Definition

NIS2

NIS2 (Directive 2022/2555) is the EU's revised network and information security directive, enforceable from October 2024 across all member states. It expands the scope of regulated entities and tightens incident-reporting timelines.

NIS2 distinguishes between "essential" entities (banks, hospitals, energy, water, digital infrastructure) and "important" entities (postal services, waste management, manufacturers of medical devices, food production, chemical industry). Both categories face mandatory incident reporting within 24 hours, supply-chain risk management requirements and management-board accountability.

Why it matters

  • Penalties up to €10M or 2 % of worldwide turnover (essential) / €7M or 1.4 % (important).
  • Personal liability for management board members.
  • AI usage that exfiltrates regulated data to a third-party LLM is a reportable incident.

Related terms