DIRECTIVE (EU) 2022/2555: Measures for a High Common Level of Cybersecurity Across the Union

DIRECTIVE (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, also known as the NIS 2 Directive, is a pivotal legal instrument aimed at bolstering cybersecurity across the European Union. This directive supersedes Directive (EU) 2016/1148 (NIS Directive) and introduces updated measures to achieve a higher common level of cybersecurity throughout the member states, thereby improving the functioning of the internal market.

CHAPTER I: GENERAL PROVISIONS

This chapter outlines the foundational aspects of the NIS 2 Directive, setting the stage for its objectives, scope, and definitions.

Article 1: Subject Matter

The core objective of this Directive is to establish measures that ensure a high common level of cybersecurity within the Union, with a view to improving the functioning of the internal market. To achieve this, the Directive sets out several key provisions:

  • Obligations for Member States: Mandates the adoption of national cybersecurity strategies and the designation or establishment of competent authorities, cyber crisis management bodies, single points of contact for cybersecurity, and Computer Security Incident Response Teams (CSIRTs).
  • Cybersecurity Risk-Management and Reporting Obligations: Specifies risk management measures and reporting obligations for entities listed in Annex I or II, as well as those identified as critical under Directive (EU) 2022/2557.
  • Rules on Information Sharing: Establishes guidelines and obligations for cybersecurity information exchange among entities and member states.
  • Supervisory and Enforcement Obligations: Defines the supervisory and enforcement responsibilities of Member States to ensure compliance with the directive.

Article 2: Scope

The scope of the NIS 2 Directive is broad, encompassing a wide range of entities critical to the EU’s economy and society.

  1. General Application: The directive applies to both public and private entities listed in Annex I or II that qualify as medium-sized enterprises or larger, as defined by Recommendation 2003/361/EC. These entities must provide services or conduct activities within the Union to fall under this directive.
  2. Specific Entities Regardless of Size: Certain types of entities are included regardless of their size due to their critical nature:
    • Providers of public electronic communications networks or publicly available electronic communications services.
    • Trust service providers.
    • Top-level domain name registries and domain name system (DNS) service providers.
    • Entities that are sole providers of essential services in a Member State.
    • Entities whose service disruption could significantly impact public safety, security, or health, or induce systemic risks, especially those with cross-border impacts.
    • Entities critical at national or regional levels due to their sector or service type, or for interdependent sectors.
    • Public administration entities of central government and certain regional-level entities.
  3. Critical Entities Under Directive (EU) 2022/2557: Entities identified as critical under Directive (EU) 2022/2557 are also included, irrespective of their size.
  4. Domain Name Registration Services: Entities providing domain name registration services are also covered, regardless of size.
  5. Optional Application by Member States: Member States have the option to extend the directive’s application to:
    • Public administration entities at the local level.
    • Education institutions, particularly those involved in critical research.
  6. National Security and State Functions: The directive respects Member States’ responsibilities for national security and safeguarding essential state functions.
  7. Exclusions: It does not apply to public administration entities operating in national security, public security, defense, or law enforcement areas, including criminal offense prevention, investigation, detection, and prosecution.
  8. Exemptions: Member States may exempt specific entities involved in national security, defense, or law enforcement, or those providing services exclusively to public administration entities in paragraph 7, from certain obligations (Articles 21 or 23). Supervisory and enforcement measures will not apply to these exempted activities or services. In cases where entities exclusively carry out these exempted activities, Member States may also exempt them from Articles 3 and 27.
  9. Trust Service Providers Exception: Paragraphs 7 and 8 do not apply when an entity acts as a trust service provider.
  10. Financial Sector Exclusions: The directive does not apply to entities exempted from Regulation (EU) 2022/2554 (Digital Operational Resilience Act – DORA) as per its Article 2(4).
  11. National Security Information: The directive does not require the disclosure of information that would contravene essential national security, public security, or defense interests.
  12. Relationship with Other EU Legislation: This directive operates without prejudice to other EU regulations and directives, including GDPR (Regulation (EU) 2016/679), ePrivacy Directive (2002/58/EC), Directives 2011/93/EU and 2013/40/EU, and Directive (EU) 2022/2557 (Critical Entities Resilience Directive – CER).
  13. Confidential Information Exchange: Confidential information, such as business secrets, can be exchanged with the Commission and relevant authorities only when necessary for the directive’s application, ensuring confidentiality and protection of commercial interests.
  14. Personal Data Processing: Processing of personal data must be conducted in accordance with GDPR, relying on Article 6 thereof, and for providers of public electronic communications networks or services, in accordance with Union data protection and privacy law, particularly Directive 2002/58/EC.

Article 3: Essential and Important Entities

This article categorizes entities under the directive into essential and important, based on their criticality and size.

  1. Essential Entities: These include:
    • Entities from Annex I exceeding medium-sized enterprise ceilings.
    • Qualified trust service providers, top-level domain name registries, and DNS service providers, regardless of size.
    • Providers of public electronic communications networks or services that are medium-sized enterprises.
    • Public administration entities of central government (Article 2(2)(f)(i)).
    • Other Annex I or II entities identified by Member States as essential (Article 2(2)(b) to (e)).
    • Entities identified as critical under Directive (EU) 2022/2557 (Article 2(3)).
    • Entities identified as operators of essential services under the previous NIS Directive (EU) 2016/1148 or national law, if Member States choose to include them.
  2. Important Entities: Entities in Annex I or II that do not qualify as essential are considered important entities, including those identified by Member States under Article 2(2)(b) to (e).
  3. List of Entities: By April 17, 2025, Member States must establish a list of essential and important entities, including domain name registration service providers. This list must be regularly reviewed and updated at least every two years.
  4. Information Submission: To compile the list, Member States will require entities to submit:
    • Name of the entity.
    • Address and contact details (email, IP ranges, phone numbers).
    • Relevant sector and subsector from Annex I or II.
    • Member States where services are provided within the directive’s scope.
      Entities must promptly notify any changes to this information within two weeks. The Commission, with ENISA’s assistance, will provide guidelines and templates for these obligations. Member States may also set up national registration mechanisms.
  5. Notification to Commission and Cooperation Group: By April 17, 2025, and biennially, competent authorities will notify:
    • The Commission and Cooperation Group of the number of essential and important entities listed per sector and subsector in Annex I or II.
    • The Commission with details on entities identified under Article 2(2)(b) to (e), including sector, subsector, service type, and the specific provision under which they were identified.
  6. Optional Early Notification: Until April 17, 2025, Member States may, upon Commission request, notify the names of essential and important entities.

Article 4: Sector-Specific Union Legal Acts

This article addresses the interaction between the NIS 2 Directive and other sector-specific EU legal acts concerning cybersecurity.

  1. Equivalence and Precedence: Where sector-specific EU laws require essential or important entities to adopt cybersecurity risk management or incident notification measures that are at least equivalent to those in the NIS 2 Directive, the relevant provisions of the NIS 2 Directive, including supervision and enforcement (Chapter VII), will not apply to these entities. If sector-specific laws do not cover all entities in a sector within the NIS 2 Directive’s scope, the NIS 2 Directive will continue to apply to those not covered.
  2. Criteria for Equivalence: Requirements are considered equivalent if:
    • Cybersecurity risk management measures are at least equivalent to those in Article 21(1) and (2) of the NIS 2 Directive.
    • Sector-specific laws provide immediate, and where possible, automatic and direct access to incident notifications for CSIRTs, competent authorities, or single points of contact under the NIS 2 Directive, and incident notification requirements are at least equivalent to Article 23(1) to (6) of the NIS 2 Directive.
  3. Commission Guidelines: The Commission will provide guidelines by July 17, 2023, to clarify the application of paragraphs 1 and 2, taking into account input from the Cooperation Group and ENISA, and will review these guidelines regularly.

Article 5: Minimum Harmonisation

The NIS 2 Directive sets a minimum level of harmonization. Member States are allowed to adopt or maintain stricter cybersecurity provisions, provided they are consistent with EU law.

Article 6: Definitions

This article provides definitions for key terms used throughout the Directive to ensure clarity and consistent interpretation. Some key definitions include:

  • Network and Information System: Encompasses electronic communications networks, devices processing digital data, and digital data stored, processed, or transmitted for operation, use, protection, and maintenance.
  • Security of Network and Information Systems: The ability of network and information systems to resist, at a given level of confidence, any event that may compromise the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or of the related services offered by or accessible via those systems.
  • Cybersecurity: Defined as per Regulation (EU) 2019/881 (Cybersecurity Act).
  • National Cybersecurity Strategy: A coherent framework of strategic objectives, priorities, and governance for cybersecurity in a Member State.
  • Incident: An event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data, or of the services offered by or accessible via network and information systems.
  • Large-Scale Cybersecurity Incident: An incident exceeding a Member State’s response capacity or significantly impacting at least two Member States.
  • Cyber Threat: As defined in Regulation (EU) 2019/881.
  • ICT Product, ICT Service, ICT Process: As defined in Regulation (EU) 2019/881.
  • Vulnerability: A weakness, susceptibility, or flaw in ICT products or ICT services that can be exploited by a cyber threat.
  • Standard and Technical Specification: As defined in Regulation (EU) No 1025/2012.
  • Domain Name System (DNS): A hierarchical naming system identifying internet services and resources.
  • DNS Service Provider: Entities providing recursive or authoritative domain name resolution services.
  • Top-Level Domain Name Registry (TLD Name Registry): Entities responsible for administering specific TLDs.
  • Entity Providing Domain Name Registration Services: Registrars or agents acting on their behalf.
  • Digital Service: As defined in Directive (EU) 2015/1535.
  • Trust Service and Trust Service Provider: As defined in Regulation (EU) No 910/2014 (eIDAS Regulation).
  • Cloud Computing Service, Data Centre Service, Content Delivery Network, Social Networking Services Platform, Online Marketplace, Online Search Engine: Each of these digital services is given its own definition in this article.
  • Representative: A designated natural or legal person in the Union to act on behalf of certain non-EU entities.
  • Public Administration Entity: Defined by criteria including public interest purpose, legal personality, public funding or supervision, and power to make administrative decisions.
  • Public Electronic Communications Network and Electronic Communications Service: As defined in Directive (EU) 2018/1972 (European Electronic Communications Code).
  • Entity: A natural or legal person recognized under national law, capable of exercising rights and obligations.
  • Managed Service Provider and Managed Security Service Provider: Entities providing ICT services or cybersecurity risk management services.
  • Research Organisation: Entities primarily focused on applied research or experimental development for commercial purposes, excluding educational institutions.

This detailed overview of Chapter I of the NIS 2 Directive provides a foundational understanding of its scope, objectives, and key definitions, setting the stage for the subsequent chapters that detail the operational and cooperative frameworks for cybersecurity across the European Union.
