
Cybersecurity · Credibility 94/100 · 2 min read

EU NIS2 Directive Published in Official Journal — December 27, 2022

The EU’s updated NIS2 Directive was published in the Official Journal, starting the implementation countdown for broader cyber risk obligations across essential and important entities.

Executive briefing: The Official Journal of the European Union published NIS2, expanding security and incident-reporting duties for operators of essential and important entities across the bloc. Once the directive enters into force, Member States have 21 months to transpose the rules into national law, and covered organisations must comply with stronger risk management, supply-chain governance, and 24-hour early-warning incident notification requirements.

Key changes for operators

  • Expanded scope. NIS2 adds more sectors—including energy distribution, waste management, postal services, and digital providers—to the EU’s list of essential and important entities subject to supervisory oversight.
  • Risk management baselines. Entities must implement multi-factor authentication, vulnerability disclosure processes, supply-chain security assessments, and incident handling measures enumerated in Article 21.
  • Incident timelines. Operators must submit an early warning within 24 hours of becoming aware of a significant incident, a full incident notification within 72 hours, and a final report within one month.

Control alignment guidance

  • ISO/IEC 27001 A.5. Update information security policies to document NIS2-specific responsibilities, especially escalation flows to national CSIRTs and regulators.
  • NIST CSF ID.SC. Enhance supplier assessments to include contract clauses on vulnerability reporting, incident cooperation, and assurance evidence for critical dependencies.
  • NIST CSF RS.AN. Calibrate incident categorisation criteria so security operations can recognise events that meet the NIS2 definition of significant impact.

Operational recommendations

  • Map subsidiaries and service providers that qualify as essential or important entities in each EU Member State and assign accountable executives for transposition monitoring.
  • Launch NIS2 tabletop exercises with legal, public affairs, and supply-chain leaders to practice the 24/72-hour notification cadence.
  • Review cyber insurance policies and incident retainers to confirm they align with Member State supervisory authority expectations for cooperation and evidence sharing.
Topics: European Union · NIS2 · Incident reporting · Supply chain security