• A broader scope: The NIS2 Directive applies to medium-sized and large public and private enterprises in critical sectors. While still applying to businesses in sectors covered by the original NIS Directive (g., energy, transport, health, banking, and digital infrastructure), the NIS2 Directive now covers a wider range of sectors, such as postal and courier services, medical devices, food distribution, public electronic communications networks and publicly available electronic communications services, and digital providers (including, notably, providers of social networking platforms).
In particular circumstances, the NIS2 Directive shall apply regardless of the size of the enterprise. For example, an entity that is the sole provider of a service in a Member State or to a (central or regional) public administration shall be covered under the NIS2 Directive regardless of size.
• National cybersecurity strategy: The NIS2 Directive requires Member States to adopt a national cybersecurity strategy covering objectives and priorities in the sectors subject to the NIS2 Directive, a governance framework clarifying, among other things, the roles and the responsibilities of relevant stakeholders, a mechanism to identify relevant assets and assess risks, and cybersecurity standards and guidelines (this is also required of entities not subject to the NIS2 Directive)
• Minimum obligations for entities subject to the NIS2 Directive: A set of minimum obligations (to be implemented by Member States) to manage cybersecurity risks has been introduced. These include adoption of policies for risk analysis and information system security, incident handling, business continuity and crisis management, and supply chain security, policies and procedures regarding cryptography and encryption, and periodic assessment of effectiveness of cybersecurity management measures.
• Security incident handling: The NIS2 Directive streamlines the system for handling security incidents, including at the EU level. For this purpose, the NIS2 Directive establishes a European cyber crisis liaison organization network (EU-CyCLONe) that supports coordinated management of large-scale cybersecurity incidents. Additionally, the NIS2 Directive introduces an obligation to submit an early warning to the appropriate authority within 24 hours of becoming aware of a significant incident.
The NIS2 Directive shall enter into force 20 days after it has been published in the EU Official Journal. Member States will have up to 21 months to proceed with national implementation.
 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the European Union.
 NIS2 Directive Explanatory Memorandum.