NIS2 Directive (EU)

The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s updated cybersecurity law that sets a common baseline for cybersecurity risk management and incident reporting for organizations operating in designated critical and important sectors across the EU.

Who it applies to

NIS2 expands the scope of regulated entities compared to the original NIS Directive by covering more sectors and distinguishing between essential entities and important entities, with obligations enforced by national authorities.

Core obligations

NIS2 requires in-scope entities to implement appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks and reduce the impact of incidents. Typical control areas include:
– Incident handling and response processes
– Business continuity (backups, disaster recovery, crisis management)
– Supply chain and third-party security
– Vulnerability handling and secure development practices
– Access control policies (often including MFA and least privilege)
– Monitoring, logging, and secure communications where appropriate

Incident reporting timelines

For significant incidents, NIS2 introduces structured notification steps to national authorities/CSIRTs:
– Early warning within 24 hours of becoming aware
– Incident notification within 72 hours
– Final report within 1 month (or a progress report if ongoing, with a final report after resolution)

Timeline and national implementation

NIS2 is an EU directive, so each Member State must transpose it into national law. The directive set a transposition deadline of 17 October 2024 (with application from 18 October 2024).

Why NIS2 matters for EV charging ecosystems

EV charging networks rely on connected systems (chargers, gateways, CPMS, roaming and payment integrations) that can be disrupted by cyber incidents. NIS2 increases expectations for documented controls, monitoring, and incident readiness—supporting better uptime, safer remote operations, and stronger supply chain security across charging deployments.

Related terms

– Cybersecurity audits
– Incident response plan
– Network segmentation
– Role-based access control (RBAC)
– Multi-factor authentication (MFA)
– Secure update pipeline
– Data encryption
– OCPP
– CPMS
– Uptime