Inconsistencies in NIS addressed by NIS2


Directive (EU) 2016/1148 of the European Parliament and of the Council (7)Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (OJ L 194, 19.7.2016, p. 1). was the first horizontal cybersecurity framework enacted at Union level, applying also to three types of financial entitiesas defined in Article 2, points (a) to (t), namely credit institutionsmeans a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32);, trading venuesmeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; and central counterpartiesmeans a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012;. However, since Directive (EU) 2016/1148 set out a mechanism of identification at national level of operators of essential services, only certain credit institutionsmeans a credit institution as defined in Article 4(1), point (1), of Regulation (EU) No 575/2013 of the European Parliament and of the Council (32);, trading venuesmeans a trading venue as defined in Article 4(1), point (24), of Directive 2014/65/EU; and central counterpartiesmeans a central counterparty as defined in Article 2, point (1), of Regulation (EU) No 648/2012; that were identified by the Member States, have been brought into its scope in practice, and hence required to comply with the ICT security and incident notification requirements laid down in it. Directive (EU) 2022/2555 of the European Parliament and of the Council (8)Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive) (see page 80 of this Official Journal). sets a uniform criterion to determine the entities falling within its scope of application (size-cap rule) while also keeping the three types of financial entitiesas defined in Article 2, points (a) to (t) in its scope.