European Council and European Parliament Agree to New Cybersecurity Standard

Download the privacy alert!

European Council and European Parliament Agree to New Cybersecurity Standard

Why This Privacy Law is Important:

Drafted in 2021, the revised Directive on security of network and information systems (also known as NIS2) has been agreed to in principle by the European Council and the European Parliament. In a press release on May 13, 2022, the Council states that these new measures will promote a higher level of cybersecurity across the EU and will “further improve the resilience and incident response capacities of both the public and private sector and the EU as a whole.”


NIS2 replaces the existing directive, adopted in 2016, which was the first piece of EU-wide legislation on cybersecurity. While it aimed to achieve a high level of cybersecurity across EU Member States, its implementation was difficult, resulting in fragmented and largely insufficient security levels. Since cyberattacks have only increased since then, NIS2 raises standards, provides stronger oversight, and gives greater powers for enforcement.

NIS2 defines minimum rules for a regulatory framework, as well as mechanisms to enhance collaboration between authorities in member states. It updates both the sectors and activities governed by cybersecurity obligations and provides remedies and sanctions to ensure compliance by regulated entities. To facilitate adoption and collaboration, it establishes a committee to support the coordinated management of large-scale cybersecurity incidents.

Who it Applies to:

NIS2 sets obligations for organizations in essential fields, such as energy, transportation, health, and digital infrastructure, public administration, and the space sector. It will catch manufacturers of certain products considered critical, including medical devices, computer, electronic and optical products, certain equipment and machinery, vehicles and transport equipment. It will also extend to postal services, waste management, food production and processing, and further digital services such as public electronic communications services, data center services, CDNs and social networking services.

Unlike under the preceding standards, member states do not have sole authority to determine which entities are governed by the regulations. Rather, a size-cap rule means that medium- to large-sized organizations operating in these fields must comply. The directive does not apply to entities carrying out activities in areas such as defense or national security, public security, law enforcement, the judiciary, parliaments, or central banks.

Download the Privacy Alert to the right to get the full text and expert analysis!

Download the Resource