Directive on measures for a high common level of cybersecurity across the Union (NIS2 Directive)
Status: In force
  • Transposition into national law until 17 October 2024

Summary

The NIS2 Directive repeals and modernises the NIS1 Directive, which was the first piece of EU-wide legislation on cybersecurity. The NIS2 Directive extends the framework to cover further sectors, taking into account how the cybersecurity threat landscape has evolved since the adoption of NIS1.

Scope

NIS2 applies to ‘essential entities’ and ‘important entities’ that provide services or carry out activities within the EU. Essential entities operate in highly critical sectors such as energy, transport, banking, water, financial market infrastructures, health, digital infrastructure, ICT service management (business-to-business), public administration and space. Important entities act in other critical sectors such as (among others) production, processing and distribution of food, manufacturing, production and distribution of chemicals, various other manufacturing and digital providers.

Key elements

Key obligations for regulated entities:

  • Cybersecurity requirements and management body obligations
  • 3-phase reporting obligations for significant incidents (24 hours early warning, 72 hours incident reporting, 1 month final report)
  • Communication of significant cyber threats to potentially affected recipients of the services without undue delay

Breaches of these obligations are subject to severe GDPR-style fines set by national law. The maximum fine must be at least the higher of:

  • €10m or 2 % of the total worldwide annual turnover for essential entities,
  • €7m or 1.4 % of the total worldwide annual turnover for important entities.

Challenges

  • Considerable increase in companies and sectors in scope
  • Harmonised EU regime for handling cyber incidents, with specific rules for incident reporting (short deadlines) and enforcement (high fines) across Europe

Contacts

  • Theresa Ehlen, Partner (Düsseldorf, Frankfurt am Main)
  • Philipp Roos, Counsel (Düsseldorf)
  • Julia Utzerath, Senior Knowledge Lawyer (Düsseldorf)
  • Giles Pratt, Partner (London)
© 2025 Freshfields. Attorney Advertising: prior results do not guarantee a similar outcome