NIS2 — Directive (EU) 2022/2555¶
The NIS2 (Network and Information Security 2), Directive (EU) 2022/2555, is the new horizontal Union framework for ensuring a high common level of cybersecurity across the EU. It repeals and expands the first NIS Directive (Dir. (EU) 2016/1148, transposed in Italy by Legislative Decree 65/2018) by introducing a harmonised framework for two categories of entities — essential and important — operating across 18 critical sectors. The directive imposes cybersecurity risk-management measures, significant-incident reporting obligations, and a regime of supervision, enforcement and cross-border cooperation. Transposed in Italy by Legislative Decree 138 of 4 September 2024.
Identifiers¶
| Title | Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) |
| CELEX | 32022L2555 |
| OJ EU | L 333 of 27.12.2022, p. 80 |
| Adoption date | 14 December 2022 |
| Entry into force | 16 January 2023 |
| Transposition deadline | 17 October 2024 |
| Italian transposition | Legislative Decree 138 of 4 September 2024 |
| Rectifications | C1 (OJ L 112, 27.4.2023); C2 (OJ L 90206, 22.12.2023); C3 (OJ L 90309, 4.4.2025) — not incorporated into the text published here |
Structure¶
- 9 chapters (I–IX) covering a total of 46 articles
- 144 recitals
- 3 annexes:
- I — Sectors of high criticality (11 sectors): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management B2B, public administration, space
- II — Other critical sectors (7 sectors): postal and courier services, waste management, manufacture/production and distribution of chemicals, production/processing and distribution of food, manufacturing, digital providers, research
- III — Correlation table with Dir. (EU) 2016/1148 (NIS1)
Scope of application¶
NIS2 introduces two unified categories of in-scope entities (Article 3):
- essential entities (Article 3(1)): entities of a type listed in Annex I that exceed the ceilings for medium-sized enterprises (i.e. large entities), plus categories the directive names regardless of size (qualified trust service providers, top-level domain name registries, DNS service providers), providers of public electronic communications networks or publicly available electronic communications services that are at least medium-sized, central government public administration entities, entities identified as critical under Directive (EU) 2022/2557 (CER), and entities a Member State designates under Article 2(2)(b)–(e);
- important entities (Article 3(2)): medium-sized and large entities of a type listed in Annex I or Annex II that do not qualify as essential entities.
Identification is based on a combination of size (medium and large enterprises within the meaning of Recommendation 2003/361/EC) and sector (Annexes I and II). Microenterprises and small enterprises are generally excluded, save where the nature of the service makes the directive nonetheless applicable (Article 2(2)–(5)).
Excluded from the scope (Article 2(7)–(11)):
- public administration entities that carry out their activities in the areas of national security, public security, defence or law enforcement (Article 2(7)); Member States may extend the exemption to other specific entities active in those areas (Article 2(8)); the exemption does not apply where such an entity acts as a trust service provider (Article 2(9));
- entities that Member States have exempted from DORA (Regulation (EU) 2022/2554) under Article 2(4) of that Regulation (Article 2(10)); for the financial entities that DORA does cover, DORA applies as lex specialis under Article 4 NIS2;
- entities covered by sector-specific Union acts whose requirements are at least equivalent in effect (Article 4).
Essential and important entities are subject to the substantive obligations of Chapter IV: cybersecurity risk-management measures (Article 21), significant-incident reporting (Article 23), use of European cybersecurity certification schemes (Reg. (EU) 2019/881, Article 24), standardisation (Article 25), inclusion in the national list of entities (Article 3(3)–(4)) and, for DNS, TLD, cloud, data centre, CDN, managed (security) service providers and digital providers, in the registry kept by ENISA (Article 27). The directive also imposes governance obligations on management bodies (Article 20): they must approve the Article 21 measures, oversee their implementation and can be held liable for infringements, and their members must follow cybersecurity training.
Septuple cross-references with the AI Act, GDPR, Data Act, DGA, PLD, DSA and CRA¶
NIS2 interacts with seven EU acts published on this site: the AI Act (for AI systems used by essential entities and for the cybersecurity of high-risk AI systems), the GDPR (for the dual notification of incidents involving personal data), the Data Act (for data sharing for cyber risk-management purposes), the DGA (for data intermediation service providers as potential NIS2 entities), the PLD (for the liability of software used by essential entities), the DSA (for the overlap between VLOPs/VLOSEs and essential entities) and the CRA (horizontal pairing: products vs entities).
NIS2 ↔ AI Act axis (AI systems in essential entities and risk management)¶
| NIS2 | AI Act | Nature of the intersection |
|---|---|---|
| Art. 21(2) (risk-management measures) | AI Act, art. 15 (accuracy, robustness and cybersecurity of high-risk AI systems) | Technical convergence: an essential entity deploying a high-risk AI system must secure both the entity's network and information systems (NIS2) and the AI system itself (AI Act, a duty on the provider); the AI system runs on systems that fall under the entity's Article 21 measures |
| Art. 23 (significant-incident reporting) | AI Act, art. 73 (serious-incident reporting by providers); art. 79 (AI systems presenting a risk) | Parallel notifications with different addressees: the entity notifies the significant incident to the CSIRT or competent authority (NIS2), while the provider of the high-risk AI system reports a serious incident to the market surveillance authority (AI Act); a deployer that is a NIS2 entity must also inform the provider |
| Art. 6(20), (21) (definitions 'DNS service provider', 'TLD name registry'); Annex I, point 8 (digital infrastructure) | AI Act, Annex III, point 1 (biometric AI systems); point 6 (law enforcement) | Digital infrastructure and cloud providers are NIS2 essential entities and frequently deployers of high-risk AI systems: dual conformity |
| Art. 24 (use of European cybersecurity certification schemes) | AI Act, art. 42(2) (presumption of conformity with art. 15 cybersecurity requirements for systems certified under a Reg. (EU) 2019/881 scheme) | Common certification schemes: Reg. (EU) 2019/881 (Cybersecurity Act) serves as a shared framework |
| Chapter VII — arts. 31-37 (supervision and enforcement) | AI Act, Chapter VII (governance); Chapter IX (post-market monitoring) | Authority coordination: NIS2 competent authorities and AI Act market surveillance authorities cooperate on AI systems deployed in essential entities |
NIS2 ↔ GDPR axis (dual notification for personal-data incidents)¶
| NIS2 | GDPR | Nature of the intersection |
|---|---|---|
| Art. 2(14); recital 14 | All of the GDPR | Without prejudice clause: NIS2 applies without prejudice to the GDPR, which prevails in case of conflict; personal data processed to meet NIS2 obligations must itself be processed lawfully under the GDPR (recital 121 points to Article 6(1)(c) and (f) GDPR as the relevant lawful bases) |
| No own definition of 'personal data' (art. 2(14) refers to the GDPR) | GDPR, art. 4(1) | Definitional cross-reference by reference rather than restatement |
| Art. 23 (significant-incident reporting to the CSIRT or, where applicable, the competent authority); art. 35(1) | GDPR, arts. 33, 34 (data breach notification to the supervisory authority and communication to the data subject) | Dual notification with two clocks: the same incident affecting an essential entity and involving personal data may trigger both obligations. NIS2 art. 23(4) requires an early warning within 24 hours of becoming aware of the significant incident, an incident notification within 72 hours and a final report within one month of that notification; GDPR art. 33 requires notification to the supervisory authority within 72 hours of becoming aware of the breach. The 72-hour deadlines run in parallel, but the NIS2 early warning falls due first. Under art. 35(1) a NIS2 competent authority that learns of a personal data breach must inform the data protection supervisory authorities; NIS2 recital 105 calls for coordination and information exchange between authorities |
| Art. 21(2)(a)–(j) (risk-management measures) | GDPR, art. 32 (security of processing); art. 25 (data protection by design) | Substantive convergence: NIS2 measures (risk analysis policies, incident handling, supply-chain security, cryptography and encryption, MFA, etc.) coincide largely with GDPR technical and organisational measures. NIS2 compliance contributes to, but does not replace, GDPR compliance |
| Art. 30 (cybersecurity information-sharing arrangements); art. 35 (infringements entailing a personal data breach) | GDPR, Chapter VI (supervisory authorities); art. 60 (cooperation between supervisory authorities) | Formalised cooperation: NIS2 competent authorities cooperate with DPAs for incidents falling within both regimes |
| Art. 34 (administrative fines); art. 35(2); recital 105 | GDPR, art. 58(2)(i); art. 83 | The two sanction regimes are autonomous but not freely cumulative: where a data protection supervisory authority has imposed a GDPR administrative fine for conduct that also infringes NIS2, the NIS2 competent authority may not impose an administrative fine under art. 34 for that same conduct (art. 35(2)); other supervisory and enforcement measures under arts. 32 and 33 remain available |
NIS2 ↔ Data Act axis (data sharing for risk management)¶
| NIS2 | Data Act | Nature of the intersection |
|---|---|---|
| Art. 30 (cooperation and operational information exchange) | Data Act, Chapter V — arts. 14-22 (B2G in exceptional needs) | Parallel exchange models: NIS2 organises information sharing on security (including cyber threat intelligence) between entities and authorities; the Data Act enables access to private-sector data for exceptional public needs, including cyber crisis situations |
| Art. 21(2)(d) (supply-chain security); art. 22 (coordinated risk assessment) | Data Act, Chapter VI — arts. 23-31 (cloud switching) | NIS2 essential entities relying on cloud services (third-party risk management) benefit from Data Act guarantees of portability and interoperability that enhance operational resilience |
| Annex I, point 8 (cloud and data centre providers) | Data Act, art. 2, points (6) ('related service') and (8) ('data processing service') | Cloud providers are NIS2 essential entities and typically providers of data processing services subject to the Data Act cloud switching regime |
| Art. 24 (use of EU certification schemes) | Data Act, art. 33(11) (interoperability and standards) | Coordinated standardisation: NIS2 may impose certifications; the Data Act promotes interoperability standards — the two reinforce each other |
NIS2 ↔ DGA axis (data intermediation services as in-scope entities)¶
| NIS2 | DGA | Nature of the intersection |
|---|---|---|
| Annex I, point 8 (digital infrastructure); Annex II, point 6 (digital service providers) | DGA, art. 2(11) ('data intermediation service'); art. 11 (notification) | DGA data intermediation service providers may qualify as essential or important entities under NIS2, particularly when they operate as cloud providers, online marketplaces or social network platforms |
| Art. 21 (risk-management measures) | DGA, art. 12 (conditions for data intermediation services, points (h), (m) — security) | Technical convergence: DGA security requirements for intermediation services flow into NIS2 technical measures (encryption, authentication, access control) |
| Art. 23 (incident reporting) | DGA, art. 11(3) (legal representative for providers not established in the Union); art. 12(m) (notification of security breaches) | Distinct notifications: NIS2 to the CSIRT or competent authority, DGA to the competent authority for data intermediation services and to the affected data holders and data users |
| Chapter VI — arts. 29-30 (information sharing) | DGA, Chapter VI — arts. 29-30 (EDIB) | Parallel cooperation models: NIS2 organises information sharing on security between entities, the DGA establishes the EDIB for data governance |
NIS2 ↔ PLD axis (liability for software used by essential entities)¶
| NIS2 | PLD | Nature of the intersection |
|---|---|---|
| Art. 21 (risk-management measures); art. 23 (incident reporting) | PLD, art. 4(1) ('product' includes software); art. 7 (defectiveness); art. 10 (presumption of defectiveness) | Software used by NIS2 essential entities is a 'product' under the PLD: where a cyber incident traces back to a defect in that software, a natural person who suffers damage (death, personal injury, damage to non-professional property, destruction or corruption of non-professional data, art. 6) may claim against the manufacturer under the PLD. The entity's own losses are not PLD damage and remain a matter of contract |
| Art. 21(2)(d) (supply-chain security); recitals 85, 90 | PLD, recital 32; art. 7(2)(e), (f); art. 11(2) | PLD–NIS2 chain: a manufacturer that keeps a product under its control after placing it on the market and fails to supply the security updates needed to keep it safe cannot rely on the 'defect did not exist at the time of placing on the market' defence (art. 11(2)); the NIS2 entity, for its part, must manage that supplier risk under art. 21(2)(d) and cannot shift its own compliance duty onto the supplier |
| Art. 21(2)(h) (cryptography and encryption); art. 21(2)(j) (MFA, secured communications) | PLD, art. 7(2)(f) (safety-relevant cybersecurity requirements as an element of non-defectiveness) | Shared security standards: NIS2 entity-side measures and PLD product non-defectiveness requirements converge on the same technical standards |
NIS2 ↔ DSA axis (VLOPs/VLOSEs as essential entities)¶
| NIS2 | DSA | Nature of the intersection |
|---|---|---|
| Annex I, point 8 (digital infrastructure); Annex II, point 6 (digital providers: online marketplaces, online search engines, social networking services platforms) | DSA, art. 33 (designation of VLOPs/VLOSEs) | Structural overlap: VLOPs/VLOSEs designated under the DSA are digital providers under NIS2 Annex II and, being large, qualify at least as important entities (essential only where Article 3(1) or a Member State designation under Article 2(2) applies) |
| Art. 21 (risk-management measures) | DSA, art. 34 (systemic risk assessment); art. 35 (mitigation) | Cumulation of assessments: a VLOP subject to NIS2 must perform both the NIS2 cyber risk assessment and the DSA systemic risk assessment (broader: includes content, fundamental rights and democratic-process risks); the two integrate |
| Art. 23 (significant-incident reporting to the CSIRT or competent authority) | DSA, art. 18 (notification of suspicions of criminal offences); art. 42 (transparency reporting for VLOPs/VLOSEs) | Distinct notifications: NIS2 to the CSIRT or competent authority for significant incidents; under the DSA, suspicions of an offence involving a threat to life or safety go to law enforcement or judicial authorities (art. 18) and systemic-risk information is published in transparency reports (art. 42) |
| Art. 8 (competent authorities and single points of contact); Chapter VII, art. 37 (mutual assistance) | DSA, Chapter IV, arts. 49-51 (Digital Services Coordinators) | Authority cooperation: NIS2 competent authorities, Digital Services Coordinators (DSCs) and the Commission operate in coordination on dossiers concerning VLOPs |
NIS2 ↔ CRA axis (entities vs products — horizontal pairing)¶
NIS2 and the CRA are the two horizontal pillars of EU cybersecurity. NIS2 disciplines entities (risk management, incident reporting, supervision); the CRA disciplines products (cybersecurity by design across the lifecycle). The two regimes are complementary and operate cumulatively: NIS2 entities procure CRA products to build their own security posture.
| NIS2 | CRA | Nature of the intersection |
|---|---|---|
| Recital 49; entire framework | All of the CRA, in particular art. 1 | Structural pairing: NIS2 ensures that entities operating in critical sectors have adequate risk-management measures; the CRA ensures that the products they use are secure by design. Together they realise the EU cybersecurity baseline |
| Art. 23 (significant-incident reporting to the CSIRT) | CRA, art. 14 (notification of exploited vulnerabilities and severe incidents via the Single Reporting Platform) | Complementary notifications: the NIS2 entity hit by the incident notifies the CSIRT; the manufacturer of the compromised product notifies via the CRA. CRA recital 76 provides for coordination to avoid duplication |
| Art. 21 (risk-management measures); art. 21(2)(d) (supply-chain security) | CRA, art. 13(8) (support period and security updates) | Trust chain: NIS2 entities depend on CRA security updates to maintain their security posture; NIS2 obliges the entity to patch management coherent with the manufacturer's support period |
| Annex I, Annex II (sectors) | CRA, Annex III, class II; Annex IV (important and critical products) | Alignment between CRA critical product categories and NIS2 critical sectors: CRA important/critical products are typically those used in NIS2 sectors |
| Art. 24 (use of European cybersecurity certification schemes) | CRA, Chapter IV — arts. 33-46 (notification of conformity assessment bodies) | Common certification schemes: CRA conformity assessment procedures may rely on European certification schemes (Reg. (EU) 2019/881) that NIS2 may impose on essential entities |
| Art. 30 (information sharing) | CRA, recital 76 | Operational cooperation: CRA market surveillance authorities cooperate with NIS2 CSIRTs and competent authorities for sharing information on vulnerabilities and incidents |
Septet of definitions¶
Seven key concepts run simultaneously across NIS2 and the other seven acts, with NIS2 introducing its own technical vocabulary (essential/important entity, significant incident, near miss, cyber threat):
| Concept | NIS2 | AI Act | GDPR | Data Act | DGA | PLD | DSA | CRA |
|---|---|---|---|---|---|---|---|---|
| Entity / provider | art. 6(38) (entity); art. 3 (essential/important) | art. 3(3), (4) (provider, deployer) | art. 4(7), (8) (controller/processor) | art. 2(13), (14) (data holder/recipient) | art. 2(11) (data intermediation service) | art. 4(10) (manufacturer) | art. 3(g) (intermediary service) | art. 3(12) (manufacturer) |
| Personal data | (no own definition; processing under the Directive follows the GDPR, art. 2(14)) | art. 3(50) | art. 4(1) | art. 2(3) | art. 2(3) | (no own definition; art. 6(1)(c) covers destruction or corruption of non-professional data) | (implicit GDPR cross-reference) | recital 17 (GDPR cross-reference) |
| Incident / breach | art. 6(5) (near miss), (6) (incident), (7) (large-scale cybersecurity incident); art. 23 | art. 3(49) (serious incident) | art. 4(12); art. 33 | n/a | n/a | n/a | art. 18 (suspicion of criminal offence) | art. 3(41) |
| Vulnerability | art. 6(15) | n/a | n/a | n/a | n/a | (substantive cross-reference) | n/a | art. 3(42) |
| Cyber threat | art. 6(10) | (referenced in several chapters) | (relevant for risk) | n/a | n/a | n/a | (relevant for systemic risk) | (presupposed) |
| Cybersecurity / security by design | art. 6(3); art. 21 | art. 15 | art. 32 | (relevant) | n/a | (substantive cross-reference) | n/a | Annex I; art. 13 |
| Notification / reporting | art. 23 | art. 73 | arts. 33, 34 | n/a | n/a | n/a | art. 18 | art. 14 |
Italian transposition (Legislative Decree 138/2024)¶
Italy transposed NIS2 by Legislative Decree 138 of 4 September 2024, in force since 16 October 2024. The National Cybersecurity Agency (ACN) is designated as the national NIS competent authority and single point of contact; the CSIRT Italia, operating within the ACN, is designated as the national CSIRT.
The decree establishes registration procedures for essential and important entities, deadlines for progressive compliance with risk-management measures, the supervision and enforcement regime, and the sanctions framework (administrative fines up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities; up to EUR 7 million or 1.4%, whichever is higher, for important entities, mirroring Article 34(4)–(5) NIS2). The ACN has subsequently issued resolutions and operational guidelines for registration and compliance.
Amendments and rectifications¶
NIS2 has received three editorial corrigenda, not incorporated into the text published here (the source is the original version of 14.12.2022):
- C1: Rectification, OJ L 112 of 27.4.2023, p. 51
- C2: Rectification, OJ L 90206 of 22.12.2023, p. 1
- C3: Rectification, OJ L 90309 of 4.4.2025, p. 1
For the consolidated text in force with rectifications incorporated, refer to EUR-Lex (CELEX 02022L2555).
NIS2 itself amends:
- Reg. (EU) No 910/2014 (eIDAS);
- Directive (EU) 2018/1972 (European Electronic Communications Code);
and repeals Directive (EU) 2016/1148 (NIS1).
Status of applicability¶
NIS2 has applied since 18 October 2024, the day after the transposition deadline of 17 October 2024 (Article 41). In Italy, substantive obligations apply on the schedule set by Legislative Decree 138/2024 and ACN determinations: entity registration, adoption of risk-management measures, activation of the incident reporting regime, sanction regime.
Official sources¶
- Full official text on EUR-Lex (CELEX 32022L2555)
- Consolidated version on EUR-Lex (CELEX 02022L2555)
- Legislative Decree 138/2024 — Italian transposition (Normattiva)
- National Cybersecurity Agency (ACN) — NIS page
- ENISA — NIS2 Directive page
- Reg. (EU) 2019/881 (Cybersecurity Act) — European certification schemes