In 2016, the Network and Information Systems Directive, known as the NIS1 Directive (“NIS1”) or Directive 2016/1148, was published with the aim of achieving a high common level of security of network and information systems across the EU. It was enacted into Irish law in September 2018 (SI 360 of 2018) and remains in force.
The cybersecurity measures imposed on entities providing services and activities under NIS1 varied considerably between EU Member States in terms of how operators of essential services were identified, the types of requirements, the level of detail and the method of supervision. These differences created difficulties for entities operating across multiple Member States. Uneven implementation could also leave some Member States more vulnerable to cyber threats, which could lead to cascading effects across the EU.
The main objectives of the NIS2 Directive (“NIS2”), Directive 2022/2555, are to remove such variations across Member States and to enhance cybersecurity across the EU by setting out minimum rules for a coordinated regulatory framework, by setting out methods for cooperation between authorities in Member States, by updating the list of sectors and services in scope for cybersecurity obligations and by strengthening cybersecurity and resilience measures. The NIS2 Directive was published in the EU Official Journal in December 2022.
In terms of scope, NIS2 expands the sectors covered to reflect the increased digitalisation of services and the interconnectedness of society. The number of sectors of high criticality increases from 7 to 11 and the number of other critical sectors increases from 1 to 7.
NIS2 defines how entities within its scope are classified. The criteria for classifying entities are based primarily on the number of employees, revenue, and criticality. Entities are classified as Essential, Important, or Not in Scope based mainly on these criteria, with some sector-dependent exceptions. Entities will be subject to an expanded list of all-hazard cybersecurity risk management measures aimed at ensuring a high level of cybersecurity across the EU. Entities’ top management will be responsible for approving the cybersecurity risk management measures taken and for overseeing their implementation. Under NIS2, entities will also be subject to new incident reporting obligations.
Note: Incident reporting obligations for ECN/ECS providers under existing legislation are unaffected until such time as they are amended or repealed by the legislation transposing the NIS2 Directive.
For supervision, NIS2 sets out that Essential entities shall be subject to supervision on an ex-ante basis, while Important entities shall be subject to supervision on an ex-post basis.
For cooperation between Member States, NIS2 increases EU-level collaboration by promoting cooperation between Member States on topics such as technical guidance and the handling and management of incidents. NIS2 introduces a coordinated vulnerability disclosure process and database to ensure that vulnerabilities discovered by security researchers can be shared and addressed in a structured way before being made public. NIS2 will also require Member States to submit information from entities in certain sectors to an EU-wide registry, which will include information such as where the entities have their main establishment and where they provide services.
The NIS2 Quick Reference Guide created by the National Cyber Security Centre (NCSC) gives a useful overview of the NIS2 Directive.
Entities can use the NCSC Am I in Scope tool on the NCSC website to check whether they fall under the remit of the NIS2 Directive. For further information regarding entities in scope, please refer to the NCSC’s NIS2 FAQ.