Policy Briefing — EU NIS2 Directive Proposal
The European Commission tabled the NIS2 Directive to expand cybersecurity obligations for critical and important entities Zeph Tech serves.
The NIS2 Directive proposal widened EU cybersecurity obligations to more sectors, introduced supervisory enforcement, and strengthened supply-chain requirements. Zeph Tech uses the draft to guide EU clients on governance upgrades and reporting expectations.
- 16 Dec 2020 — NIS2 proposal. The draft directive expanded the scope to medium and large entities across additional critical sectors.
- 16 Dec 2020 — Press release coverage. The Commission highlighted new risk management and incident reporting obligations.
- 16 Dec 2020 — Annex on sectors and services. The proposal detailed the essential and important entity categories and supervisory measures.
Zeph Tech continues to track NIS2 negotiations to prepare clients for compliance design work.
Follow-up: NIS2 was adopted in December 2022 with a 17 October 2024 transposition deadline, and member states spent 2023–2024 issuing draft national laws and sectoral scoping consultations.
Sources
- Proposal for a Directive on Measures for a High Common Level of Cybersecurity across the Union (NIS2) — European Commission; The Commission proposed replacing the original NIS Directive with expanded scope, risk management, and supervisory provisions.
- Commission proposes measures to boost cybersecurity and critical infrastructure resilience — European Commission; The Commission showcased NIS2 alongside the revised CER directive and the new Cybersecurity Strategy.
- Annexes to the NIS2 Directive Proposal — European Commission; The annexes list essential and important entity categories plus reporting timelines and supervisory measures.