
Chapter 1 of 11

NIS2 in Context: Why the EU Reinvented Its Cybersecurity Directive

Introduces the evolution from NIS1 to NIS2, the policy drivers behind the new directive, and its role in the broader EU cybersecurity strategy.

15 min read

1. Setting the Scene: From NIS1 to NIS2

In this module you will situate NIS2 within the evolution of EU cybersecurity law and understand why the EU decided to fundamentally revise its first Network and Information Security Directive (NIS1).

Key timeline (relative to today – December 2025):

  • 2016 – Directive (EU) 2016/1148 ("NIS1") adopted: the EU’s first horizontal cybersecurity law.
  • 2018 – NIS1 implementation deadline for Member States.
  • 2018–2020 – Growing criticism: limited scope, inconsistent implementation, uneven security levels.
  • December 2020 – European Commission proposes NIS2.
  • December 2022 – Directive (EU) 2022/2555 ("NIS2") adopted.
  • 16 January 2023 – NIS2 enters into force.
  • 17 October 2024 – Deadline for Member States to transpose NIS2 into national law; from 18 October 2024 the new rules apply and NIS1 is repealed.

By late 2025, all Member States are legally required to have implemented NIS2, though in practice transposition quality and enforcement maturity vary.

In this module we will:

  1. Diagnose NIS1’s limitations (scope, fragmentation, weak enforcement).
  2. Analyse policy drivers behind NIS2 (geopolitics, digitalisation, supply chains).
  3. Dissect NIS2’s objectives and structure (Directive (EU) 2022/2555).
  4. Map NIS2 to other EU instruments (GDPR, EECC, sectoral rules, CER Directive, DORA, etc.).
  5. Distil high-level obligations for Member States and covered entities.

You are expected to already know core EU law concepts (directives vs regulations, competence, harmonisation) and basic cybersecurity governance (risk management, incident reporting). The focus here is critical analysis, not just memorisation.

2. NIS1: Ambition vs Reality

To understand NIS2, you must first forensically examine NIS1’s shortcomings.

2.1 What NIS1 tried to do

NIS1 (Directive (EU) 2016/1148):

  • Was the first EU-wide cybersecurity law.
  • Targeted "operators of essential services" (OES) in sectors like energy, transport, banking, health, drinking water, and digital infrastructure.
  • Covered a narrow set of "digital service providers" (DSPs): online marketplaces, online search engines, cloud computing.
  • Required:
    • National cybersecurity strategies.
    • Computer Security Incident Response Teams (CSIRTs).
    • Security and incident notification obligations for OES/DSPs.
    • Cooperation Group and CSIRTs Network.

2.2 Structural weaknesses of NIS1

  1. Narrow and inconsistent scope
    • Each Member State used different criteria to identify OES (e.g., market share thresholds, national lists), leading to a regulatory patchwork.
    • Some critical sectors and entities (e.g., many SMEs in critical supply chains, some public administration functions) remained outside scope.
  2. Fragmented implementation and supervision
    • Wide discretion in transposition led to divergent:
      • Security requirements (sometimes high-level, sometimes very prescriptive).
      • Supervisory models (sectoral vs centralised, ex ante vs ex post).
    • Result: an uneven level of cybersecurity across the EU and regulatory arbitrage for cross-border operators.
  3. Weak enforcement and low deterrence
    • No harmonised EU-level approach to penalties; some Member States imposed minimal fines.
    • Limited capacity and expertise in several national authorities.
  4. Insufficient treatment of supply-chain and ecosystem risks
    • NIS1 focused mainly on individual operators, not on systemic interdependencies and supply-chain vulnerabilities.
  5. Underdeveloped reporting framework
    • Divergent incident notification thresholds and processes.
    • Under-reporting due to fear of reputational damage and regulatory uncertainty.

2.3 Why this mattered in practice

  • Example: Cross-border cloud provider under NIS1

A large cloud provider operating in 10+ Member States faced different supervisory expectations and incident thresholds in each country. This increased compliance cost and undermined the idea of a Digital Single Market.

Thought hook:

> If NIS1’s objective was a "high common level of security of network and information systems", how "common" can that level be if each Member State defines critical operators, risk measures, and penalties differently?

3. Diagnostic Exercise: Where Did NIS1 Fall Short?

Use this brief thought exercise to sharpen your analytical lens.

Task 1 – Classify the issues

For each problem below, classify it as mainly (A) Scope, (B) Governance/Fragmentation, or (C) Enforcement/Deterrence:

  1. A major hospital in one Member State is classified as an OES and heavily regulated, while a similar hospital in another Member State is not.
  2. A cloud provider experiences a cross-border outage but receives different incident reporting deadlines from three national authorities.
  3. A large energy distributor repeatedly fails to patch critical systems but faces only symbolic fines.
  4. A public administration providing eID and tax services is not covered by NIS1 at all.

Write down your classification before checking the suggested solution.

Suggested classification:

  • 1 → Scope and Governance/Fragmentation (dual nature: inconsistent designation of OES, plus coordination failure).
  • 2 → Governance/Fragmentation (divergent procedures and thresholds).
  • 3 → Enforcement/Deterrence.
  • 4 → Scope (coverage gap for critical public services).

Task 2 – Link to policy response

For each category, hypothesise one type of reform you would design (without yet looking at NIS2):

  • Scope → e.g., …
  • Governance/Fragmentation → e.g., …
  • Enforcement/Deterrence → e.g., …

Keep your hypotheses; we will confront them with what NIS2 actually does in the next steps.

4. Policy Drivers Behind NIS2: Why Reinvent the Directive?

Between NIS1 (2016) and NIS2 (2022), the context of cybersecurity in Europe changed dramatically.

4.1 Macro drivers

  1. Acceleration of digitalisation
    • Massive growth of cloud, IoT, 5G, remote work, and digital public services.
    • Critical functions increasingly depend on digital platforms and data flows.
  2. Rising geopolitical tension and cyber operations
    • State and state-sponsored actors intensify operations against EU targets.
    • Russia’s full-scale invasion of Ukraine in 2022 highlighted cyber as a tool of hybrid warfare.
    • Attacks on energy, transport, health, and government systems raised the stakes for resilience.
  3. High-impact incidents and supply-chain compromises
    • Global cases like SolarWinds (2020) and Kaseya (2021), though not EU-specific, illustrated the systemic risk of supply-chain attacks.
    • Attacks on critical EU infrastructure and hospitals exposed dependencies on third-country providers.
  4. Fragmentation undermining the Digital Single Market
    • Businesses operating cross-border faced regulatory complexity and uneven expectations.
    • The EU’s broader strategy for a trusted digital space (e.g., GDPR, EECC, Data Strategy, Cybersecurity Act) required coherent cybersecurity baselines.

4.2 Strategic alignment with EU cybersecurity policy

NIS2 is part of a broader architecture, including:

  • EU Cybersecurity Strategy for the Digital Decade (2020).
  • EU Cybersecurity Act (Regulation (EU) 2019/881) – strengthened ENISA, introduced EU cybersecurity certification.
  • CER Directive (Directive (EU) 2022/2557) – on the resilience of critical entities, complementary to NIS2.
  • DORA (Regulation (EU) 2022/2554) – for digital operational resilience in financial services.

The Commission concluded that incremental tweaks to NIS1 were insufficient. Instead, it pursued a "NIS2" reboot to:

  • Expand and clarify scope.
  • Raise and harmonise security baselines.
  • Strengthen and align enforcement, including penalties.
  • Integrate supply-chain and ecosystem risk management.

You should see NIS2 not as a minor revision but as a second-generation EU cybersecurity directive designed to operate in a far more complex and hostile digital environment.

5. Inside Directive (EU) 2022/2555: Objectives, Scope & Structure

Directive (EU) 2022/2555 (NIS2) is the central horizontal EU cybersecurity instrument as of 2025.

5.1 Core objectives (Article 1)

NIS2 aims to:

  1. Achieve a high common level of cybersecurity across the Union.
  2. Improve the functioning of the internal market by:
    • Harmonising security and incident reporting obligations.
    • Reducing regulatory fragmentation.
  3. Enhance Member State preparedness and cooperation.
  4. Address supply-chain vulnerabilities and cross-border interdependencies.

5.2 Structural overview (high-level)

NIS2 is structured into nine chapters plus two annexes; the ones you will use most are:

  • Chapter I – General provisions: subject matter, scope (Articles 2–3), relationship with sector-specific Union acts (Article 4), definitions (Article 6).
  • Chapter II – Coordinated cybersecurity frameworks: national strategies, competent authorities and single points of contact, national crisis management frameworks, CSIRTs, coordinated vulnerability disclosure.
  • Chapter III – Cooperation at Union and international level: Cooperation Group, CSIRTs Network, EU-CyCLONe, peer reviews.
  • Chapter IV – Cybersecurity risk-management measures and reporting obligations for entities (Articles 20–25: governance, the Article 21 measures, Article 23 reporting, certification and standardisation).
  • Chapter V – Jurisdiction and registration.
  • Chapter VI – Information sharing.
  • Chapter VII – Supervision and enforcement (Articles 31–37, including the penalty ceilings in Article 34).
  • Chapters VIII and IX – Delegated/implementing acts and final provisions (transposition in Article 41, repeal of NIS1 in Article 44).
  • Annexes I and II – Sectors of high criticality and other critical sectors.

5.3 Expanded and clarified scope

NIS2 abandons the old NIS1 categories of "operators of essential services" and "digital service providers". Instead it works in two steps: Annexes I and II define which sectors are in scope, and Article 3 then sorts in-scope entities into two categories. Note that the category is not read straight off the annex; size matters too.

  1. Annex I – sectors of high criticality, e.g.:
    • Energy (electricity, district heating and cooling, oil, gas, hydrogen).
    • Transport (air, rail, water, road).
    • Banking and financial market infrastructures.
    • Health (hospitals and other healthcare providers, EU reference laboratories, manufacturers of basic pharmaceutical products, and medical-device manufacturers considered critical in a public health emergency).
    • Drinking water and waste water.
    • Digital infrastructure (IXPs, DNS service providers, TLD name registries, cloud computing, data centre and CDN providers, trust service providers, providers of public electronic communications networks and services).
    • ICT service management (business-to-business managed service providers and managed security service providers).
    • Public administration (central government, and regional level where a Member State so provides).
    • Space.
  2. Annex II – other critical sectors, e.g.:
    • Postal and courier services.
    • Waste management.
    • Manufacture, production and distribution of chemicals; production, processing and distribution of food.
    • Manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment).
    • Digital providers (online marketplaces, online search engines, social networking platforms).
    • Research organisations.
  3. Size-cap rule (Article 2(1), with exceptions in Article 2(2))
    • As a rule, NIS2 applies only to entities in these sectors that are medium-sized or larger under Commission Recommendation 2003/361/EC: at least 50 employees, or an annual turnover above €10m and an annual balance sheet total above €10m. An entity stays below the cap only if it has fewer than 50 employees and at least one of the two financial figures is at or under €10m.
    • Some entity types are in scope regardless of size, e.g. DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, and public administration entities of central government. The Directive also applies regardless of size where an entity is the sole provider in a Member State of a service essential to critical societal or economic activities, or where its disruption could significantly affect public safety, security or health or induce cross-border systemic risk; Member States identify these entities.
  4. Essential vs important (Article 3)
    • Essential entities are, in the main, large entities in Annex I sectors, plus certain types regardless of size (qualified trust service providers, TLD name registries, DNS service providers, central government bodies) and entities identified as critical entities under the CER Directive.
    • Important entities are all other in-scope entities: medium-sized entities in Annex I sectors and medium or large entities in Annex II sectors.
    • A medium-sized hospital is therefore an important entity, not an essential one, even though health is an Annex I sector.

5.4 Essential vs Important: same obligations, different supervision

  • Security and reporting obligations (Articles 21 and 23) are the same for essential and important entities; the split affects supervision and penalties, not the baseline.
  • Supervision model differs:
    • Essential entities → ex ante and ex post supervision (Article 32): regular and targeted audits, on-site inspections, security scans and information requests at the authority’s own initiative.
    • Important entities → ex post supervision only (Article 33), triggered by evidence, indication or information that the entity is non-compliant.
  • Penalty ceilings differ too: at least €10m or 2% of total worldwide annual turnover for essential entities, at least €7m or 1.4% for important entities, whichever is higher (Article 34).

This design aims to balance risk-based regulation with administrative feasibility.
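To make the scoping rules of 5.3 and 5.4 concrete, here is an added Python example, written for this module and not an official EU, ENISA or national-authority tool, that applies the size cap from Recommendation 2003/361/EC and the Article 3 essential/important split to one legal entity. The sector keywords, the lists of entity types that are in scope or essential regardless of size, and the sample entities are simplifications and constructed inputs, not official data; Member State designations under Article 2(2)(b)-(e) are not modelled.

```python
"""Scoping helper for NIS2 Articles 2 and 3 (illustrative; not an official tool).

Assumptions: sector keywords abbreviate Annexes I/II; the regardless-of-size
lists abbreviate Articles 2(2), 2(3) and 3(1); Member State designations under
Article 2(2)(b)-(e) are not modelled. Output is first-pass triage, not legal advice.
"""
from dataclasses import dataclass
from enum import Enum


class Size(Enum):
    SMALL = "micro/small"   # below the size cap
    MEDIUM = "medium"
    LARGE = "large"


class Category(Enum):
    OUT_OF_SCOPE = "out of scope"
    IMPORTANT = "important entity"
    ESSENTIAL = "essential entity"


# Annex I (sectors of high criticality) and Annex II (other critical sectors),
# abbreviated to sector keywords (an assumption of this example).
ANNEX_I = {"energy", "transport", "banking", "financial market infrastructure",
           "health", "drinking water", "waste water", "digital infrastructure",
           "ict service management", "public administration", "space"}
ANNEX_II = {"postal and courier", "waste management", "chemicals", "food",
            "manufacturing", "digital providers", "research"}

# Article 3(1)(b) and (d): essential whatever the size.
ESSENTIAL_REGARDLESS_OF_SIZE = {"qualified trust service provider", "tld name registry",
                                "dns service provider", "central government"}
# Article 2(2)(a) and (f): in scope whatever the size (but not necessarily essential).
IN_SCOPE_REGARDLESS_OF_SIZE = ESSENTIAL_REGARDLESS_OF_SIZE | {
    "trust service provider", "public electronic communications provider",
    "regional public administration"}

EUR_M = 1_000_000


@dataclass
class Entity:
    name: str
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    entity_type: str = ""               # e.g. "dns service provider"
    cer_critical_entity: bool = False   # identified as critical under CER, Art. 3(1)(f)


def size_class(e: Entity) -> Size:
    """Recommendation 2003/361/EC, Annex, Article 2.

    Small (or micro): fewer than 50 staff AND turnover and/or balance sheet
    total at or under EUR 10m, i.e. an entity with fewer than 50 staff stays
    below the cap as long as at least one of the two financial figures is <= 10m.
    Medium: fewer than 250 staff AND (turnover <= 50m OR balance sheet <= 43m).
    Everything else is large.
    """
    if e.employees < 50 and (e.turnover_eur <= 10 * EUR_M or e.balance_sheet_eur <= 10 * EUR_M):
        return Size.SMALL
    if e.employees < 250 and (e.turnover_eur <= 50 * EUR_M or e.balance_sheet_eur <= 43 * EUR_M):
        return Size.MEDIUM
    return Size.LARGE


def classify(e: Entity) -> Category:
    """Articles 2 and 3 NIS2, simplified to the rules listed above."""
    sector, etype = e.sector.lower(), e.entity_type.lower()
    if sector not in ANNEX_I | ANNEX_II:
        return Category.OUT_OF_SCOPE
    size = size_class(e)
    # Size cap (Art. 2(1)) unless a regardless-of-size rule applies (Art. 2(2), 2(3)).
    if size is Size.SMALL and etype not in IN_SCOPE_REGARDLESS_OF_SIZE and not e.cer_critical_entity:
        return Category.OUT_OF_SCOPE
    # Art. 3(1): essential entities.
    if etype in ESSENTIAL_REGARDLESS_OF_SIZE or e.cer_critical_entity:
        return Category.ESSENTIAL
    if etype == "public electronic communications provider" and size is Size.MEDIUM:
        return Category.ESSENTIAL                       # Art. 3(1)(c)
    if sector in ANNEX_I and size is Size.LARGE:
        return Category.ESSENTIAL                       # Art. 3(1)(a)
    # Art. 3(2): every other in-scope entity is an important entity.
    return Category.IMPORTANT


if __name__ == "__main__":
    # Constructed sample entities (not real organisations).
    for ent in (
        Entity("Large hospital group", "health", 1200, 400 * EUR_M, 300 * EUR_M),
        Entity("Regional hospital", "health", 120, 20 * EUR_M, 15 * EUR_M),
        Entity("Small DNS operator", "digital infrastructure", 12, 2 * EUR_M, 1 * EUR_M, "dns service provider"),
        Entity("SaaS payroll vendor A", "digital infrastructure", 40, 12 * EUR_M, 8 * EUR_M),
        Entity("SaaS payroll vendor B", "digital infrastructure", 40, 12 * EUR_M, 11 * EUR_M),
        Entity("Postal operator", "postal and courier", 3000, 900 * EUR_M, 700 * EUR_M),
    ):
        print(f"{ent.name:24s} {size_class(ent).value:12s} {classify(ent).value}")
```

The two SaaS vendors show why the "and/or" in the Recommendation matters: both have 40 staff and €12m turnover, but vendor A (balance sheet €8m) stays below the cap while vendor B (€11m) is a medium-sized entity and therefore an important entity. The regional hospital shows that an Annex I sector does not by itself make an entity essential.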

6. Quick Check: What Changed from NIS1 to NIS2?

Test your understanding of the core structural shift from NIS1 to NIS2.

Which of the following best captures a **key structural change** from NIS1 to NIS2?

  A) NIS2 replaces national CSIRTs with a single EU-level CSIRT managed by ENISA.
  B) NIS2 abandons the OES/DSP distinction and introduces 'essential' and 'important' entities with a size-cap rule.
  C) NIS2 limits its scope to the energy and banking sectors to improve enforcement capacity.

Answer: B) NIS2 abandons the OES/DSP distinction and introduces 'essential' and 'important' entities with a size-cap rule.

NIS2 **replaces the NIS1 categories of 'operators of essential services' (OES) and 'digital service providers' (DSPs)** with 'essential' and 'important' entities, combined with a general size-cap rule (medium and large entities, with exceptions). CSIRTs are not replaced by a single EU CSIRT, and the scope is significantly expanded, not limited to a few sectors.

7. NIS2 in the EU Legal Ecosystem: GDPR, EECC, CER, DORA & More

NIS2 does not operate in a vacuum. It must be read together with other EU legal instruments, some horizontal, some sector-specific.

7.1 NIS2 and GDPR (Regulation (EU) 2016/679)

  • Overlap: Both can apply to the same incident (e.g., a ransomware attack on a hospital affecting system availability and compromising personal data).
  • Key differences:
  • GDPR focuses on personal data protection and rights of data subjects.
  • NIS2 focuses on network and information system security and continuity of services.
  • Incident reporting:
    • GDPR: personal data breaches → notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware (Article 33), unless the breach is unlikely to result in a risk to individuals; communicate to the data subjects where the risk is high (Article 34).
    • NIS2: multi-stage reporting of significant incidents to the CSIRT or competent authority (Article 23): early warning within 24 hours, incident notification within 72 hours, intermediate reports on request, and a final report within one month of the incident notification.
  • Coordination: the same event typically triggers parallel notifications to the data protection authority and to the NIS2 competent authority/CSIRT, on clocks that start at different moments (awareness of the incident vs awareness of the personal data breach), so the incident response plan should record both timestamps.

7.2 NIS2 and EECC (European Electronic Communications Code – Directive (EU) 2018/1972)

  • Under NIS1, providers of public electronic communications networks and services were outside scope; their security and integrity obligations sat in Articles 40 and 41 of the EECC instead.
  • NIS2 ends that split: these providers are now NIS2 entities (Annex I, digital infrastructure) regardless of size, and Article 43 NIS2 deletes EECC Articles 40 and 41 with effect from 18 October 2024.
  • The EECC continues to govern the rest of the telecoms regime (authorisation, spectrum, access, end-user rights), so Member States must keep the two frameworks coherent and avoid double regulation.

7.3 NIS2 and the CER Directive (Directive (EU) 2022/2557)

  • CER focuses on physical resilience of critical entities (e.g., physical protection, redundancy of facilities).
  • NIS2 focuses on cybersecurity.
  • Many entities are dual-regulated (e.g., energy or transport operators):
    • They must meet both physical resilience (CER) and cyber resilience (NIS2) obligations.
    • An entity identified as a critical entity under CER is automatically an essential entity under NIS2 (Article 3(1)(f)), whatever its size.
    • The two directives require the respective competent authorities to cooperate and exchange information, and call for risk assessments that consider both physical and cyber threats.

7.4 NIS2 and DORA (Regulation (EU) 2022/2554)

  • DORA applies to financial entities (banks, insurers, investment firms, etc.) and certain ICT third-party service providers.
  • It creates a sector-specific, highly detailed digital operational resilience framework.
  • Relationship with NIS2:
    • Article 4 NIS2 gives way to sector-specific Union acts whose risk-management and incident-reporting requirements are at least equivalent in effect; DORA is the leading case, so it is lex specialis for covered financial entities.
    • NIS2 remains relevant for horizontal coordination and for entities in the financial ecosystem that are not DORA-regulated.

7.5 NIS2 and the EU Cybersecurity Act (Regulation (EU) 2019/881)

  • Cybersecurity Act establishes EU cybersecurity certification schemes.
  • NIS2 encourages the use of certification as a tool to demonstrate compliance with security requirements, where appropriate.

Key takeaway: NIS2 is the horizontal backbone of EU cybersecurity law, but sectoral instruments (GDPR, EECC, DORA, CER, etc.) may impose stricter or more specific obligations. Understanding lex specialis and coordination mechanisms is critical.

8. Case Study: A Cross-Sector Cyber Incident Under NIS2

Consider a hypothetical but realistic scenario to see how NIS2 interacts with other rules.

Scenario

In 2025, EuroMed Health Group, a large cross-border hospital network (an essential entity under NIS2), suffers a ransomware attack:

  • Electronic Health Record (EHR) systems are encrypted.
  • Some data are exfiltrated and posted on a leak site.
  • Operations in hospitals across three Member States are disrupted for 48 hours.

Step-by-step regulatory analysis

  1. NIS2 qualification
    • Sector: Health (Annex I); EuroMed is a large entity → essential entity.
    • Jurisdiction: each legal entity in the group is supervised by the Member State in which it is established (Article 26), so a group with hospitals in three Member States may owe notifications to three CSIRTs/competent authorities.
    • Impact: the incident caused severe operational disruption and affected patients through the leak → significant incident (Article 23(3)); the cross-border effect also makes it a candidate for information sharing via the CSIRTs Network.
  2. NIS2 obligations triggered
    • Risk management (Article 21): EuroMed must already have in place:
      • Policies on risk analysis, incident handling, business continuity, supply-chain security, cryptography, access control and multi-factor authentication, etc.
    • Incident reporting (Article 23):
      • Early warning to the CSIRT/competent authority within 24 hours of becoming aware of the significant incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
      • Incident notification within 72 hours, with an initial assessment of severity and impact and any indicators of compromise.
      • Final report within one month of the incident notification (a progress report if the incident is still ongoing), with root cause, mitigation measures and any cross-border impact.
      • Where appropriate, informing recipients of the services (here, patients and referring clinicians) of the incident and of measures they can take (Article 23(1) and (2)).
  3. GDPR obligations
    • Data exfiltration of health data → personal data breach.
    • Must notify data protection authorities within 72 hours (Article 33 GDPR).
    • Health data is a special category of personal data; the high risk to patients means communication to affected data subjects will normally be required (Article 34 GDPR).
  4. CER Directive (if applicable)
    • If EuroMed is also identified as a critical entity under the CER Directive, it is an essential entity under NIS2 by that fact alone, and it must integrate this incident into its overall resilience planning, including physical backup sites, redundancies, and continuity strategies.
  5. Supervision and enforcement
    • Under NIS2, national authorities may:
      • Conduct on-site or off-site inspections, audits and security scans.
      • Request evidence of risk management measures.
      • Issue warnings and binding instructions, order corrective measures, and impose administrative fines for non-compliance.
    • Maximum fines under NIS2 are at least €10 million or 2% of total worldwide annual turnover for essential entities, and at least €7 million or 1.4% for important entities, whichever is higher (Article 34); national transposition may set higher ceilings.

Analytical question

> Identify three distinct legal risks EuroMed faces beyond the technical challenge of restoring systems. For each risk, specify the relevant instrument (NIS2, GDPR, CER, etc.) and the type of liability (administrative, reputational, civil, etc.).

Use this scenario to practise multi-instrument reasoning: rarely will a real-world incident engage only one EU law.

9. High-Level Obligations Under NIS2: Member States vs Entities

NIS2 imposes obligations at two levels: Member States and covered entities.

9.1 Obligations for Member States

  1. National cybersecurity strategy (Article 7)
    • Must define strategic objectives, governance, roles, and resources.
  2. Competent authorities, crisis management and CSIRTs (Articles 8–11)
    • Designate one or more national competent authorities and a single point of contact (SPOC) for cross-border cooperation (Article 8).
    • Adopt a national large-scale incident and crisis response plan and designate a cyber crisis management authority (Article 9).
    • Establish at least one CSIRT with clearly defined tasks (Articles 10–11).
  3. Supervision and enforcement framework (Chapter VII)
    • Establish effective, proportionate, and dissuasive penalties.
    • Equip authorities with supervisory powers (inspections, audits, security scans, information requests, on-site visits).
  4. Cooperation mechanisms
    • Participate in the Cooperation Group, CSIRTs Network, and EU-CyCLONe (for large-scale incidents and crises).
  5. Identification of entities and scope management
    • Apply the size-cap rule and establish a list of essential and important entities in Annex I/II sectors (Article 3(3)), reviewed at least every two years.
    • May designate additional entities under Article 2(2) when justified by national risk assessments.

9.2 Obligations for Essential and Important Entities

Article 21 – Cybersecurity risk management measures: entities must take appropriate and proportionate technical, operational and organisational measures, based on an all-hazards approach and taking into account the state of the art, covering at least:

  • Risk analysis and information system security policies.
  • Incident handling (prevention, detection, response, recovery).
  • Business continuity and crisis management, including backup and disaster recovery.
  • Supply-chain security, including security-related aspects of relationships with direct suppliers and service providers.
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure.
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures.
  • Basic cyber hygiene practices and cybersecurity training.
  • Policies and procedures on the use of cryptography and, where appropriate, encryption.
  • Human resources security, access control policies and asset management.
  • Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate.

Article 23 – Reporting obligations for significant incidents (to the CSIRT or the competent authority):

  • Early warning within 24 hours of becoming aware of the incident.
  • Incident notification within 72 hours (24 hours for trust service providers).
  • Intermediate status updates on request of the CSIRT or competent authority.
  • Final report within one month of submitting the incident notification; if the incident is still ongoing at that point, a progress report instead, with the final report due one month after the incident has been handled.
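The Article 23 deadlines above, and the parallel GDPR clock from the EuroMed case study in section 8, as an added Python example written for this module (not an official tool). The timestamps are constructed; the calendar-month reading of "one month", the convention of logging all times in UTC, and the omission of the trust-service-provider derogation and of any tighter national or DORA deadlines are assumptions of this example.

```python
"""NIS2 Art. 23 / GDPR Art. 33 notification scheduler (illustrative; not an official tool).

Assumptions: the incident has already been assessed as 'significant' and a
personal data breach has occurred; all timestamps are timezone-aware; 'one
month' is one calendar month clamped to month end; the trust-service-provider
derogation and any tighter national or sectoral deadlines are not modelled.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor: a UTC-aware timestamp."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def _require_aware(t: datetime, label: str) -> None:
    if t.tzinfo is None or t.utcoffset() is None:
        raise ValueError(f"{label} must be timezone-aware (log incident times in UTC)")


def add_months(t: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps to month end (31 Jan + 1 month -> 28/29 Feb)."""
    idx = t.month - 1 + months
    year, month = t.year + idx // 12, idx % 12 + 1
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class Schedule:
    nis2_early_warning: datetime                  # Art. 23(4)(a): 24 h after awareness
    nis2_incident_notification: datetime          # Art. 23(4)(b): 72 h after awareness
    nis2_final_report: Optional[datetime]         # Art. 23(4)(d): 1 month after the notification was filed
    gdpr_breach_notification: Optional[datetime]  # GDPR Art. 33(1): 72 h after awareness of the breach


def build_schedule(nis2_aware: datetime,
                   notification_submitted: Optional[datetime] = None,
                   gdpr_aware: Optional[datetime] = None) -> Schedule:
    """Derive each deadline from the moment that actually starts its clock.

    The final-report clock starts when the 72-hour notification is filed, not
    when the incident was discovered, so it stays unknown until that filing.
    The GDPR clock may start later than the NIS2 clock when exfiltration is
    only confirmed after the outage is detected.
    """
    _require_aware(nis2_aware, "nis2_aware")
    final = None
    if notification_submitted is not None:
        _require_aware(notification_submitted, "notification_submitted")
        final = add_months(notification_submitted, 1)
    gdpr = None
    if gdpr_aware is not None:
        _require_aware(gdpr_aware, "gdpr_aware")
        gdpr = gdpr_aware + timedelta(hours=72)
    return Schedule(
        nis2_early_warning=nis2_aware + timedelta(hours=24),
        nis2_incident_notification=nis2_aware + timedelta(hours=72),
        nis2_final_report=final,
        gdpr_breach_notification=gdpr,
    )


def missed_deadlines(s: Schedule, submitted: Dict[str, datetime], now: datetime) -> List[str]:
    """Obligations that were filed late, or are overdue and still unfiled, as of `now`."""
    _require_aware(now, "now")
    due = {
        "nis2_early_warning": s.nis2_early_warning,
        "nis2_incident_notification": s.nis2_incident_notification,
        "nis2_final_report": s.nis2_final_report,
        "gdpr_breach_notification": s.gdpr_breach_notification,
    }
    missed = []
    for name, deadline in due.items():
        if deadline is None:
            continue                      # this clock has not started yet
        filed = submitted.get(name)
        if filed is None and now > deadline:
            missed.append(name)           # overdue, nothing filed
        elif filed is not None and filed > deadline:
            missed.append(name)           # filed, but late
    return missed


if __name__ == "__main__":
    # Constructed EuroMed-style timeline (not a real incident), all in UTC.
    aware = utc(2025, 3, 10, 9)            # EHR encryption detected
    leak_confirmed = utc(2025, 3, 11, 8)   # exfiltration confirmed: GDPR clock starts
    notified = utc(2025, 3, 12, 15)        # 72-hour notification filed
    s = build_schedule(aware, notified, leak_confirmed)
    filed = {"nis2_early_warning": utc(2025, 3, 11, 11),   # 26 h after awareness: late
             "nis2_incident_notification": notified}
    print(s)
    print("missed:", missed_deadlines(s, filed, utc(2025, 3, 20)))
```

Two points the prose alone does not make obvious: the final-report deadline moves with the date on which the 72-hour notification was actually filed, so filing early buys no extra time for the final report, and a GDPR breach confirmed after the outage runs on its own later clock, which is easy to miss while the NIS2 clocks are being chased.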

9.3 Management accountability

  • NIS2 explicitly addresses management bodies (e.g., boards, executives) in Article 20:
    • They must approve the cybersecurity risk management measures, oversee their implementation, and follow training themselves (and offer it to employees) so that they can identify risks and assess the measures.
    • They can be held liable for infringements, and for essential entities the authorities may request a temporary prohibition of natural persons at CEO or legal-representative level from exercising managerial functions (Article 32(5)), subject to national transposition.

This marks a shift from seeing cybersecurity as a purely technical issue to a core governance and risk-management responsibility.

10. Flashcard Review: Core NIS2 Concepts

Use these flashcards to solidify key terms and relationships before the final reflective exercise.

NIS1 (Directive (EU) 2016/1148)
The EU’s first horizontal cybersecurity directive, adopted in 2016. Introduced obligations for operators of essential services (OES) and digital service providers (DSPs) but suffered from limited scope and fragmented implementation.
NIS2 (Directive (EU) 2022/2555)
The second-generation EU cybersecurity directive, in force since 2023. Expands scope, harmonises security and reporting obligations, introduces essential and important entities, and strengthens supervision and penalties.
Essential vs Important Entities
Categories under NIS2. Both face similar security and reporting obligations, but essential entities are subject to more proactive supervision, while important entities are typically supervised ex post.
Size-cap Rule
General rule under NIS2 (Article 2(1)) that entities in the listed sectors are in scope when they are medium-sized or larger under Recommendation 2003/361/EC: at least 50 employees, or annual turnover and annual balance sheet total both above €10m. Article 2(2) lists entity types that are in scope regardless of size (e.g., DNS service providers, TLD name registries, trust service providers, public electronic communications providers, central government) and covers other smaller but critical entities identified by Member States.
CER Directive
Directive (EU) 2022/2557 on the resilience of critical entities, focusing on physical resilience. Complementary to NIS2, which addresses cyber resilience.
DORA
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector. Acts as lex specialis to NIS2 for covered financial entities.
Lex Specialis
A legal principle where a more specific rule (e.g., DORA for financial entities) prevails over a more general rule (e.g., NIS2) in case of conflict within the same subject matter.
Supply-chain Security (under NIS2)
An explicit obligation for entities to manage cybersecurity risks in their supply chains and service provider relationships, reflecting lessons from large-scale supply-chain attacks.
Cooperation Group & CSIRTs Network
EU-level coordination bodies under NIS2. The Cooperation Group focuses on strategic and policy-level cooperation; the CSIRTs Network focuses on operational incident response coordination.
Management Accountability in NIS2
NIS2 requires management bodies to approve and oversee cybersecurity measures and allows national laws to impose personal liability for serious non-compliance.

11. Synthesis Exercise: Positioning NIS2 in the EU Cybersecurity Strategy

To consolidate your understanding, work through this structured reflection.

Part A – Explain the replacement of NIS1 in 4 sentences

Without looking back, write four precise sentences that:

  1. Identify two major limitations of NIS1.
  2. Link those limitations to two core design features of NIS2.

Example structure (fill with your own content):

> NIS1 failed to … This resulted in … NIS2 responds by … Additionally, NIS2 introduces …

Part B – Map NIS2 in the legal ecosystem

Draw (mentally or on paper) a simple diagram with NIS2 at the centre. Around it, place:

  • GDPR
  • EECC
  • CER Directive
  • DORA
  • Cybersecurity Act

For each arrow from NIS2 to another instrument, annotate:

  • "Overlaps in …" (e.g., incident reporting, security requirements).
  • "Lex specialis?" (Yes/No, and for whom).

Part C – Edge case challenge

Consider a medium-sized SaaS provider that:

  • Offers HR and payroll software to hospitals and banks in multiple Member States.
  • Stores and processes large volumes of employee personal data.

Questions:

  1. Under what conditions is this provider likely to fall under NIS2 scope? Note that generic SaaS is not one of the Annex II "digital providers" (those are online marketplaces, search engines and social networks); the likelier route is as a cloud computing service provider under Annex I, digital infrastructure, which makes a medium-sized provider an important entity and a large one an essential entity.
  2. How does its position in the supply chain change its risk management obligations under NIS2 compared with NIS1?
  3. What parallel obligations might it face under GDPR and, indirectly, via clients subject to DORA?

Write brief bullet-point answers. Compare them with official guidance from at least one Member State’s NIS2 transposition (where available) to see how theory translates into national practice.

Key Terms

DORA
Regulation (EU) 2022/2554 on digital operational resilience for the financial sector, acting as lex specialis to NIS2 for covered financial entities.
EECC
European Electronic Communications Code (Directive (EU) 2018/1972), governing electronic communications networks and services, including security aspects.
GDPR
General Data Protection Regulation (Regulation (EU) 2016/679), the EU’s main data protection framework.
NIS1
Directive (EU) 2016/1148 on security of network and information systems, the EU’s first horizontal cybersecurity law.
NIS2
Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union, replacing NIS1.
CSIRT
Computer Security Incident Response Team, a national or organisational team responsible for handling cybersecurity incidents.
CER Directive
Directive (EU) 2022/2557 on the resilience of critical entities, focusing on physical resilience and complementing NIS2’s cyber focus.
Lex Specialis
Legal principle where a more specific rule prevails over a more general one in case of overlap.
Size-cap Rule
NIS2’s general rule that medium and large entities are in scope, with exceptions for smaller entities deemed critical.
CSIRTs Network
EU network of national CSIRTs for operational cooperation and information sharing on incidents and threats.
Essential Entity
Under NIS2, principally a large entity in an Annex I sector, plus certain types regardless of size (qualified trust service providers, TLD name registries, DNS service providers, central government) and entities identified as critical under the CER Directive; subject to the full security and reporting obligations and to ex ante as well as ex post supervision.
Important Entity
Under NIS2, any other in-scope entity (medium-sized entities in Annex I sectors, and medium or large entities in Annex II sectors); subject to the same obligations as essential entities but supervised ex post only.
Cooperation Group
EU-level body under NIS2 that supports strategic cooperation and information exchange among Member States and the Commission.
EU Cybersecurity Act
Regulation (EU) 2019/881, which strengthens ENISA and establishes EU cybersecurity certification schemes.
Supply-chain Security
Management of cybersecurity risks arising from suppliers and service providers, explicitly required under NIS2.