EU seeks to bolster cybersecurity regulation with the introduction of NIS 2.0

On 16 December 2020, the EU released its proposed revisions to the existing Directive 2016/1148 on the security of network and information systems (NIS2).

The proposals, which were announced as a key component of the EU’s new Cybersecurity Strategy, are intended to build on and repeal the existing NIS framework. They involve a number of significant changes being made to the existing regime, including widening the scope of the law’s application to additional industry sectors, strengthening the existing rules on security requirements and incident reporting, while also increasing the maximum fines that can be applied.

NIS2 comes just over two years after the original NIS Directive 2016/1148 ("NIS1") was intended to take effect across EU Member States. It has been introduced in order to address various criticisms and issues identified with NIS1 and to reflect the increasingly widespread digitisation of the European economy, which has accelerated further during the COVID-19 pandemic.

Key changes to existing regime

While the underlying purpose of NIS2 remains the same, there are various notable changes that are being proposed which may substantially impact organisations in the future, including:

  • New sectors introduced

A number of additional industry sectors will fall within the scope of NIS2, as part of a new definition of ‘important entities’. These include digital providers (social networks, marketplaces and search engines), pharmaceutical companies, manufacturers of medical and electronic equipment and courier services.

  • Distinction between operators of essential services and digital service providers removed

The previous distinction between ‘operators of essential services’ and ‘digital service providers’ will be dispensed with and combined into a single category of ‘essential entities’ who will be subject to the most stringent standards of supervision. Relevant sectors that will fall within this category include financial services, energy, transport and digital infrastructure (e.g. cloud service providers and data centres).

  • 24 hour breach notification requirements

The obligation under NIS1 to notify security incidents without undue delay has been notably strengthened. Organisations that are considered either essential or important entities will now be required to provide an initial notification, to both the relevant authority and affected users, within 24 hours of becoming aware of a security incident which has a significant impact on the provision of the services being provided.

  • Enhanced risk management and security measures

Information security obligations have been bolstered through the introduction of specific requirements. Both essential and important entities will be expected to have in place various measures, such as risk analysis and information security policies, plans for incident response, business continuity and crisis management, as well as robust processes for managing cyber risks within the supply chain.

  • Governance by senior management

Senior management will take on additional responsibilities for approving the adequacy of the risk management and security measures referred to above. This will include both supervising the implementation of appropriate security standards and being accountable for non-compliance.

  • Enhanced supervision and enforcement

Member States will be required to provide their relevant competent authority with specific powers, including the right to issue fines of up to €10m or 2% of annual worldwide turnover (whichever is the highest) for the most serious infringements. Essential entities will be subject to proactive supervision (‘ex ante’) which shall include the potential for random inspections and security scans of an organisation’s systems for vulnerabilities. By comparison, important entities will only be subject to reactive enforcement ("ex post") if an infringement comes to the attention of competent authority. However, the same level of fines will apply and audits can be undertaken.

The introduction of NIS2 will occur in parallel to a new proposed directive concerning the resilience of critical entities in sectors such as energy and transport. This also forms part of the same package of measures announced as part of the EU’s new cybersecurity strategy. The directive will require Member States to identify critical entities that operate within their jurisdiction and imposes additional obligations on such entities which go beyond the scope of NIS2, such as undertaking appropriate technical and organisational measures to ensure the resilience of their operations.

Next steps

The NIS2 proposal will now be subject to negotiations between the Council of the EU and European Parliament. Following the publication of the final version, Member States will be given 18 months to transpose the Directive into national law.


Authored by Eduardo Ustaran and Dan Whitehead.


Eduardo Ustaran
Dan Whitehead


This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2022 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.