Cybersecurity Directive Political Agreement — May 13, 2022
The provisional trilogue agreement of 13 May 2022 moved the NIS2 Directive toward formal adoption, expanding EU cybersecurity duties across sectors and requiring entities to prepare for tighter risk management, incident reporting, and supply chain oversight.
Executive briefing: on 13 May 2022 the European Parliament and the Council reached a provisional political agreement in trilogue on the revised Network and Information Security Directive (NIS2), the compromise text that now goes to formal adoption. The proposal broadens the scope of cybersecurity obligations to more sectors and companies, strengthens supervisory powers, and harmonises incident reporting. Organisations designated as "essential" or "important" entities must prepare for enhanced risk management requirements, board accountability, and stricter supply chain oversight once the directive is adopted and transposed into national law.
Scope expansion
NIS2 extends beyond the original 2016 directive by covering new sectors such as waste management, postal and courier services, manufacturing of critical products (medical devices, pharmaceuticals, chemicals, food), digital providers (cloud, data centres, social networks), and public administration. The directive introduces a size-cap rule: medium and large entities within in-scope sectors are covered by default, while smaller entities may be included if they are critical (for example sole providers of a service, or providers whose disruption would have a significant impact). Under the compromise text the essential/important distinction also depends on size: large entities in Annex I sectors are essential, medium-sized ones are by default important, and some categories (such as DNS, TLD registries and trust service providers) are essential regardless of size. Member States will maintain registers of essential and important entities, which determine supervision intensity and penalties. Organisations should verify whether their activities fall within Annex I or Annex II, establish which size class they belong to, and monitor national designations.
Risk management obligations
Article 18 of the Commission proposal (Article 21 in the adopted text) outlines baseline security measures, including risk analysis, incident handling, business continuity, supply chain security, testing, cryptography, and personnel security. Entities must implement policies covering asset management, network segmentation, encryption, vulnerability handling, and zero-trust principles. Management bodies must approve the risk management measures, oversee their implementation, and can be held liable for non-compliance. Member States must ensure board-level training and, for essential entities, can temporarily prohibit individuals with managerial responsibilities at CEO or legal-representative level from exercising those functions after serious breaches.
To prepare, organisations should assess existing frameworks (ISO/IEC 27001, NIST CSF, CIS Controls) against NIS2 requirements, identifying gaps in areas such as supply chain assurance, secure development, and operational resilience. Establish cross-functional programmes combining cybersecurity, legal, procurement, and business continuity teams. Document risk appetite, security metrics, and investment plans to demonstrate proportionality.
Incident reporting
NIS2 introduces a three-stage incident reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification was submitted. If the incident is still ongoing at that point, a progress report is filed instead and the final report follows within one month of the incident being handled; the CSIRT or competent authority may also request intermediate status updates. Reports must include indicators of compromise where available, mitigation measures applied, and an assessment of cross-border impact. Authorities may inform the public, or require the entity to do so, when public awareness is needed to prevent or handle an incident. Entities must set up processes for rapid detection, evidence collection, and legal review to meet these timelines. Automation tools, such as SIEMs, SOAR platforms and case management, should integrate with notification workflows so that the clock for each stage is tracked rather than reconstructed manually after the fact.
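The deadline arithmetic above has one trap worth showing in code: the early warning and notification clocks run from the moment of awareness, but the final-report clock runs from the moment the notification is submitted. The following is an added example, not code from the original briefing or from any regulator; it models the three stages as a small state object and classifies each as filed, filed late, pending or overdue. It assumes UTC timestamps and models "one month" as 30 days (a labelled assumption; national transposition may define the month differently), and it deliberately takes the conservative reading that a late notification does not extend the final-report deadline.

```python
"""Deadline clock for the NIS2 three-stage incident reporting process.

Added example, not the article's own code. Encodes the timeline as the
article describes it: early warning 24 h and incident notification 72 h
after the entity becomes aware of a significant incident, and a final
report one month after the notification is submitted (a progress report
instead if the incident is still ongoing).
Assumptions: all times are timezone-aware and converted to UTC, and
"one month" is modelled as 30 days. Treat the windows as parameters to
verify against the national transposition, not as legal advice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING_WINDOW = timedelta(hours=24)
NOTIFICATION_WINDOW = timedelta(hours=72)
FINAL_REPORT_WINDOW = timedelta(days=30)   # assumption: "one month" = 30 days


@dataclass
class IncidentTimeline:
    aware_at: datetime                           # moment the entity became aware
    early_warning_at: Optional[datetime] = None  # when each stage was actually filed
    notification_at: Optional[datetime] = None
    final_report_at: Optional[datetime] = None
    incident_ongoing: bool = False               # True -> final report becomes a progress report


def _utc(ts: datetime) -> datetime:
    """Reject naive timestamps: a missing zone silently shifts a 24 h clock."""
    if ts.tzinfo is None:
        raise ValueError("timestamps must be timezone-aware")
    return ts.astimezone(timezone.utc)


def deadlines(tl: IncidentTimeline) -> dict:
    """Return the due time of each reporting stage.

    The final-report clock is anchored to the notification's submission, not to
    detection. Conservative reading: the anchor is the earlier of the actual
    submission and the 72 h deadline, so filing late never buys extra time.
    """
    aware = _utc(tl.aware_at)
    ew_due = aware + EARLY_WARNING_WINDOW
    notif_due = aware + NOTIFICATION_WINDOW
    if tl.notification_at is not None and _utc(tl.notification_at) <= notif_due:
        anchor = _utc(tl.notification_at)
    else:
        anchor = notif_due
    last_stage = "progress_report" if tl.incident_ongoing else "final_report"
    return {
        "early_warning": ew_due,
        "incident_notification": notif_due,
        last_stage: anchor + FINAL_REPORT_WINDOW,
    }


def status(tl: IncidentTimeline, now: datetime) -> dict:
    """Classify each stage as 'filed', 'filed late', 'pending' or 'overdue'."""
    now = _utc(now)
    filed = {
        "early_warning": tl.early_warning_at,
        "incident_notification": tl.notification_at,
        "final_report": tl.final_report_at,
        "progress_report": tl.final_report_at,
    }
    out = {}
    for stage, due in deadlines(tl).items():
        at = filed[stage]
        if at is not None:
            out[stage] = "filed" if _utc(at) <= due else "filed late"
        else:
            out[stage] = "pending" if now <= due else "overdue"
    return out


# Constructed sample (not a real incident): aware at 09:00 UTC on 13 May 2022,
# early warning filed the same evening, notification filed one hour late.
SAMPLE = IncidentTimeline(
    aware_at=datetime(2022, 5, 13, 9, 0, tzinfo=timezone.utc),
    early_warning_at=datetime(2022, 5, 13, 20, 30, tzinfo=timezone.utc),
    notification_at=datetime(2022, 5, 16, 10, 0, tzinfo=timezone.utc),
)

if __name__ == "__main__":
    for stage, due in deadlines(SAMPLE).items():
        print(f"{stage:22s} due {due.isoformat()}")
    print(status(SAMPLE, datetime(2022, 6, 10, tzinfo=timezone.utc)))
```

Wire `status()` into the case-management ticket rather than a spreadsheet: the stage that is "pending" tells the SOC which artefacts (indicators, mitigation steps, cross-border assessment) legal review needs next, and "filed late" becomes evidence you will want to explain to the supervisor before they ask.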
Supply chain security
The directive places strong emphasis on supplier risk management. Entities must assess supply chain cybersecurity and may be required to account for vulnerabilities affecting providers. Member States and the European Commission can organise coordinated risk assessments for critical supply chains (e.g., cloud services, data centres). Organisations should build supplier inventories, classify critical vendors, and enforce security requirements via contracts, audits, and continuous monitoring. Align procurement questionnaires with NIS2, covering secure development practices, incident reporting obligations, and subcontractor transparency.
Supervision and penalties
Essential entities face both ex ante and ex post supervision, including regular audits, on-site inspections, and security scans. Important entities are supervised ex post, typically when authorities receive evidence or indications of non-compliance, but must still provide information upon request. Administrative fines can reach a maximum of at least €10 million or 2% of total worldwide annual turnover for essential entities and €7 million or 1.4% for important entities, whichever is higher. Authorities may also issue binding instructions, order implementation of specific measures, or appoint a monitoring officer. Organisations should maintain compliance documentation (policies, training records, incident logs, testing reports) to respond quickly to supervisory inquiries.
National coordination and CSIRTs
NIS2 strengthens cooperation between national Computer Security Incident Response Teams (CSIRTs) and the EU CyCLONe network for crisis management. Entities must maintain contact points for CSIRT interaction and share technical details to support coordinated response. Member States will adopt national cybersecurity strategies, designate single points of contact, and participate in joint exercises. Organisations should engage with their national CSIRT, understand reporting templates, and participate in sectoral exercises to build muscle memory.
Interplay with other regulations
NIS2 dovetails with the Digital Operational Resilience Act (DORA), the Critical Entities Resilience Directive (CER), and sectoral regulations. For financial entities in DORA's scope, DORA's ICT risk management and incident reporting provisions apply in place of the corresponding NIS2 provisions (lex specialis), so those institutions should build to DORA while keeping NIS2 in view for supervisory cooperation. Entities identified as critical under CER are automatically essential entities under NIS2, so energy, transport and similar operators must coordinate both sets of obligations. Data protection considerations persist under GDPR, especially when incidents involve personal data and a single event triggers both a CSIRT notification and a breach notification to the data protection authority. Establish integrated governance frameworks to avoid duplicative processes and leverage common controls.
Cyber insurance and risk transfer
Insurers may adjust underwriting criteria in light of NIS2 obligations. Entities should review cyber insurance policies to ensure coverage aligns with new incident reporting duties, regulatory fines, and business interruption impacts. Demonstrating compliance with NIS2 controls can strengthen renewal negotiations and avoid exclusions tied to inadequate security practices. Coordinate between risk management and legal teams to align policy notification timelines with regulatory reporting deadlines.
Implementation roadmap
Short term (2022): Monitor trilogue developments and emerging compromise texts on board liability, public administration scope, and cross-border supervision. Conduct gap assessments against the proposed NIS2 requirements, prioritising incident reporting readiness and supply chain governance.
Medium term (2023–2024): Once NIS2 is formally adopted (expected late 2022) and transposed by Member States (within 21 months of entry into force), implement remediation plans. Update cybersecurity policies, incident response playbooks, and vendor management procedures. Deploy technical measures such as multi-factor authentication, network segmentation, centralised logging, and vulnerability management, and conduct training for boards and executives.
Long term (2024 onward): Maintain continuous compliance through regular audits, tabletop exercises, and threat intelligence sharing. Establish key performance indicators (MTTD, MTTR, patch latency, supplier assurance rates) and report to boards. Participate in national and EU-level cybersecurity coordination mechanisms to stay informed about sectoral risk assessments.
Metrics and evidence
Define metrics to track progress: percentage of critical assets covered by vulnerability management, time to file regulatory reports, supplier assessment completion rates, and adherence to recovery time objectives. Maintain evidence repositories with signed policies, training attendance logs, incident tickets, and audit results. Use governance, risk, and compliance platforms to link controls to NIS2 articles and document remediation status.
Action items for leadership
Board members and senior executives should request briefings on NIS2 implications, approve budget for compliance programmes, and sponsor cross-functional working groups. Designate accountable executives for cybersecurity, legal compliance, and supply chain oversight. Encourage participation in industry associations that influence implementing acts and guidance.
The NIS2 trilogue signals imminent expansion of EU cybersecurity obligations. Organisations that begin planning now—strengthening governance, incident reporting, and supplier assurance—will be ready when national laws take effect.