The European Union (EU) has taken preliminary steps to protect both public and private organizations from cyber-attacks. The new directive, called “NIS2” (short for network and information systems), updates previous legislation from 2016. It requires organizations in the energy, transport, financial markets, health, and digital infrastructure sectors to adhere to risk management measures and reporting obligations, including reporting cyber incidents to authorities within 24 hours. EU member states must incorporate the provisions into their national law within 21 months of the directive's official publication. The directive widens the scope of cybersecurity rules, although it does not apply to organizations working in defense and national security. It also includes a voluntary peer-learning mechanism that aims to raise overall cybersecurity competency across the EU through shared experiences and best practices.