Article 40

Review

By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council. The report shall in particular assess the relevance of the size of the entities concerned, and the sectors, subsectors and types of entity referred to in Annexes I and II for the functioning of the economy and society in relation to cybersecurity. To that end and with a view to further advancing the strategic and operational cooperation, the Commission shall take into account the reports of the Cooperation Group and the CSIRTs network on the experience gained at a strategic and operational level. The report shall be accompanied, where necessary, by a legislative proposal.

Frequently Asked Questions

The European Commission will first review the NIS2 directive by 17 October 2027, then continue reviewing it regularly every three years, ensuring it remains effective, relevant and appropriate in improving cybersecurity, and meeting changing cybersecurity needs and conditions across the economy and society within the European Union.
The European Commission carries out the reviews of the NIS2 directive, drawing on the reports of the Cooperation Group and the CSIRTs network (the EU network of computer security incident response teams) on the experience gained at a strategic and operational level, in order to assess how well the directive operates and whether changes or updates may be needed going forward.
During the review, the Commission examines whether the size of the entities concerned and the sectors, subsectors and types of entity listed in Annexes I and II of the directive are still relevant and appropriate; it considers their importance for maintaining strong cybersecurity protections in the daily business activities and services that citizens and society depend upon.
If the Commission finds significant need for changes after a review, it can propose new legislation or amendments, improving and updating the directive to better protect the economy and essential services from cybersecurity risks, ensuring European cybersecurity measures remain strong, practical, and effective for years to come.
