The NIS 2 Directive requires critical infrastructure operators to take state-of-the-art measures against all cybersecurity risks, including those from malicious use of frontier AI.
78% confidence
OtherEuropean Union
Omissions
The NIS 2 Directive was adopted in December 2022, before the term 'frontier AI' entered common policy discourse. The directive text contains no explicit reference to artificial intelligence, frontier AI, or AI-specific cybersecurity risks.
The claim frames an implicit coverage (via the all-hazards approach) as an explicit textual requirement, which could mislead listeners into believing the directive specifically addresses frontier AI.
The European Commission has subsequently adopted additional measures — such as the AI Act and the implementing regulation on critical digital infrastructure under NIS 2 — that more directly address AI-related risks, but these are separate legal instruments, not part of the NIS 2 Directive itself.
Sources
PrimaryEUR-Lex — Directive (EU) 2022/2555 (NIS 2 Directive)Article 21(1): 'Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems… Those measures shall… take into account the state-of-the-art.' Recital 85 confirms the directive follows an 'all-hazards approach.' The directive text contains no mention of 'artificial intelligence,' 'AI,' or 'frontier AI.'
SecondaryNIS 2 Directive — Article 21 full text (nis-2-directive.com)Article 21(1): 'Taking into account the state-of-the-art and, where applicable, relevant European and international standards, as well as the cost of implementation, the measures referred to in the first subparagraph shall ensure a level of security of network and information systems appropriate to the risks posed.' Article 21(2) lists specific measures (incident handling, business continuity, supply chain security, etc.). No mention of AI or frontier AI appears in any paragraph of Article 21.
SecondaryEuropean Commission — NIS2 Directive policy pageThe page describes NIS2 as establishing 'a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU.' It does not mention artificial intelligence or frontier AI among the risks or sectors covered by the directive.