Standard Overview
The NIS2 Directive (Network and Information Security Directive 2) is an EU-wide piece of cybersecurity legislation aimed at establishing a high common level of cybersecurity across all member states. Adopted in November 2022, with a transposition deadline of October 2024, it significantly expands the scope of the original NIS Directive, covering 18 critical sectors and an estimated 160,000+ entities.
NIS2 introduces stricter requirements, including management accountability, harmonised incident reporting timelines, and significant penalties for non-compliance. It represents the EU's most comprehensive cybersecurity legislation, mandating baseline security measures and establishing a cooperation framework through CSIRTs and the EU Agency for Cybersecurity (ENISA).
Expanded Scope
Covers 18 critical sectors and an estimated 160,000+ entities across the EU — significantly broader than the original NIS Directive, including digital infrastructure, public administration, and space.
Management Accountability
Holds management bodies personally liable for cybersecurity compliance. Executives can face temporary bans from management positions for repeated violations involving gross negligence.
Incident Reporting
Mandates early warning to national CSIRT within 24 hours of becoming aware of a significant incident, full notification within 72 hours, and a final report within one month.
Key Requirements
- Risk management measures covering at least 10 domains
- Supply chain security and vulnerability management
- Incident reporting on the 24-hour, 72-hour and one-month timelines
- Management body training and accountability
- Use of encryption and multi-factor authentication
- Business continuity and crisis management plans
- Cybersecurity risk assessment and policies
- Essential vs Important entity classification
Who Needs to Comply?
Medium-sized and large organizations (50+ employees or EUR 10M+ turnover) in 18 critical sectors across EU member states, classified as either essential or important entities. Also applies to certain smaller entities providing critical services.
Key Requirements
Cybersecurity Risk Management
Implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. Measures must cover at least 10 domains including incident handling, supply chain, and cryptography.
Incident Reporting Obligations
Report significant incidents to the national CSIRT or competent authority: early warning within 24 hours, incident notification within 72 hours, and a final report within one month including root cause analysis.
Supply Chain Security
Assess and address cybersecurity risks in supply chains and supplier relationships. Consider the vulnerabilities of each direct supplier and the overall quality of their security practices.
Management Body Obligations
Management bodies must approve cybersecurity measures, oversee implementation, and undergo regular cybersecurity training. They can be held personally liable for infringements.
Registration & Cooperation
Entities must register with relevant national authorities. Cooperate with CSIRTs and competent authorities during incidents and share relevant threat intelligence.
Penalties & Enforcement
Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face fines up to EUR 7 million or 1.4% of global annual turnover. Management can be held personally liable, with potential temporary bans from holding management positions.