In the proposed Commission revision agricultural and forestry machinery are inserted as important entities. The result would be more compliance rules.


The first EU-wide law on cybersecurity, the NIS Directive, came into force in 2016 and helped achieve a higher and more even level of security of network and information systems across the EU. In view of the unprecedented digitalisation in the last years, pressure has been building to refresh it. As a result, the European Commission launched a proposal for NIS2 on 16th December 2020.

What has changed?

Capabilities of Member States: more stringent supervision measures and enforcement are introduced including a list of administrative sanctions, establishing fines for breach of the cybersecurity risk management and reporting obligations.

Cooperation: the main point is the establishment of a European Cyber crises liaison organisation network (EU - CyCLONe).

Cybersecurity risk management: much more detailed, focussed and more stringent requirements including on incident response and crisis management, vulnerability handling and disclosure, cybersecurity testing, and the effective use of encryption.  Companies have detailed requirements with more focus on cybersecurity of the supply chain, accountability of the company management for compliance with cybersecurity risk-management measures, and streamlined incident reporting obligations with more precise provisions on the reporting process, content and timeline.

And most importantly the scope has been made more clear with essential and important sectors/subsectors/entities being mentioned under dedicated annexes I and II.  Under annex II point 5 ‘manufacturing’/ (d) Manufacture of machinery and equipment n.e.c/ Undertakings carrying out any of the economic activities referred to in section C division 28 of NACE Rev. 2, also the ‘Manufacture of agricultural and forestry machinery’ is mentioned.

The full text can be found here:  

Several consultations were already carried out in 2020. The Commission has now opened a further possibility for stakeholders to provide feedback on the adopted act from 16 December 2020 to 18 March 2021. All feedback will be bundled and provided to Council and Parliament.

More information can be found here: