Cybersecurity Directive Political Agreement — May 13, 2022
EU lawmakers struck a political agreement on the NIS2 Directive, expanding security and incident reporting duties for thousands of essential and important entities across the Union.
Executive briefing: The European Parliament and Council reached a political agreement on the Directive on measures for a high common level of cybersecurity across the Union (NIS2). The deal widens coverage to new sectors, tightens incident notification windows, and imposes explicit board-level accountability for cybersecurity risk management.
Key obligations agreed
- Broader scope. Essential entities now include energy, transport, health, and digital infrastructure operators, while important entities cover critical manufacturing, food, postal, and waste water providers.
- Governance. Management bodies must approve cybersecurity risk management measures, oversee implementation, and can be held liable for compliance failures.
- Reporting cadence. Significant incidents require initial notification within 24 hours, status updates by 72 hours, and a final report within one month.
Operational preparation
- Inventory EU subsidiaries, suppliers, and joint ventures to determine whether they fall under the essential or important entity definitions.
- Benchmark existing policies against Articles on vulnerability handling, supply-chain risk, encryption, and multi-factor authentication that will become mandatory once national transposition completes.
- Stage incident reporting runbooks that capture the early warning, intermediate, and final report data elements national authorities will demand.
Enablement moves
- Brief boards on accountability provisions and training requirements introduced by the political agreement.
- Coordinate with procurement teams to embed NIS2-aligned clauses—breach notification, vulnerability disclosure, and audit access—into supplier contracts.
- Map overlaps with DORA and the Critical Entities Resilience Directive so dual-regulated entities can deliver unified assurance packs.
Zeph Tech is preparing transposition trackers, supplier diligence checklists, and incident reporting templates so EU operators can evidence NIS2 readiness.