Standard Overview
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's legislation on measures for a high common level of cybersecurity across the Union, to be transposed into national law by Member States by 17 October 2024. It replaces the original NIS Directive of 2016 and substantially broadens both its scope and its requirements. NIS2 divides regulated entities into two categories, "essential entities" and "important entities," and covers 18 sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
NIS2 requires organizations to implement comprehensive cybersecurity risk management measures, including risk analysis and information system security policies, incident handling procedures, business continuity and crisis management, supply chain security, cybersecurity training and basic cyber hygiene practices, and the use of cryptography and multi-factor authentication. Significant incidents require an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. Management bodies must undergo cybersecurity training and bear personal responsibility. For non-compliance, essential entities face fines of up to EUR 10 million or 2% of global annual turnover, and important entities up to EUR 7 million or 1.4% of global annual turnover. NIS2 also introduces a personal accountability mechanism for senior management.
Expanded Scope
Covers 18 critical sectors and an estimated 160,000+ entities across the EU — significantly broader than the original NIS Directive, including digital infrastructure, public administration, and space.
Management Accountability
Holds management bodies personally liable for cybersecurity compliance. Executives can face temporary bans from management positions for repeated violations involving gross negligence.
Incident Reporting
Mandates early warning to national CSIRT within 24 hours of becoming aware of a significant incident, full notification within 72 hours, and a final report within one month.
Key Requirements
- Risk management measures covering at least 10 domains
- Supply chain security and vulnerability management
- Incident reporting within 24/72-hour timelines
- Management body training and accountability
- Use of encryption and multi-factor authentication
- Business continuity and crisis management plans
- Cybersecurity risk assessment and policies
- Essential vs Important entity classification
Who Needs to Comply?
Medium-sized and large organizations (50+ employees or EUR 10M+ turnover) in 18 critical sectors across EU member states, classified as either essential or important entities. Also applies to certain smaller entities providing critical services.
Key Requirements
Cybersecurity Risk Management
Implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. Measures must cover at least 10 domains including incident handling, supply chain, and cryptography.
Incident Reporting Obligations
Report significant incidents to the national CSIRT or competent authority: early warning within 24 hours, incident notification within 72 hours, and a final report within one month including root cause analysis.
Supply Chain Security
Assess and address cybersecurity risks in supply chains and supplier relationships. Consider the vulnerabilities of each direct supplier and the overall quality of their security practices.
Management Body Obligations
Management bodies must approve cybersecurity measures, oversee implementation, and undergo regular cybersecurity training. They can be held personally liable for infringements.
Registration & Cooperation
Entities must register with relevant national authorities. Cooperate with CSIRTs and competent authorities during incidents and share relevant threat intelligence.
Penalties & Enforcement
Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face fines up to EUR 7 million or 1.4% of global annual turnover. Management can be held personally liable, with potential temporary bans from holding management positions.