The updated NIS2 Directive focuses on enhancing the resilience of critical sectors across the EU by tightening cybersecurity requirements to ensure the security and continuity of essential services in the face of escalating digital threats.
The NIS2 Directive has a broadened scope that covers additional sectors and entities vital to the EU's economy and society. Organisations are classified according to factors such as size, sector and criticality. They fall into two categories: essential and important entities.
Highly critical sectors in scope are:
- Digital infrastructures (electronic communications, trust services, domain name services, top-level domain registries, cloud services, data centers, internet exchange points, content delivery networks);
- Energy (electricity, district heating, oil, gas and hydrogen);
- Transport (air, rail, water, road);
- Banking and Financial market infrastructures;
- Health (healthcare providers, EU reference labs, research and manufacturing of pharmaceuticals and medical devices);
- Drinking water and waste water;
- Public administrations;
- Space.
Other critical sectors in scope are:
- Postal and courier services;
- Waste management;
- Manufacture, production and distribution of chemicals;
- Manufacturing;
- Digital providers;
- Research.
Alongside the provisions of NIS2, new requirements have been introduced by other key horizontal and sector-specific legislation, such as the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA).
ENISA developed a NIS2 awareness campaign in an effort to further support organisations and authorities in adhering to the provisions of the NIS2 Directive. The purpose of this informative material and these resources is to educate businesses and competent authorities by providing a comprehensive overview of the Directive's requirements and illustrating how it affects them.