EU Adopts Enhanced Legal Framework to Provide for High Common Level of Cybersecurity

The Council of the European Union ("EU") adopted a new Directive to strengthen cybersecurity and resilience across the Union.

Following the European Parliament's approval on November 10, 2022, the Council of the European Union announced on November 28, 2022, that it adopted the new Directive (EU) 2022/0383 on measures for a high common level of cybersecurity across the Union ("NIS 2"), repealing Directive (EU) 2016/1148. 

Aim and Scope

Based on the experience to date with Directive (EU) 2016/1148, NIS 2 aims at further harmonizing cybersecurity requirements and their implementation across the EU. It extends the scope of both the sectors and entities covered by the former Directive to include: (i) medium-sized and large "essential and important" entities operating in new sectors, including public electronic communications networks or services, social networking services platforms and data centers, space, public administration and manufacture of critical products, such as pharmaceuticals, medical devices, or chemicals; as well as (ii) certain critical "essential and important" entities, irrespective of their size.

Three-Stage Incident Reporting and Risk Management

NIS 2 foresees more stringent reporting obligations, the most important of which is a three-stage incident reporting process. NIS 2 furthermore obliges the responsible entities to implement cybersecurity risk management measures and sets minimum measures to be adopted internally and in the supply chain.

To strengthen compliance with security governance, NIS 2 assigns the management bodies of the responsible entities approval and supervisory responsibilities for cybersecurity risk management and establishes management liability for violations of NIS 2.

Moreover, to address compliance and incident management, NIS 2 introduces stricter enforcement requirements. Administrative fines, applicable to specific breaches, may be imposed in the amount of up to 10 million EUR or 2% of the total worldwide annual turnover, whichever is higher, for essential entities, and up to 7 million EUR or 1.4% for important entities.

European Cyber Crises Liaison Organization Network

NIS 2 also establishes the European Cyber Crises Liaison Organization Network ("EU-CyCLONe"), which will support the coordinated management of large-scale cybersecurity incidents and lay down mechanisms for effective cooperation among relevant authorities in each Member State.

Next Steps

NIS 2 will enter into force on the 20th day following its publication in the Official Journal of the EU. From this date, Member States will have 21 months to implement NIS 2 provisions into national law. 

Insights by Jones Day should not be construed as legal advice on any specific facts or circumstances. The contents are intended for general information purposes only and may not be quoted or referred to in any other publication or proceeding without the prior written consent of the Firm, to be given or withheld at our discretion. To request permission to reprint or reuse any of our Insights, please use our “Contact Us” form, which can be found on our website. This Insight is not intended to create, and neither publication nor receipt of it constitutes, an attorney-client relationship. The views set forth herein are the personal views of the authors and do not necessarily reflect those of the Firm.