EN
L 333/80
Official Journal of the European Union
27.12.2022
DIRECTIVES
DIRECTIVE (EU) 2022/2555 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL
of 14 December 2022
on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)
(Text with EEA relevance)
THE EUROPEAN PARLIAMENT AND THE COUNCIL OF THE EUROPEAN UNION,
Having regard to the Treaty on the Functioning of the European Union, and in particular Article 114 thereof,
Having regard to the proposal from the European Commission,
After transmission of the draft legislative act to the national parliaments,
Having regard to the opinion of the European Central Bank (1),
Having regard to the opinion of the European Economic and Social Committee (2),
After consulting the Committee of the Regions,
Acting in accordance with the ordinary legislative procedure (3),
Whereas:
(1) Directive (EU) 2016/1148 of the European Parliament and the Council (4) aimed to build cybersecurity capabilities
across the Union, mitigate threats to network and information systems used to provide essential services in key
sectors and ensure the continuity of such services when facing incidents, thus contributing to the Union’s security
and to the effective functioning of its economy and society.
(2) Since the entry into force of Directive (EU) 2016/1148, significant progress has been made in increasing the Union’s
level of cyber resilience. The review of that Directive has shown that it has served as a catalyst for the institutional
and regulatory approach to cybersecurity in the Union, paving the way for a significant change in mind-set. That
Directive has ensured the completion of national frameworks on the security of network and information systems
by establishing national strategies on security of network and information systems and establishing national
capabilities and by implementing regulatory measures covering essential infrastructures and entities identified by
each Member State. Directive (EU) 2016/1148 has also contributed to cooperation at Union level through the
establishment of the Cooperation Group and the network of national computer security incident response teams.
Notwithstanding those achievements, the review of Directive (EU) 2016/1148 has revealed inherent shortcomings
that prevent it from addressing effectively current and emerging cybersecurity challenges.
(3) Network and information systems have developed into a central feature of everyday life with the speedy digital
transformation and interconnectedness of society, including in cross-border exchanges. That development has led to
an expansion of the cyber threat landscape, bringing about new challenges, which require adapted, coordinated and
innovative responses in all Member States. The number, magnitude, sophistication, frequency and impact of
incidents are increasing, and present a major threat to the functioning of network and information systems. As a
result, incidents can impede the pursuit of economic activities in the internal market, generate financial loss,
(1) OJ C 233, 16.6.2022, p. 22.
(2) OJ C 286, 16.7.2021, p. 170.
(3) Position of the European Parliament of 10 November 2022 (not yet published in the Official Journal) and decision of the Council of
28 November 2022.
(4) Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common
level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1).