The  Package consist of three components: an EU Cyber Security strategy; Proposal for a revised Directive on Network and Information Systems (NIS2); and a Proposal for a Directive on the Resilience of Critical Entities.

Medium and large companies are included in the scope, and different sectors are categories under either ‘essential entities’ or ‘important entities’. The two different type of entities are subject to different supervisory and penalty regimes, but will have the same risk management requirements and reporting obligations. Read our note to learn more.