16 December, 2020
Angus J Allen

European Commission proposes NIS2

EU flag
On 16 December 2020, the European Commission adopted a proposal for a Revised Directive on Security of Network and Information Systems (NIS2).

The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of digitalisation in recent years, the European Commission believes that it is in need of an update.


Greater capabilities

Under NIS2, more stringent supervision measures and enforcement measures are expected to be introduced.  It is also expected there will be established a list of administrative sanctions, including fines for breach of the cybersecurity risk management and reporting obligations.


NIS2 will provide for greater cooperation both at EU and Member State levels, including:

  • The establishment of a European Cyber crises liaison organisation network (EU- CyCLONe) to support coordinated management of large scale cybersecurity incidents and crises at EU level
  • Increased information sharing and cooperation between Member State authorities with enhanced role of the Cooperation Group
  • Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU

Cybersecurity risk management

NIS2 will strengthen security requirements with a list of focused measures including incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.

NIS2 will also strengthen the security of supply chains for key information and communication technologies.

Importantly, we expect the European Commission to demand greater accountability of company management for compliance with cybersecurity risk-management measures.

We also expect streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline.

Sector coverage

NIS2 is expected to expand in scope to include more sectors and services as either essential or important entities.  Sectors falling within scope are likely to include the following:

  • Providers of public electronic communications networks or services
  • Digital services such as social networking services platforms and data centre services
  • Waste water and waste management
  • Space
  • Manufacturing of certain critical products such as pharmaceuticals, medical devices and chemicals
  • Postal and courier services
  • Food
  • Public administration

Next steps

NIS2 is a key part of the European Commission’s updated cyber cyber strategy. However, legislative wheels in Brussels turn slowly and the proposal will now be subject to significant negotiations between legislators, following which Member States will have a further 18 months to transpose it into national law.

Written by

Angus J Allen

Angus J Allen

Founder and CEO

Angus is Founder and CEO at Volemic. In this role, Angus oversees all aspects of Volemic's product development, operations and sales internationally. Before launching Volemic, Angus spent 20 years as a technology lawyer, banker and leader.

Related Articles

The Volemic View Blog

Subscribe via Email.


Subscribe to The Volemic View to receive the latest news and insights relating to data privacy, cybersecurity and making email trustworthy.

Thank you! You have been subscribed.