The EU NIS-2 Directive: Cybersecurity Law for Critical Infrastructure
In an increasingly interconnected world, ensuring cybersecurity across all sectors has become more crucial than ever. To protect EU companies and citizens from threats, the European Union aims to establish a high common level of cybersecurity across the EU for important companies and critical infrastructure providers. The EU NIS-2 Directive represents a significant step towards this aim. The NIS-2 Directive, which came into force on December 14, 2022, extends the applicability to further sectors, setting new standards and obligations for a wide range of entities.
EU Directives do not apply directly. They must be implemented in the national laws of the EU Member States. Each Member State was obliged to implement the Directive into its local law by October 2024.
Non-compliance can lead to substantial penalties, including fines of at least EUR 7 million or 1.4% of an entity's worldwide turnover.
Learn below about the most important cornerstones of the NIS-2 Directive and explore our map to see the current implementation status in the EU member states. Because national laws may contain deviations, the map also lists your contact person at the respective PwC network firm.
Who is affected by NIS-2?
The Directive applies to both essential and important entities, including critical infrastructure operators, regardless of their size. However, there are exemptions available for small entities with fewer than 50 employees or an annual turnover and balance sheet total of less than EUR 10 million.
Key Requirements (among other things)

Registration
Entities falling under the Directive must register and adhere to strict cyber incident reporting duties.

Incident Reporting
Any incident significantly impacting service provision must be reported promptly to the competent national authorities (CSIRTs). These include incidents causing severe operational disruptions or financial losses, or those affecting other parties by causing substantial damage.

Incident Reporting Timeframe
- Within 24 hours: Submit an early initial report upon becoming aware of a significant incident.
- Within 72 hours: Provide a confirmation or update.
- Within 1 month: Deliver a final report.
European Overview
Implementation Overview Map in EU Countries
The map reflects the current implementation status in each member state, which is constantly changing as the implementation proceeds. Please reach out to the designated PwC network firm for more information or advice on specific questions.