IAPP Training · Module 9 - BoK II.B
Module 9 · The NIS and NIS2 Directives
The NIS Directive (in force May 2018) was the first EU-wide cybersecurity law. It is not specifically about personal data, but it aligns with and bolsters the GDPR's security duties. It has three focuses: national capabilities, cross-border collaboration and national supervision of critical sectors. The NIS2 Directive applies to medium and large entities and was effective 17 Jan 2025; it splits covered organisations into essential entities and important entities, expands the covered sectors, and creates the European Vulnerability Database (EUVD), maintained by ENISA.
| Focus | What it does |
|---|---|
| National capabilities | Require Member States to establish national cybersecurity strategies and structures |
| Cross-border collaboration | Enhance cooperation between Member States |
| National supervision of critical sectors | Improve security of essential services and digital service providers |
- NIS2 Directive applies to medium and large entities; effective 17 Jan 2025.
- New classifications - essential entities (energy, banking, health, drinking water) and important entities (waste management, food, medical devices, electronics).
- Expands covered sectors; modifies breach notification; adds voluntary coordinated vulnerability disclosure.
- Provides the European Vulnerability Database (EUVD), maintained by ENISA.
Key terms - quick answers
What is “NIS Directive”?
The first EU-wide cybersecurity law, in force May 2018; aligns with and bolsters GDPR security but is not specifically about personal data.
What is “NIS2 Directive”?
The successor effective 17 Jan 2025; applies to medium and large entities and expands the regime.
What is “Essential entities”?
NIS2 category covering energy, banking, health and drinking water.
What is “Important entities”?
NIS2 category covering waste management, food, medical devices and electronics.