Cybersecurity Briefing — EU reaches provisional agreement on NIS2 Directive
On 13 May 2022 the European Parliament and Council reached a provisional agreement on the NIS2 Directive, expanding security and incident reporting obligations to more sectors and refining supervisory and penalty frameworks.
EU co-legislators announced a provisional agreement on NIS2 on 13 May 2022, broadening the cybersecurity directive’s scope to additional essential and important entities, including managed service providers, digital infrastructure, and critical manufacturing. The compromise tightens incident reporting timelines (24 hours for early warning), harmonizes supervision, and introduces risk management requirements such as supply-chain security and coordinated vulnerability disclosure.
Organizations falling under the expanded sectors must prepare for stricter oversight and potential fines, update incident response playbooks, and assess supplier assurance programs ahead of formal adoption and national transposition.
- Council press release describes the 13 May 2022 political deal, scope expansion, and reporting duties.
- Parliament statement highlights supply-chain risk controls, governance responsibilities, and enforcement powers agreed by negotiators.
Continue in the Cybersecurity pillar
Return to the hub for curated research and deep-dive guides.
Latest guides
-
Cybersecurity Operations Playbook — Zeph Tech
Use Zeph Tech research to align NIST CSF 2.0, CISA KEV deadlines, and sector mandates across threat intelligence, exposure management, and incident response teams.