NIS2 - Network and Information Security Directive
The EU's updated cybersecurity directive requiring essential and important entities to implement risk management measures, with direct implications for AI system security.
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s updated cybersecurity legislation, replacing the original NIS Directive from 2016. It entered into force in January 2023, and member states were required to transpose it into national law by October 2024. NIS2 significantly expands the scope of entities covered, strengthens security requirements, and introduces stricter enforcement, including personal liability for management.
Scope and Covered Entities
NIS2 divides organizations into two categories: essential entities (energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, research). The directive applies to medium and large organizations in these sectors, but member states can extend coverage to smaller entities deemed critical.
Key Requirements
Organizations must implement risk management measures covering incident handling, business continuity, supply chain security, network security, vulnerability disclosure, encryption, access control, and multi-factor authentication. Significant incidents must be reported to national authorities in stages: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month.
Relevance to AI
AI systems deployed in critical infrastructure sectors fall under NIS2’s cybersecurity requirements. This means AI components in energy grids, healthcare systems, financial platforms, and transport networks must meet the same security standards as other ICT systems. Supply chain security provisions also apply to AI model providers and cloud AI services used by covered entities.
Enforcement
Maximum fines reach 10 million euros or 2% of global turnover for essential entities, and 7 million euros or 1.4% of turnover for important entities. Critically, NIS2 introduces personal accountability for senior management, who can be held liable for non-compliance.
Sources
- European Parliament and Council. (2022). Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union, L 333/80. (The directive itself; all obligations derive from this primary source.)
- European Union Agency for Cybersecurity (ENISA). (2023). ENISA threat landscape 2023. ENISA. (Annual threat intelligence informing NIS2 risk management requirements.)
- European Commission. (2022). Proposal for NIS2: Impact Assessment. SWD(2020) 345 final. (Legislative history and rationale for scope expansion and strengthened enforcement.)