Glossary · Industry term

NIS2 Directive

Also known as: NIS2, EU NIS2, Network and Information Security Directive 2

Directive (EU) 2022/2555 — the second-generation Network and Information Security Directive. Establishes cybersecurity obligations for entities classified as essential or important across 18 sectors, including incident reporting (24-hour early warning, 72-hour incident notification, 1-month final report), risk-management measures, and management-body accountability. Member-state implementation deadline was October 2024; enforcement is now active across the bloc with material national variation.

How this publication uses it

NIS2 sits adjacent to the EU AI Act in the agentic-AI compliance stack but is not redundant with it. Where the AI Act governs the system, NIS2 governs the security posture of the operating entity. An agent incident that triggers EU AI Act Article 73 reporting will typically also trigger NIS2 Article 23 reporting — different timelines, different competent authorities, different record requirements. Programmes that build incident-response playbooks against EU AI Act obligations alone discover the NIS2 overlap on the first incident.
