Differences between NIS and NIS 2 directives

The European Union's cybersecurity rules, introduced in 2016, have been updated by Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity in the Union. The new Directive replaces Directive (EU) 2016/1148 and extends its scope to cover a wider range of economic sectors.
 
What are the differences between Directive (EU) 2016/1148 (known as the NIS Directive) and Directive (EU) 2022/2555 (known as the NIS2 Directive)?

1. Scope:
- NIS Directive: Targets essential sectors such as energy, transport, banking and healthcare. Focuses on essential service operators and digital service providers.
- NIS 2 Directive: Extends the scope to more sectors and types of entities, providing broader coverage of digital and essential services.

2. Security and incident reporting requirements:
- NIS Directive: Establishes basic security and incident reporting requirements for sectors deemed essential.
- NIS 2 Directive: Introduces stricter security requirements and more intensive supervision of digital service providers by national authorities. It also imposes stricter incident response and reporting obligations.

3. Regulatory and supervisory framework:
- NIS Directive: Establishes the basic framework for Member States to identify essential service operators and digital service providers, manage risks and report incidents.
- NIS 2 Directive: Strengthens the regulatory framework to ensure a more coordinated approach across the EU. Emphasises the need for greater strategic and operational cooperation between Member States.

4. National Strategies and Policies:
- NIS Directive: Requires Member States to develop national strategies for the security of networks and information systems.
- NIS 2 Directive: Encourages more harmonised and comprehensive national strategies, bringing them more into line with EU strategies and policies.

5. Filling the gap and providing legal certainty:
- NIS Directive: Aims to reduce disparities in cyber security preparedness between Member States but has limitations in terms of uniform application.
- NIS 2 Directive: Specifically targets the disparities in cyber security measures between Member States, aiming at uniformity, legal certainty and a higher overall level of cyber security in the Union.

6. Cross-border cooperation:
- NIS Directive: Introduces measures for cooperation between Member States.
- NIS 2 Directive: Focuses on more effective cross-border cooperation and information sharing, creating a more robust framework for joint cyber security response.

In essence, the NIS 2 Directive can be seen as an evolution and strengthening of the principles and framework established by the NIS Directive, with the aim of achieving a more coordinated, comprehensive and rigorous cyber security regime in the European Union.

In order to implement the requirements of Directive (EU) 2022/2555 (NIS 2), EU Member States need to take a number of steps:

1. Transposition of the Directive:
- Member States must transpose the requirements of the Directive into national law, adopting new legislation or amending existing legislation to meet the standards and requirements set out in the Directive.

2. Designation of competent authorities and contact points:
- Each Member State must designate or establish competent authorities responsible for implementing the Directive.
- Contact points for network and information system security must also be set up to facilitate cooperation and the exchange of information between Member States.

3. Development of national strategies:
- Member States should develop or update their national network and information systems security strategies to take account of the requirements of the Directive.

4. Identification of essential service providers and digital service providers:
- As required by the Directive, Member States must identify the essential service providers and digital service providers covered by the Directive.

5. Security measures and incident reporting:
- Member States must ensure that identified operators and providers implement appropriate technical and organisational security measures.
- They must also establish procedures for reporting incidents affecting the security of networks and information systems.

6. Cooperation and exchange of information:
- Cooperation and exchange of information between Member States, and between competent authorities and operators of essential services and digital service providers, should be encouraged.

7. Supervision and sanctions:
- Member States should establish mechanisms to monitor and verify compliance with the requirements of the Directive.
- Penalties for non-compliance should be established.

This is a general framework, and the steps may vary according to the specific conditions and legal frameworks of each Member State. For more detailed information and an exact timeframe for the implementation of the Directive, it is advisable to consult the official documents and guidance provided by the European Union or the relevant national authorities.

The deadline for transposition of the Directive into national law is 17.10.2024.
 
Directive - 2022/2555 - EN - EUR-Lex (europa.eu)
Directive - 2016/1148 - EN - EUR-Lex (europa.eu)
Published in News, 05.02.24