Does your company need to be compliant with the NIS2 Directive, which came into force in 2023?
The NIS2 Directive is the EU-wide legislation on cybersecurity. It provides legal measures to raise the overall level of cybersecurity across the EU. It updates the EU cybersecurity rules introduced in 2016 and came into force in 2023.
NIS2 categorizes entities into two groups: important and essential. Both groups must meet the same requirements, but there are differences in the supervisory measures and penalties. Essential entities must comply with supervisory requirements from the start of NIS2, while important entities are subject to ex-post supervision, meaning action is taken if evidence of non-compliance is found.
NIS2 has simplified the scoping exercise for competent authorities. A list of sectors has been defined, and any large (headcount over 250 or revenue over 50 million) or medium (headcount over 50 or revenue over 10 million) enterprise in those sectors is automatically in scope. Small and micro enterprises may still be brought into scope if they meet specific criteria showing that they play a significant role in society, the economy, or particular sectors or services.