NIS2 replaces the 2016 NIS framework and establishes common EU requirements for cybersecurity governance, risk management and incident reporting for designated “essential” and “important” entities across expanded sectors. It binds Member States to set strategies, designate authorities and enforce supervisory regimes, while obliging covered entities to implement proportionate technical and organisational measures and to notify significant incidents on tight timelines. This is structurally relevant to AI governance because AI development, deployment and service provision rely on network and information systems and complex ICT supply chains that NIS2 seeks to secure. The instrument’s subject is precisely stated: “This Directive lays down measures that aim to achieve a high common level of cybersecurity across the Union” (Article 1(1)).
Full name: Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (Text with EEA relevance)