Overview of the NIS2 Directive and its Status
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (‘NIS2 Directive’ or ‘NIS2’) promises to advance the European Union’s cybersecurity framework.
The NIS2 Directive, which entered into force on 16 January 2023, replaces Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS1 Directive). This original directive was a pioneering attempt to standardise cybersecurity measures across EU Member States. Since its introduction in 2016, the digital landscape has rapidly evolved alongside increasingly sophisticated digital threats, revealing the limitations of the NIS1 Directive. Building on its predecessor, the NIS2 Directive is designed to address these shortcomings and establish a more robust and comprehensive cybersecurity framework.
This blog post explores the main changes brought by the NIS2 Directive compared to NIS1. We will discuss the expanded scope, the measures to develop a robust cyber-resilient framework, the challenges related to the implementation of the NIS2 Directive in the national legislation of the EU Member States, and why this topic is critical for public administration.
Scope and Sectors Affected: From a Critical Selection to a Holistic Cyber-resilient Approach
The scope represents the most significant difference between the NIS2 Directive and NIS1, which had a substantially more limited focus. While the NIS1 Directive focused primarily on critical sectors including energy, transport, banking and healthcare infrastructure, the NIS2 Directive aims to strengthen cybersecurity capabilities across a broader spectrum of sectors. It fosters more coherent collaboration between EU Member States enabling better cyber resilience, and promoting cybersecurity as a key priority for organisations considered vital to European societal and economic functions.
To achieve this goal, the NIS2 Directive classifies entities according to their criticality to society and the economy into two categories, each subject to a different level of supervision: essential entities (Annex I of the NIS2 Directive) and important entities (Annex II of the NIS2 Directive).

Essential entities
- Energy
- Transport
- Banking
- Financial markets infrastructure
- Healthcare
- Drinking water
- Digital infrastructure
- ICT services management (business-to-business)
- Waste water
- Public administration (including regional and local levels)
- Space activities
Important entities
- Digital providers
- Postal and courier services
- Waste management
- Manufacturing, production and distribution of chemicals
- Production, processing and distribution of food
- Research
- Manufacturing
Under the NIS2 Directive, public administrations are now obligated to implement comprehensive cybersecurity measures in their delivery of critical services. In addition to their essential role as public service providers, the nature of the data processed by government organisations is a strong basis for the inclusion of public administrations in the list of essential entities. Furthermore, according to the ENISA Threat Landscape 2024 Report, public administration is the most targeted sector for cyberattacks – accounting for 19% of all incidents – further reinforcing the necessity for a cyber-resilient public sector.

The Implementation of the NIS2 Directive: A Fragmented Exercise Across EU Member States
After its entry into force, EU Member States were given 21 months to transpose the NIS2 Directive into national law. However, this deadline has passed, and Member States’ efforts have been inconsistent, with some failing to publish even a draft transposition of the directive. This delay creates legal uncertainty for all sectors covered by the NIS2 Directive, making it a challenge, rather than the solution, for strengthening cybersecurity in the EU.
The expanded scope of the NIS2 Directive requires extensive analysis and legislative effort to ensure its implementation. This complexity arises not only from the diversity of national cybersecurity frameworks but also from the specific requirements of each sector on the list, whether identified as an ‘essential’ or an ‘important’ entity. In addition, the draft legislation needs to be coordinated between different levels of administration (regional, local and national), requiring agreement and cooperation among all of them. Nevertheless, as shown below, some Member States have achieved this.
Based on their progress in transposing the NIS2 Directive into national legislation, Member States can be grouped into three categories:
- Fully implemented: Belgium, Croatia, Hungary, Italy, Latvia, Lithuania and Slovakia have approved and adopted their NIS2 implementing legislation, meeting the transposition deadline. These countries are now developing supporting regulations to provide additional guidance to affected sectors, allowing for future adaptations as needed.
- Implementation in progress: Austria, Bulgaria, Cyprus, Czech Republic, Denmark, Finland, France, Germany, Greece, Ireland, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovenia and Sweden have presented legislative proposals that await final approval. These Member States are focused on adapting NIS2 requirements to regional and local levels through public consultations.
- Drafting: Estonia and Spain are still working on the draft legislation for NIS2 implementation.
It should be mentioned that the EEA countries (Iceland, Liechtenstein and Norway) are also subject to this directive and are still in the process of transposing it.
In addition to these efforts, EU Member States will need to provide a complete list of their ‘essential’ and ‘important’ entities by 17 April 2025.
Main Compliance Obligations for Public Administrations
The NIS2 Directive, in addition to expanding its scope of application, raises the level and number of cybersecurity requirements for public administrations in order to strengthen the security of their network and information systems.
Under their new designation, public administrations must conduct risk assessments and ensure that the measures they implement guarantee the continuity of their services and the protection of the information they use (Article 21, NIS2). Public administrations are thus expected to consider a wide range of factors, including network security, incident handling procedures, business continuity planning and supply chain security.
At the same time, the reporting obligations laid down by Article 23 are equally relevant under the NIS2 Directive. Incidents affecting designated entities may result in social and economic disruption of considerable duration, as well as financial losses. As such, rapid response and risk mitigation measures are critical for ensuring continued access to essential and important services. Once an incident occurs, public administrations must notify their supervisory authority within 24 hours of becoming aware of it. If the incident is cyber-related, the National Cyber Security Incident Response Team will also need to be notified. This dual system of reporting, notification and supervision seeks to ensure the timely identification of, and response to, cyber threats.
The NIS2 Directive provides a robust enforcement framework to ensure compliance, and non-compliance with its requirements can therefore lead to substantial penalties. Article 36 of the NIS2 Directive outlines the administrative fine structure for non-compliance: (i) for essential entities, a maximum of at least EUR 10 million or up to 2% of the total worldwide annual turnover, whichever is higher; and (ii) for important entities, a maximum of at least EUR 7 million or 1.4% of the total worldwide annual turnover, whichever is higher. However, before imposing an administrative fine, authorities may choose to issue warnings and/or binding instructions, for example ordering entities to cease non-compliant conduct, mandating the implementation of security audit recommendations, or requiring public disclosure of aspects of the non-compliance.
Why is the NIS2 Directive Vital for Public Officers?
The fact that the NIS2 Directive expands its scope to include public administration as ‘essential’ entities clearly highlights the critical nature of protecting sensitive and personal data, which are commonly gathered, processed and stored by public administrations. Thus, a breach of security can result in the erosion of public trust, compromised national security, threats to public safety and potential economic and political instability, as well as the disruption of essential public services.
As such, public administrations must prioritise a holistic cyber-resilience approach. This should include the development of risk frameworks and assessments, robust and proactive risk responses, and the strengthening of capacities and expertise to prepare for a rapidly evolving digital landscape. This is urgent with the onset of sophisticated technologies, such as artificial intelligence, which further enable cyber threats that recognise no geographic limitations. This need is recognised and supported by the EU Commission, which has allocated a budget of EUR 35 million to the deployment of state-of-the-art cybersecurity technologies and tools. Another EUR 20 million will be allocated to support Member States in implementing EU laws on cybersecurity and national cybersecurity strategies.
As part of this initiative, the NIS2 Directive requires Member States to promote and develop education and training on cybersecurity to build cyber-awareness and disseminate good practices (Article 7). Indeed, human error is reported to be one of the main causes of security incidents. This further emphasises the need for ongoing cyber training, since the ability to recognise potential cyberattacks requires not only technical knowledge but also skills such as pattern recognition, analytical thinking and an understanding of human behaviour. This means that public administrations should focus on training current staff and raising awareness in their organisations, while also recruiting cybersecurity professionals who can support the building of tools and the implementation of technical measures.
The shortage of cybersecurity personnel in public administration is a well-known feature of the public sector, given its competition with the opportunities available in the private sector. Thus, attracting skilled cybersecurity professionals remains challenging. However, it is crucial to understand that cybersecurity skills encompass more than technical skills. Organisational measures, such as upskilling initiatives, accessible and comprehensive internal policies, inclusive risk assessments and the fostering of an interdisciplinary cybersecurity culture, are all features of an effective cybersecurity strategy.
In conclusion, the NIS2 Directive represents an ambitious step forward in the EU’s cybersecurity landscape, aiming to establish a unified framework across 18 critical sectors. However, as we approach the implementation deadline, we see that some challenges persist, namely in transposing NIS2 into national legislation. This could affect the effectiveness of the directive and result in a patchwork of differing cybersecurity standards across the Member States.
Despite these hurdles, we can still find reason for optimism, given the EU Commission’s strategy on cybersecurity and its prominence on the agenda of the Polish Presidency. The focus on avoiding silos, promoting a more integrated approach to cybersecurity and establishing interoperability between EU Member States signals a strong commitment to overcome the above-mentioned challenges.
Moreover, there is a growing recognition that holistic cybersecurity extends beyond technical skills. The interdisciplinary nature of cybersecurity, requiring legal, technical and operational perspectives, remains critical and is a key consideration in our upcoming training on Cybersecurity Policies and Practices in the EU – for non-IT Experts.
Ready to be familiarised with all the cybersecurity legal and policy aspects? Are you looking for certainty and recommendations from experts in terms of cybersecurity measures for your organisation? Then you cannot miss our upcoming course in February: Cybersecurity Policies and Practices in the EU – for non-IT Experts.