Cybersecurity Briefing — NIS2 Directive enters into force
The EU’s revised NIS2 Directive was published in the Official Journal on 27 December 2022, expanding security and incident-reporting obligations for essential and important entities across critical sectors.
The Directive on measures for a high common level of cybersecurity across the Union (NIS2) was published in the EU Official Journal on 27 December 2022, triggering entry into force on 16 January 2023. NIS2 broadens sectoral scope to include providers in energy, transport, healthcare, digital infrastructure, managed services, and more, and it introduces stricter risk management, supply chain oversight, and vulnerability handling duties.
Covered entities must notify significant incidents within 24 hours of awareness, provide detailed follow-ups within 72 hours, and deliver final reports within one month. Organizations operating in the EU should identify in-scope entities, update incident response plans, and align governance and supplier assurance programs ahead of Member State transposition due by 17 October 2024.
- Directive (EU) 2022/2555 provides the full NIS2 text and timelines.
- European Commission NIS2 page summarizes scope expansions and reporting expectations.




