The NIS 2 Directive, which follows the landmark NIS Directive introduced in 2016, will respond to “the increasing degree of digitalisation and interconnectedness of our society and the rising number of cyber malicious activities at global level”, the European Commission has said.

It significantly expands the scope of EU cybersecurity rules to include more sectors, including providers of public electronic communications services, digital services, waste water and waste management, manufacturing of critical products, postal and courier services and public administration.

It also covers more broadly the healthcare sector, for example by including medical device manufacturers, given the increasing security threats that arose during the Covid-19 pandemic.

Business leaders will be held accountable for non-compliance with cybersecurity obligations under the new Directive, which will also streamline reporting obligations, introduce stricter enforcement requirements and aim to harmonise sanctions regimes across member states. It will also provide for increased information sharing and co-operation on cyber crisis management at a national and EU level.

Margrethe Vestager, the European Commission’s executive vice-president for a Europe Fit for the Digital Age, said: “We have been working hard for digital transformation of our society. In the past months we have put a number of building blocks in place, such as the Digital Markets Act and the Digital Services Act.

“Today, member states and the European Parliament have also secured an agreement on NIS 2. This is another important breakthrough of our European digital strategy, this time to ensure that citizens and businesses are protected and trust essential services.”

Margaritis Schinas, vice-president for Promoting our European Way of Life, said: “Cybersecurity was always essential to shield our economy and our society against cyber threats; it is becoming critical as we are moving further in the digital transition. The current geopolitical context makes it even more urgent for the EU to ensure that its legal framework is fit for purpose.

“By agreeing on these further strengthened rules, we are delivering on our commitment to enhance our cybersecurity standards in the EU. Today, the EU shows its clear determination to champion preparedness and resilience against cyber threats, which target our economies, our democracies and peace.”

Thierry Breton, commissioner for the internal market, said: “Cyber threats have become bolder and more complex. It was imperative to adapt our security framework to the new realities and to make sure our citizens and infrastructures are protected. In today’s cybersecurity landscape, cooperation and rapid information sharing are of paramount importance.

“With the agreement of NIS2, we modernise rules to secure more critical services for society and economy. This is therefore a major step forward. We will complement this approach with the upcoming Cyber Resilience Act that will ensure that digital products are also more secure whenever they are used.”