NIS2 Directive
What is the NIS2 Directive?
The NIS2 Directive is the European Union’s updated legal framework on cybersecurity for entities that provide essential or important services. It was adopted as Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 and replaces the first NIS Directive, Directive (EU) 2016/1148, which it repealed with effect from 18 October 2024. Member States had to transpose it into national law by 17 October 2024. Its purpose is to raise the common level of cyber resilience across the EU, improve incident reporting, and harmonise security requirements across Member States.
In practical terms, NIS2 expands both the range of regulated sectors and the number of organisations that may be covered. It applies not only to traditional critical infrastructure operators, but as a rule to all medium-sized and large entities (in the sense of Commission Recommendation 2003/361/EC) operating in the sectors listed in its annexes: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration and space (Annex I), and postal and courier services, waste management, chemicals, food, manufacturing of certain critical products, digital providers and research (Annex II). Certain entities are covered regardless of size, for example providers of public electronic communications networks, DNS service providers, TLD name registries and trust service providers, as well as entities identified as critical at national level. The directive distinguishes between essential entities and important entities. Both are subject to the same risk-management and reporting obligations, but essential entities are subject to both proactive (ex ante) and reactive (ex post) supervision, whereas important entities are supervised only ex post, and the maximum administrative fines differ (at least EUR 10 000 000 or 2 % of total worldwide annual turnover for essential entities, at least EUR 7 000 000 or 1.4 % for important entities, whichever is higher).
NIS2 is not a technical standard in itself. It is a legal act that requires Member States to adopt national rules covering risk-management measures, governance duties, supply chain security, incident handling, business continuity, vulnerability handling, and reporting obligations. It also places far greater emphasis on management accountability than its predecessor. Under Article 20, Member States must ensure that the management bodies of essential and important entities approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements; members of management bodies are also required to follow cybersecurity training. How this accountability is enforced in detail is a matter for national implementing laws.
What does the NIS2 Directive regulate?
The directive regulates organisational and operational cybersecurity requirements for covered entities. Article 21 of Directive (EU) 2022/2555 requires entities to take appropriate and proportionate technical, operational and organisational measures, based on an all-hazards approach, to manage the risks posed to the security of the network and information systems they use for their operations or for the provision of their services. These measures are intended to prevent or minimise the impact of incidents on the recipients of those services and on other services. Proportionality is assessed against the state of the art, relevant standards, the cost of implementation, and the entity’s size, risk exposure and the likely severity of incidents.
In practice, the minimum measures listed in Article 21(2) cover policies on risk analysis and information system security, incident handling, business continuity (including backup management and disaster recovery) and crisis management, supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures, basic cyber hygiene and training, policies on cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor or continuous authentication and secured communications where appropriate. The directive also introduces a structured reporting model for significant incidents, that is, incidents that have caused or are capable of causing severe operational disruption or financial loss to the entity, or that have affected or are capable of affecting other natural or legal persons by causing considerable material or non-material damage. Under Article 23 of Directive (EU) 2022/2555, a significant incident must be reported to the CSIRT or, where applicable, the competent authority without undue delay and in stages: an early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts or could have a cross-border impact; an incident notification within 72 hours of becoming aware of it, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; an intermediate report if the authority requests one; and a final report not later than one month after the submission of the incident notification, describing the incident, its root cause, the mitigation applied and any cross-border impact (where the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled). Entities must also inform the recipients of their services where a significant incident is likely to adversely affect the provision of those services.
The directive is also relevant in the context of corporate governance and liability. Cybersecurity under NIS2 is not treated as a purely technical matter delegated entirely to IT teams. It is framed as a management and compliance issue. This means that boards, executives, compliance functions, legal teams, and operational departments often need to cooperate in order to identify whether the organisation falls within scope, define reporting lines, update internal procedures, and document decision-making.
When is legal support regarding NIS2 worth considering?
Legal support may be particularly important where an organisation is unsure whether it qualifies as an essential entity or an important entity under the directive and national implementing laws. Scope assessments are not always straightforward. They may depend on the sector, the type of services provided, the size of the undertaking, group structure, and whether the entity has been identified as critical at national level. In some cases, overlap may arise with other frameworks, such as the GDPR, DORA for the financial sector (which takes precedence over NIS2 under its Article 4 as a sector-specific act with at least equivalent effect), the Critical Entities Resilience Directive, telecoms rules, or other sector-specific operational resilience obligations.
Support is also useful when a business is preparing for implementation and needs to translate legal requirements into internal governance documents, contractual standards, vendor management processes, and incident reporting workflows. This includes reviewing board responsibilities, internal policies, outsourcing arrangements, escalation procedures, and communication duties toward regulators, customers, or business partners.
For private companies, public-interest operators, digital providers, and corporate groups, legal advice may also be needed after a cybersecurity incident. A serious incident can trigger several parallel obligations, including regulatory notification, contractual notice requirements, evidence preservation, internal investigation, and possible interaction with law enforcement or supervisory authorities. Early legal analysis helps determine which regime applies, what deadlines must be observed, and how to reduce the risk of inconsistent reporting or unnecessary exposure.
A prompt consultation on NIS2 can help avoid compliance gaps, delayed reporting, ineffective governance, disputes with counterparties, regulatory scrutiny, and financial losses linked to service disruption or inadequate documentation. It can also support a more defensible position if the organisation later needs to demonstrate that its security measures were appropriate and proportionate in light of its risk profile.
Support from a law firm in matters related to the NIS2 Directive may include in particular:
- assessment of whether the organisation falls within the scope of NIS2 and national implementing rules,
- classification analysis concerning essential entity or important entity status,
- review of governance structures and management responsibilities,
- drafting or updating cybersecurity policies, reporting procedures, and internal escalation rules,
- support in incident notification and communication with competent authorities,
- legal review of supplier contracts and supply chain security clauses,
- advice on the interaction between NIS2, GDPR, sectoral rules, and contractual obligations,
- support in internal investigations and post-incident legal risk assessment,
- training for management and key teams on legal cybersecurity obligations.
Need legal support regarding the NIS2 Directive? Contact us.
See also
- Commercial Law
- Financial reporting
- Holding company
- Tax Law