NIS 2 Directive

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)

Under Article 6 of the NIS2 Directive, 'cybersecurity' has the meaning given in Article 2, point (1), of Regulation (EU) 2019/881 (the Cybersecurity Act): the activities necessary to protect network and information systems, the users of such systems, and other persons affected by cyber threats.

The final text of the NIS2 Directive, formally known as Directive (EU) 2022/2555, is structured to provide a comprehensive legal framework aimed at enhancing cybersecurity across the European Union. The directive is divided into several key sections, each addressing different aspects of cybersecurity to ensure a high common level of protection across member states.

Structure and Key Sections

  1. Essential and Important Entities: Two categories of entity are subject to the NIS2 rules, essential entities and important entities. The classification depends on the sector in which the entity operates (Annex I lists sectors of high criticality, Annex II other critical sectors) and on the entity's size, with essential entities subject to stricter supervision and higher maximum fines.
  2. National cybersecurity authorities: NIS2 requires member states to adopt national cybersecurity strategies and establishes the roles of competent authorities, including the designation of cybersecurity crisis management authorities and computer security incident response teams (CSIRTs).
  3. Cybersecurity Risk Management and Reporting: All entities covered by the directive must implement risk management measures that are proportionate to the risk they face. These include regular assessment of cybersecurity risks, the implementation of appropriate technical, operational and organisational security measures, and incident reporting obligations for significant incidents (an early warning within 24 hours, an incident notification within 72 hours and a final report within one month of the notification). Member states must also adopt a coordinated vulnerability disclosure (CVD) policy, with a designated CSIRT acting as coordinator between the reporting party and the vendor.
  4. Supply chain: The directive also emphasises supply chain security, including the security of relationships with direct suppliers and service providers, recognising that a vulnerability in one part of the supply chain can have widespread impact.
  5. Supervision and Enforcement: The directive details the supervisory and enforcement mechanisms that member states must establish to ensure compliance. These include the powers of competent authorities to conduct audits, issue binding instructions, impose administrative fines and enforce the directive's provisions. The directive also introduces peer reviews among member states to strengthen collaboration and ensure consistent application across the EU.

Definitions used above (Article 6 of the NIS2 Directive):
  - incident: an event compromising the availability, authenticity, integrity or confidentiality of stored, transmitted or processed data or of the services offered by, or accessible via, network and information systems.
  - risk: the potential for loss or disruption caused by an incident, expressed as a combination of the magnitude of such loss or disruption and the likelihood of occurrence of the incident.
  - vulnerability: a weakness, susceptibility or flaw of ICT products or ICT services that can be exploited by a cyber threat.

The NIS2 Directive significantly broadens the scope of its predecessor, NIS1, by covering more sectors and introducing stricter cybersecurity requirements. It aims to create a more harmonized approach to cybersecurity across the EU, reducing fragmentation and ensuring that critical infrastructure and essential services are better protected against cyber threats.
