NIS2 Repeal Provisions
The content is titled 'Repeal' from NIS2 source material, indicating it contains provisions that repeal or supersede previous legislation. This is a distinct regulatory concept requiring its own topic for proper classification of legislative replacement and transition provisions.
repeal NIS2 repeal repealed directive directive repeal NIS Directive repeal superseded provisions repealing provisions legislative repeal
Overview
Legal Framework
Article 44 NIS2 explicitly repeals Directive (EU) 2016/1148 (the original NIS Directive) with effect from 18 October 2024. This repeal is the central legislative mechanism for replacing the old regime with the new. The article also contains a crucial reference provision: all legal references to the repealed NIS Directive must now be construed as references to NIS2, and Annex III provides a correlation table to facilitate this interpretative transition. The rationale for this comprehensive replacement is underscored by Recital 5 NIS2, which identifies that divergences in national implementation of the first directive led to market fragmentation, inconsistent levels of cyber resilience, and increased vulnerability to cross-border cyber threats.
Practical Application
The repeal is not a simple deletion but an active substitution. From 18 October 2024, the NIS2 Directive is the sole applicable framework. In practice, this means that any existing contractual clause, national law reference, or compliance program citing the original NIS Directive must now be read as applying the corresponding provisions of NIS2. The correlation table in Annex III is the key tool for this exercise, mapping articles of the old directive to those in the new. For instance, a reference to "Article 14 of Directive (EU) 2016/1148" must be understood as pointing to its successor provision within NIS2. National legislators must ensure their existing NIS-implementing laws are fully amended or replaced to align with NIS2 by the transposition deadline, as the old directive ceases to be valid EU law.
Key Considerations
- Active Reference Conversion: Organizations must audit all documentation (contracts, policies, audit reports) for references to Directive (EU) 2016/1148 and, using Annex III, understand and apply the corresponding NIS2 obligations from 18 October 2024 onward.
- Monitor National Transition: The repeal at EU level triggers national legislative action. Entities must closely monitor how their Member State transitions its specific national laws from the old NIS framework to the new NIS2 regime, as this will dictate precise compliance requirements.
Laws (3)
Guidance (36)
View all 36Version history
Guidelines 07/2022 on certification as a tool for transfers
Guidelines on certification and identifying certification criteria
The GDPR requires in its Article 46 that data exporters shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by data exporters under Article 46 for framing transfers to third countries by introducing, amongst others, certification as a new transfer mechanism (Articles 42 (2) and 46 (2) (f) GDPR). These guidelines provide guidance as to the applicati...
Guidelines 04/2021 on Codes of Conduct as tools for transfers
Guidelines on codes of conduct and monitoring bodies
The GDPR requires in its Article 46 that controllers/processors shall put in place appropriate safeguards for transfers of personal data to third countries or international organisations. To that end, the GDPR diversifies the appropriate safeguards that may be used by organisations under Article 46 for framing transfers to third countries by introducing amongst others, codes of conduct as a new transfer mechanism (articles 40-3 and 46-2-e). In this respect, as provi...
Guidelines 1/2020 on processing personal data in the context of connected vehicles and mobility related applications
Guidelines on processing of personal data through video devices
Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the GDPR
Guidelines on the Interplay between the application of Article 3 and the provisions on international transfers as per Chapter V of the GDPR
Richtsnoeren 05/2020 inzake toestemming overeenkomstig Verordening 2016/679
guidelines toestemming
Guidelines 02/2024 on Article 48 GDPR
Article 48 GDPR provides that: ' Any judgment of a court or tribunal and any decision of an administrative authority of a third country requiring a controller or processor to transfer or disclose personal data may only be recognised or enforceable in any manner if based on an international agreement, such as a mutual legal assistance treaty, in force between the requesting third country and the Union or a Member State, without prejudice to other grounds for transfer...
Guidelines 8/2022 on identifying a controller or processor's lead supervisory authority
Guidelines for identifying a controller or processor’s lead supervisory authority
Guidelines 01/2021
Guidelines on Examples regarding Personal Data Breach Notification
Guidelines 1/2018 on certification and identifying certification criteria in accordance with Articles 42 and 43 of the Regulation
Guidelines on certification and identifying certification criteria
Version history
Guidelines on articles 46 (2) (a) and 46 (3) (b) of Regulation 2016/679 for transfers of personal data between EEA and non-EEA public authorities and bodies
Guidelines 1/2019 on Codes of Conduct and Monitoring Bodies under Regulation 2016/679
Guidelines on codes of conduct and monitoring bodies
Guidelines 05/2020 on consent under Regulation 2016/679
Guidelines on consent
Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0 Adopted on 20 October 2020
Guidelines on data protection by design and by default
Guidelines 01/2022 on data subject rights - Right of access
Guidelines on data subject rights - Right of access
The right of access of data subjects is enshrined in Art. 8 of the EU Charter of Fundamental Rights. It has been a part of the European data protection legal framework since its beginning and is now further developed by more specified and precise rules in Art. 15 GDPR.
Guidelines 03/2022 on Deceptive design patterns in social media platform interfaces: how to recognise and avoid them
Guidelines on deceptive design patterns in social media platform interfaces: how to recognise and avoid them
These Guidelines offer practical recommendations to social media providers as controllers of social media, designers and users of social media platforms on how to assess and avoid so-called 'deceptive design patterns' in social media interfaces that infringe on GDPR requirements. To this end, the EDPB recommends that controllers make use of interdisciplinary teams, consisting, among others, of designers, data protection officers and decision-makers. It is important to note ...
Guidelines 2/2018 on derogations of Article 49 under Regulation 2016/679
Guidelines on derogations of Article 49
Guidelines 9/2022 on personal data breach notification under GDPR
Guidelines on personal data breach notification under GDPR
Guidelines 3/2019 on processing of personal data through video devices
Guidelines on processing of personal data through video devices
Guidelines 09/2020 on relevant and reasoned objection under Regulation 2016/679
Guidelines on relevant and reasoned objection under Regulation 2016/679