NIS2 Directive: New Cyber Security Rules in the EU

    The NIS2 Directive on the security of networks and information systems adopted by the European Commission was published in the European Union (EU) Official Journal on 27 December 2022 and entered into force on 16 January 2023. The NIS2 Directive aims to harmonize cybersecurity regulations and the implementation of cybersecurity measures in member states. In this context, the NIS2 Directive constitutes a significant step towards strengthening cyber security in the EU.

    Why a New NIS Directive?

    The new NIS2 Directive will replace the NIS Directive, which regulates the EU’s rules on the security of networks and information systems. The NIS Directive, adopted on 6 July 2016, is known for being the first cyber security legislation adopted by the EU.

    Rapid digitalization, the increase in malicious cyber activities at the global level, and the need for legal regulation of these activities brought about the need to update the NIS Directive. Insufficient cyber resilience regulations, lack of agreement among member states on key risks and challenges, and the lack of a coordinated crisis response were among the main problems of the NIS Directive.

    Key Elements of the NIS2 Directive

    Some key elements of the NIS2 Directive, which establishes the minimum standards for cyber risk management and reporting obligations, are compiled below:

    • Broader application than the NIS Directive by including additional industries and covering medium and large organizations.
    • A list of security measures to be implemented.
    • Obligation to submit an initial notification within 24 hours to the relevant competent authority in case of a significant cyber threat.
    • Strengthened supply chain cybersecurity for key information and communication technologies.
    • Member states may conduct coordinated risk assessments of essential supply chains in collaboration with the Commission and the European Union Agency for Cybersecurity.
    • Stricter enforcement requirements with administrative fines up to 10 million EUR or 2% of the total global annual turnover of the company.

    What Will Be the Next Steps?

    The NIS2 Directive entered into force on 16 January 2023. Member states are obliged to take the necessary measures within 21 months from the entry into force of the directive. In this context, the process of incorporating the provisions of the NIS2 Directive into the national laws of the member states will be completed on 17 October 2024.

    You can reach the full text of the NIS2 Directive here.

    The Turkish version of this article is available at NIS2 Direktifi: AB’de Yeni Siber Güvenlik Kuralları

    Tagged with: Gökçe, Elik Aksöz, Assoc. Prof. Dr. Mehmet Bedii Kaya, NIS2, Technology & Telecoms
