On 13 May 2022, the European Parliament and EU Member States reached a provisional agreement on the NIS2 Directive. This act will repeal the current NIS Directive, amending the rules on the security of network and information systems.
The new rules will be of relevance both for the entities directly falling under the new Directive (in conjunction with its future local implementation) as well as, though itself not in scope, dealing with the organisations covered by the NIS2 Directive.
Once formally approved by the co-legislators and published in the Official Journal, the NIS2 Directive will enter into force 20 days after publication. Member States will then have 21 months to transpose the Directive into national law. In Germany, for example, following the IT Security Act 2.0, the legislator will have to deal with an IT Security Act 3.0.
Our article describes the key takeaways of the provisional agreement and highlights the current points for action.