NIS 2 Directive - Why The Why - Explained by the Directive Why is it necessary to adopt a directive concerning cybersecurity at the European Union level? Hereinafter, the arguments presented in the NIS 2 Directive itself are summarized.The primary objective of the NIS 2 Directive is to ensure the effective functioning of the society and economy through measures for a high common level of cybersecurity across the European Union. This is aimed to be achieved by mitigating threats to systems used to provide essential services in key sectors and ensuring the continuity of such services when facing security incidents.On July 6, 2016, the European Parliament and the Council of the European Union took an initial step towards this objective with the adoption of Directive (EU) 2016/1148, better known as the NIS Directive, titled "measures for a high common level of security of network and information systems across the Union".The measures described in this directive have induced some achievements in increasing the level of cyber resilience of individual member states of the European Union and, consequently, of the European Union itself. The NIS 2 Directive refers in this regard to the effect of a significant change in mindset and the improvement of national frameworks, as well as the cooperation at the Union level regarding the security of systems used to provide essential services in key sectors.Specifically, the establishment of national strategies on the security of systems providing essential services, the establishment of national capabilities, the implementation of regulatory measures covering entities and systems identified as essential, as well as the establishment of the Cooperation Group and the network of national Computer Security Incident Response Teams (CSIRTs) at the Union level, are mentioned as concrete achievements in this context.However, the review of the implementation of the NIS Directive also revealed shortcomings, particularly stemming from providing the member states of the European Union with very wide discretion regarding the implementation of the directive into national law. Besides the level of detail, the NIS 2 Directive mentions the different and sometimes conflicting implementation of the NIS Directive by member states at the national level concerning the delimitation of the scope, obligations regarding the security and incident reporting, as well as supervision and enforcement.The divergent implementation of the NIS Directive by the member states of the European Union entailed a fragmentation of the internal market affecting cross-border activities, additional costs, and limitations in legal certainty regarding obligations. Moreover, the higher vulnerability of some states to cyber threats can negatively affect the level of cyber resilience of other states.The NIS 2 Directive aims to remove such divergences among member states of the European Union by setting out minimum rules regarding the functioning of a coordinated regulatory framework. As a uniform criterion determining the entities falling within the scope of the directive, a size-cap rule with exceptions for organizations which fulfill specific criteria that indicate a key role is established. Furthermore, effective remedies and enforcement measures are defined.Additionally, the NIS 2 Directive seeks to address the expansion of the cyber threat landscape due to current and emerging cybersecurity challenges, leading to an increase in the frequency, sophistication, and impact of security incidents driven by the speedy digital transformation and interconnectedness of society.To guarantee the proper functioning of the internal market, the NIS 2 Directive aims to ensure a comprehensive coverage of services of vital importance to key societal and economic activities in the internal market. To this end, the list of sectors and activities subject to cybersecurity obligations has been updated and extended to a larger part of the economy. Further information Who? To whom does the NIS 2 Directive apply?Learn more > What? What are the requirements of the NIS 2 Directive?Learn more > Back Back to the overview >
