eco Comments on New EU Cybersecurity Rules: NIS 2 Confronts Companies with Disproportionate Red Tape

The directive “for a high common level of cybersecurity” appeared in the EU Official Journal at the end of December and will enter into force on 16 January 2023. The NIS 2 Directive now reforms the existing regulations on network and information security (NIS). This means that numerous companies, state-owned enterprises and public authorities will have to comply with new requirements in the area of cybersecurity.

eco Board Member Klaus Landefeld comments:

“The noticeable increase in serious cyberattacks makes it necessary to sustainably strengthen the cyber resilience of European companies and critical institutions. It is crucial that companies are able to react quickly to any IT security incidents. In NIS 2, the scope is extended to a larger number of sectors and activities. The establishment of a European vulnerability database is also to be welcomed. However, NIS 2 must be designed in a much more practical way for companies. The currently planned reporting and notification requirements confront companies with a disproportionate amount of bureaucracy that delays processes. Also, the extension of the scope of NIS 2 must not lead to double or multiple regulation. Particular attention must be paid here to the telecommunications sector, which is already regulated under special legislation.”


The new “NIS 2” Directive replaces the current “NIS” Directive and was adopted by the Council of the EU and the European Parliament in November 2022. On 27.12.2022, the NIS 2 Directive was published in the Official Journal of the EU and will enter into force on 16.01.2023. Member States then have 21 months to transpose it into national law.

eco Board Member Klaus Landefeld on the German Coalition Agreement: “A surveillance overview bill must not just be lip service”