EU NIS2 Directive Proposal
The European Commission proposed NIS2 to expand the original Network and Information Security Directive: more sectors covered, stricter requirements, and supply chain security obligations. This is the draft that became Directive (EU) 2022/2555 in December 2022.
Fact-checked and reviewed — Kodi C.
On 16 December 2020, the European Commission proposed the NIS2 Directive to replace the 2016 Network and Information Security Directive (Directive (EU) 2016/1148). The draft sought to raise the common level of cybersecurity across the Union by widening sectoral scope, sharpening risk management duties, shortening incident notification timelines, and introducing stronger supervisory and enforcement powers. This analysis unpacks the proposal so that practitioners understand the obligations that later appeared in the final 2022 directive and in member state transposition efforts, and flags where the final text departed from the draft.
Scope expansion and sector coverage
The proposal moved beyond the original NIS Directive’s narrow focus on operators of essential services and digital service providers. NIS2 introduced two categories: essential entities and important entities. Both categories cover medium and large entities in the listed sectors, but essential entities face more stringent supervision. The draft annexes set out the sectors affected.
- Essential entities (Annex I). Energy (electricity, district heating, oil, gas), transport (air, rail, water, road), banking, financial market infrastructures, health (including manufacturers of basic pharmaceutical products and of critical medical devices), drinking water, waste water, digital infrastructure (IXPs, DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks, trust service providers, and public electronic communications networks and services), public administration, and space were classified as essential. Cloud and data centre providers, treated as digital service providers under the 2016 directive, therefore moved into the more heavily supervised category.
- Important entities (Annex II). Postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), and research organisations were added as important entities.
The scope language intentionally captured medium and large entities while allowing member states to extend coverage to certain small providers whose disruption could have systemic impact. Unlike the 2016 directive, micro and small enterprises were excluded by default unless designated because of their risk profile (for example, a sole provider of a service in a member state, or providers of public electronic communications networks, trust services, DNS or TLD registries, which were covered regardless of size). The Commission also replaced the member-state-by-member-state identification of operators with this uniform size-cap rule, reducing cross-border divergence in who is in scope.
Governance and security requirements
Articles 17 and 18 of the proposal laid out governance responsibilities and baseline cybersecurity risk management measures. Leadership accountability was explicit: management bodies must approve cybersecurity risk management measures, oversee their implementation, follow training, and can be held liable for infringements. Boards should therefore document cyber risk decisions and budget allocations so they can evidence this oversight duty.
The proposed security measures were risk-based and technology-neutral. Article 18(2) listed policies for risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, security in the acquisition, development and maintenance of network and information systems (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures (testing and auditing), and the use of cryptography and encryption. For supply chains, entities would need to assess each supplier’s cybersecurity practices and secure development procedures and incorporate security requirements into procurement. The proposal also encouraged use of European cybersecurity certification schemes under the Cybersecurity Act where applicable, and empowered the Commission to specify the measures further through implementing acts.
At an operational level, the draft’s measures and recitals pointed to:
- Business continuity and crisis management. Entities had to maintain backup strategies, disaster recovery, and crisis exercise programs that account for hybrid threats and cascading failures across sectors.
- Vulnerability handling and disclosure. Entities were expected to implement processes for coordinated vulnerability disclosure and to prioritise remediation by severity; the proposal also tasked ENISA with maintaining a European vulnerability registry.
- Asset and configuration management. Accurate inventories, secure configurations, and logging were emphasized to support detection and forensic readiness.
- Workforce security. Role-based access controls, security training, and background checks for sensitive roles were suggested to mitigate insider and human-factor risk.
Because the proposal adopted a performance-based approach, entities could tailor controls to their risk profile, subject to proportionality. Mapping these requirements to ISO/IEC 27001:2022 controls and to EU cloud codes of conduct is a practical way to show conformity during supervisory audits, since most of the Article 18 policy areas have a direct counterpart in an existing ISMS.
Incident reporting and information-sharing obligations
The proposal compressed notification timelines to achieve faster situational awareness across the Union. Under Article 20 of the draft, essential and important entities would have to submit:
- Initial notification within 24 hours. Without undue delay and in any event within 24 hours of becoming aware of a significant incident, a first notification to the competent authority or CSIRT, indicating where applicable whether the incident is presumed to be caused by unlawful or malicious action.
- Intermediate report on request. Status updates whenever the competent authority or CSIRT asks for them.
- Final report within one month. A detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, and the applied and ongoing mitigation measures.
Note that the separate 72-hour incident notification tier was not in the 2020 draft; it was introduced during negotiations and appears in the final 2022 directive alongside the 24-hour early warning and the one-month final report.
The Commission proposed harmonised templates to reduce reporting friction and envisioned single points of contact coordinating with CSIRTs, supervisory authorities, and critical infrastructure regulators. Entities were also expected to notify recipients of their services without undue delay when an incident was likely to adversely affect service provision. Incident response playbooks therefore need the 24-hour clock to start at the moment of awareness, not at the end of triage, and the initial notification has to be producible from whatever the SOC knows at that point.
The proposal encouraged voluntary cyber threat information sharing, noting that sectoral ISACs and ENISA-supported platforms should be used to distribute indicators, tactics, and mitigations. It also expanded CSIRT tasks to include proactive scanning of entities’ network and information systems on request and support to entities during major incidents.
Supervision, enforcement, and penalties
The Commission sought to close enforcement gaps from the first NIS directive. For essential entities, competent authorities would use a mix of ex-ante and ex-post supervision, including audits, evidence requests, and on-site inspections. Important entities faced primarily ex-post supervision triggered by evidence of non-compliance or incidents. Administrative fines mirrored GDPR-style ceilings, with maximums of at least €10 million or 2% of total worldwide annual turnover, whichever is higher.
The draft also allowed the NIS Cooperation Group, together with the Commission and ENISA, to carry out coordinated risk assessments of specific critical ICT supply chains, building on the approach already taken for 5G networks, and to use the Cooperation Group to align supervisory guidance. The Commission was empowered to adopt implementing acts specifying technical and methodological requirements for the risk management measures and the reporting obligations, further harmonising supervision across the single market.
Implementation timeline and relationship to other EU instruments
The proposal set an 18-month transposition window after entry into force; the final directive extended this to 21 months, with member states required to transpose by 17 October 2024. Because the draft was tabled alongside the proposed Critical Entities Resilience (CER) directive and interacts with the EU Cybersecurity Act, entities operating critical infrastructure were advised to align resilience, certification, and cybersecurity controls. The Commission press materials highlighted the goal of a “security-by-design single market” and encouraged member states to coordinate national cybersecurity strategies with EU-level initiatives.
Although the 2020 text was still subject to trilogue negotiations, the core obligations, namely broader scope, management accountability, supply chain due diligence, and tighter incident reporting, survived into the final 2022 directive. Entities in scope should therefore have implemented the proposed controls early rather than waiting for national transposition deadlines, while checking the final text for the details that changed, such as the reporting tiers and the transposition period.
Citations: European Commission, Proposal for a Directive on Measures for a High Common Level of Cybersecurity across the Union (NIS2), 16 Dec 2020, EUR-Lex COM(2020) 823 final; European Commission, “Commission proposes measures to boost cybersecurity and critical infrastructure resilience,” Press Release IP/20/2391, 16 Dec 2020.
Source material
- Proposal for a Directive on Measures for a High Common Level of Cybersecurity across the Union (NIS2) — European Commission
- Commission proposes measures to boost cybersecurity and critical infrastructure resilience — European Commission
- Annexes to the NIS2 Directive Proposal — European Commission