Policy Briefing — EU NIS2 Directive Proposal
Detailed examination of the European Commission's December 2020 NIS2 proposal, covering scope expansion, governance duties, incident reporting, supervision, and the timeline to full application for critical and important entities across the EU.
On 16 December 2020, the European Commission proposed the NIS2 Directive to replace the 2016 Network and Information Security Directive. The draft sought to raise the common level of cybersecurity across the Union by widening sectoral scope, sharpening risk management duties, shortening incident notification timelines, and introducing stronger supervisory and enforcement powers. This briefing unpacks the proposal so Zeph Tech clients understand the obligations that later appeared in the final 2022 directive and in member state transposition efforts.
Scope expansion and sector coverage
The proposal moved beyond the original NIS Directive’s narrow focus on operators of essential services and digital service providers. NIS2 introduced two categories: essential entities and important entities. Both categories cover medium and large organisations meeting sector thresholds, but essential entities face more stringent supervision. The draft annexes set out the sectors affected.
- Essential entities. Energy (electricity, district heating, oil, gas), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking and waste water, digital infrastructure providers (IXPs, DNS, TLD registries), public administration of central governments, and space infrastructure operators were classified as essential.
- Important entities. Postal and courier services, waste management, manufacturing of critical products (pharmaceuticals, medical devices, chemicals, computers, electronics, machinery, motor vehicles), food production, digital providers (online marketplaces, search engines, social networks, data centres, cloud computing), and research organisations were added as important entities.
The scope language intentionally captured medium and large entities while allowing member states to extend coverage to certain small providers whose disruption could have systemic impact. Unlike the 2016 directive, micro and small enterprises were exempt by default unless designated due to risk. The Commission also streamlined cross-border identification rules to reduce administrative divergence.
Governance and security requirements
Articles 18 and 20 of the proposal laid out baseline cybersecurity risk management measures and governance responsibilities. Leadership accountability was explicit: management bodies must approve cybersecurity risk management measures, oversee implementation, and can be held liable for infringements. Zeph Tech advises boards to document cyber risk decisions and budget allocations to satisfy this oversight duty.
The proposed security measures were risk-based and technology-neutral. They included policies for risk analysis, incident handling, business continuity, supply-chain security, acquisition and development security, testing, cryptography, and multi-factor authentication. For supply chains, entities would need to assess supplier cybersecurity practices and incorporate security clauses into procurement. The proposal also encouraged use of European cybersecurity certification schemes where applicable.
At an operational level, the draft required:
- Business continuity and crisis management. Entities had to maintain backup strategies, disaster recovery, and crisis exercise programmes that account for hybrid threats and cascading failures across sectors.
- Vulnerability handling and disclosure. Organisations were expected to implement processes for coordinated vulnerability disclosure and to prioritise remediation based on severity.
- Asset and configuration management. Accurate inventories, secure configurations, and logging were emphasised to support detection and forensic readiness.
- Workforce security. Role-based access controls, security training, and background checks for sensitive roles were suggested to mitigate insider and human-factor risk.
Because the proposal adopted a performance-based approach, entities could tailor controls to their risk profile while ensuring proportionality. Zeph Tech maps these requirements to ISO/IEC 27001:2022 controls and EU cloud codes of conduct to help clients demonstrate conformity during supervisory audits.
Incident reporting and information-sharing obligations
The proposal compressed notification timelines to achieve faster situational awareness across the Union. Essential and important entities would have to submit:
- Early warning within 24 hours. A brief alert to the competent authority or CSIRT describing whether the incident is suspected to be caused by unlawful or malicious action and whether it has cross-border impact.
- Incident notification within 72 hours. A fuller report summarising the incident, severity, indicators of compromise, mitigation steps, and potential socioeconomic effects.
- Final report within one month. A detailed account of root cause, applied mitigations, and lessons learned, plus documentation of any ongoing remediation.
The Commission proposed harmonised templates to reduce reporting friction and envisioned single points of contact coordinating with CSIRTs, supervisory authorities, and critical infrastructure regulators. Entities were expected to notify service recipients when an incident could adversely affect the provision of services. Zeph Tech helps clients set up playbooks that align with these timelines while integrating with existing SOC and crisis communications processes.
The proposal encouraged voluntary cyber threat information sharing, noting that sectoral ISACs and ENISA-supported platforms should be used to disseminate indicators, tactics, and mitigations. It also required CSIRTs to provide proactive scanning and support to entities during major incidents.
Supervision, enforcement, and penalties
The Commission sought to close enforcement gaps from the first NIS directive. For essential entities, competent authorities would use a mix of ex-ante and ex-post supervision, including audits, evidence requests, and on-site inspections. Important entities faced primarily ex-post supervision triggered by evidence of non-compliance or incidents. Administrative fines mirrored GDPR-style ceilings, with maximums of at least €10 million or 2% of total worldwide annual turnover, whichever is higher.
Member states were instructed to establish coordinated risk assessments for critical supply chains and to leverage the NIS Cooperation Group to align guidance. The draft empowered the Commission to issue implementing acts on technical requirements, further harmonising supervision across the single market. These powers anticipated later acts on 5G supply chain security and cloud security schemes.
Implementation timeline and relationship to other EU instruments
The proposal set a 21-month transposition window after entry into force. Because the draft anticipated interaction with the revised CER (Critical Entities Resilience) directive and the EU Cybersecurity Act, entities operating critical infrastructure were advised to align resilience, certification, and cybersecurity controls. The Commission press materials highlighted the goal of a “security-by-design single market” and encouraged member states to coordinate national cybersecurity strategies with EU-level initiatives.
Although the 2020 text was still subject to trilogue negotiations, the core obligations—broader scope, management accountability, supply-chain due diligence, and tighter incident reporting—survived into the final 2022 directive. Zeph Tech therefore recommends that EU-facing clients implement the proposed controls proactively, rather than waiting for national transposition deadlines.
Citations: European Commission, Proposal for a Directive on Measures for a High Common Level of Cybersecurity across the Union (NIS2), 16 Dec 2020, EUR-Lex COM(2020) 823 final; European Commission, “Commission proposes measures to boost cybersecurity and critical infrastructure resilience,” Press Release IP/20/2391, 16 Dec 2020.