
EU Council directive strengthens cybersecurity measures

29 November 2022

Elizabeth Pfeuti

New standardised ‘high level’ cybersecurity rules are being proposed for the EU by the European Council, which will bring more firms under this regulatory reach.

November 30, 2022


Called NIS2, this new directive will replace the current rules and create a baseline for cybersecurity risk management measures and reporting obligations.  

The new regulation will cover the same sectors as the current directive, including the energy, transport, health, and digital infrastructure industries.  

To widen the scope of rules, a size cap has been introduced. As a result, all medium and large-sized companies operating within the covered sectors will be affected. 

The widened scope means most companies in the public and private sectors, as well as the EU as a whole, will be covered.

However, companies within the defence or national security, public security and law enforcement sectors, as well as the judiciary, parliament, and central banks, have been excluded.

Ivan Bartoš, Czech deputy prime minister for digitalisation and minister of regional development, said: “There is no doubt that cybersecurity will remain a key challenge for the years to come. The stakes for our economies and our citizens are enormous. Today, we took another step to improve our capacity to counter this threat.” 

The legislation has also established mechanisms for successful cooperation and updated remedies and sanctions to allow effective enforcement.   

Reporting obligations have been streamlined to avoid over-reporting and creating an excessive burden for the entities.  

Additionally, the directive will establish the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), which will support the coordinated management of large-scale cybersecurity incidents and crises.  

Following the introduction of NIS2, member states within the EU will have 21 months to incorporate the directive into national law.

NIS2 has been approved by the European Parliament, which recently approved the Digital Operational Resilience Act (DORA).  

This regulation is designed to mitigate ICT risks across the EU by harmonising existing rules in this area.

It incorporates specific implications for European financial services firms and their ICT providers.

Regulated entities have 24 months to implement DORA.  
