Today, the NIS 2 Directive (Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive), OJ L 333, 27.12.2022, p. 80–152) enters into force. Member States have to transpose the Directive into national law by 17 October 2024. The NIS Directive (Directive (EU) 2016/1148) is repealed with effect from 18 October 2024.
The time frame is rather tight considering the significant increase in entities covered due to new sectors being added and the introduction of a size-cap rule. The latter seeks to eliminate inconsistencies in the identification of essential services across the EU. It is no longer up to the Member States to decide upon thresholds and identification systems (top-down vs. bottom-up); all entities which qualify as medium-sized enterprises under Article 2 of the Annex to Commission Recommendation 2003/361/EC, or exceed the ceilings for medium-sized enterprises provided for in para. 1 of that Article, and which operate within the sectors covered by the NIS 2 Directive and provide the types of service or carry out the activities covered by the NIS 2 Directive fall within its scope. Estimates of the increase in entities covered range from seven-fold (see T. Sievers, Proposal for a NIS directive 2.0: companies covered by the extended scope of application and their obligations referring to the European Commission’s Impact Assessment Report, EU-doc. SWD (2020) 345 final, Part 1/3, p. 20, 70) to forty-fold (Cyber Security Coalition asbl/vzw. NIS-2: Where are you?) compared to the status quo. With more entities being covered and new supervisory and enforcement powers granted to the competent NIS authorities, a key aspect for Member States will be the respective staffing and funding of national authorities.
In a previous publication we mapped the NIS 2 Proposal against the latest legislative measures in Germany and Italy in the field of cybersecurity since both Member States had already implemented some of the suggested changes and discussed amendments (see here).