The Commission welcomes the political agreement reached between the European Parliament and EU Member States on the Directive on measures for a high common level of cybersecurity across the Union (NIS-2 Directive) proposed by the Commission in December 2020.

To respond to this increased exposure of Europe to cyber threats, the NIS-2 Directive now covers medium and large entities from more sectors that are critical for the economy and society, including providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration, both at central and regional level.

It also covers more broadly the healthcare sector, for example by including medical device manufacturers, given the increasing security threats that arose during the COVID-19 pandemic. The expansion of the scope covered by the new rules, by effectively obliging more entities and sectors to take cybersecurity risk management measures, will help increase the level of cybersecurity in Europe in the medium and longer term.

The NIS-2 Directive also strengthens cybersecurity requirements imposed on the companies, addresses security of supply chains and supplier relationships and introduces accountability of top management for non-compliance with the cybersecurity obligations. It streamlines reporting obligations, introduces more stringent supervisory measures for national authorities, as well as stricter enforcement requirements, and aims at harmonising sanctions regimes across Member States. It will help increase information sharing and cooperation on cyber crisis management at a national and EU level.