Directive (EU) 2022/2555, the so-called NIS2 Directive, updates and replaces the original 2016 NIS Directive, expanding its scope and strengthening cybersecurity obligations for essential and important entities.
The energy sector – including electricity and gas market operators, TSOs, DSOs, and market platforms – is explicitly included.
Entities in scope must implement risk management practices, incident response protocols, and governance controls. The Directive also introduces stricter reporting requirements, supervisory powers, and coordinated EU-level response mechanisms.
Implementation and enforcement vary across Member States, with national authorities responsible for designating in-scope entities and applying the rules.