THE EVER-INCREASING CYBERSECURITY COMPLIANCE IN EUROPE: THE NIS 2 AND WHAT ALL BUSINESSES IN THE EU SHOULD BE AWARE OF

VALENTINO LUCINI

Abstract

On 27 December 2022, the Network and Information Systems (NIS) Directive 2 was published in the Official Gazette of the European Union, and it became effective 21 days later. The NIS 2 represents the Union's new attempt to create a more solid regional cybersecurity legal framework and set of requirements after the fragmented adoption of the previous NIS Directive by its Member States, and it gives the latter until 17 October 2024 to adapt their legislation. The new directive widens the reach of the previous regime by bringing more enterprises, as well as new sectors, within its scope of application. Further, the Union is lifting the burden of classification from the Member States by replacing it with an identification based on a company's size. But that's not all. The NIS 2 also revises most of the cybersecurity requirements of the previous regime by providing a list of new obligations as well as revised procedural terms and liabilities. In this context, many operators previously exempt under the NIS Directive could now face new compliance challenges when operating in Europe, whereas companies already subject to NIS 1 should also reassess their stance in order to limit their legal risks in the region. The article provides an outline of the new reach of the NIS 2 Directive and its main provisions, and offers suggestions for EU and foreign operators (including Russians) on how to prepare for the changes the NIS 2 regulatory system would bring.

Section
Corporate / Business Law