Article 44: Repeal
The Article 44 repeal requirement means you must stop treating the NIS 1 Directive (EU) 2016/1148 as the governing EU cybersecurity directive after 18 October 2024, and transition your compliance basis to NIS 2. Operationally, update your obligation register, policies, audits, third-party requirements, and incident reporting playbooks so they map to NIS 2 transposition in each EU Member State where you operate. (Directive (EU) 2022/2555, Article 44)
Key takeaways:
- Replace NIS 1 references across governance, contracts, and audit materials with NIS 2 as the controlling directive after 18 October 2024. (Directive (EU) 2022/2555, Article 44)
- Translate the repeal into a jurisdiction-by-jurisdiction compliance mapping because enforcement runs through national transposition, not the directive text alone. (Directive (EU) 2022/2555)
- Keep exam-ready evidence that you executed the transition: decisions, mapping, training, control updates, and supplier change management.
Article 44 is short, but operationally disruptive. It repeals the prior NIS 1 Directive effective 18 October 2024, which forces a compliance “source of truth” change across your program: what you cite, what you test, what you ask third parties to do, and what you can defend under supervision. (Directive (EU) 2022/2555, Article 44)
For a CCO or GRC lead, the practical problem is rarely the legal statement itself. The problem is residual NIS 1 dependence hidden in policies, internal control matrices, incident response runbooks, procurement templates, and assurance narratives. That residue creates exam friction: assessors find inconsistent citations, outdated requirements, and controls that no longer align to the governing directive (and local transposition). (Directive (EU) 2022/2555)
This page treats the Article 44 repeal requirement as a transition control. Your job is to (1) formally sunset NIS 1 as a compliance basis after the effective date, (2) re-baseline obligations to NIS 2 and to the national laws that implement it, and (3) produce clean evidence that the organization made the change in an accountable, repeatable way.
Regulatory text
Regulatory excerpt: “Directive (EU) 2016/1148 is repealed with effect from 18 October 2024.” (Directive (EU) 2022/2555, Article 44)
Operator meaning (what you must do):
- Treat NIS 1 as no longer in force as an EU-level directive after the repeal date, and do not represent NIS 1 as your controlling requirement set after that point. (Directive (EU) 2022/2555, Article 44)
- Re-anchor your cybersecurity compliance program to NIS 2 and to each applicable Member State’s implementing law, because a directive becomes operational through national transposition and supervisory practice. (Directive (EU) 2022/2555)
What this is not: Article 44 does not list new cybersecurity controls by itself. It triggers governance cleanup and re-mapping work so your controls, reporting, and third-party requirements are aligned to the current directive and local law.
Plain-English interpretation of the requirement
The Article 44 repeal requirement is a “stop using the old rulebook” mandate. After the effective date, you should expect internal stakeholders, auditors, and regulators to question any compliance claim, risk acceptance, or control test that still points to NIS 1 as the standard.
In practice, this requirement lands as four concrete expectations:
- Your compliance references must be current. Policies and procedures should cite the correct directive and the correct national legal basis where you operate. (Directive (EU) 2022/2555)
- Your scope logic must be refreshed. If you previously categorized yourself under NIS 1 concepts, reassess classification and obligations under NIS 2 and local transposition. (Directive (EU) 2022/2555)
- Your operational playbooks must match the governing regime. Incident handling, reporting triggers, and third-party dependency management need to be exam-ready under the new baseline. (Directive (EU) 2022/2555)
- Your evidence has to show a managed transition. Examiners often accept that programs evolve. They do not accept undocumented evolution.
Who it applies to (entity and operational context)
This requirement applies to organizations that previously built a NIS 1-aligned program or referenced NIS 1 in any compliance artifacts, and that now must align to Directive (EU) 2022/2555 (NIS 2) and applicable national implementing laws after the repeal effective date. (Directive (EU) 2022/2555, Article 44)
Operational contexts where this shows up:
- GRC and internal audit: control matrices, audit plans, issues logs, and testing scripts that cite NIS 1.
- Security governance: policies, standards, and risk assessments referencing NIS 1 terminology or obligations.
- Incident response: notification decision trees and escalation criteria built around older assumptions.
- Third-party risk management: due diligence questionnaires, contract clauses, and assurance cycles anchored to NIS 1.
- Executive reporting: board packs and risk registers that label the compliance target incorrectly.
What you actually need to do (step-by-step)
Treat this as a controlled change to your compliance baseline.
1) Declare the “source of truth” switch (governance decision)
- Document a formal decision that NIS 2 is the governing directive and NIS 1 is sunset as of the repeal effective date. (Directive (EU) 2022/2555, Article 44)
- Assign an accountable owner (usually GRC) and identify stakeholders (Security, Legal, Procurement, Internal Audit, IT Ops).
Deliverable: a short memo or change record in your compliance management system stating what changed, when, and who approved it.
2) Build a NIS 1 → NIS 2 crosswalk (even if high level)
- Inventory where NIS 1 appears: policies, standards, control mappings, third-party templates, incident playbooks, training, audit workpapers.
- For each artifact, decide: replace citation, rewrite requirement, or retire document.
A simple register works:
| Artifact | Where used | NIS 1 reference? | Required action | Owner | Status |
|---|---|---|---|---|---|
| Incident notification SOP | SOC/IR | Yes | Update to NIS 2 + local law mapping | SecOps | In progress |
Tip: Use Daydream to maintain a living obligation register with jurisdictional applicability notes, owners, and milestones so the repeal is reflected program-wide and does not regress during the next policy refresh. (Directive (EU) 2022/2555)
3) Re-baseline “applicability” by jurisdiction
Because NIS 2 is an EU directive, the day-to-day obligations you will be examined against are driven by the Member State laws that implement it. Your operational job is to:
- List the EU Member States where you have regulated operations, services, or in-scope establishments.
- For each, identify the internal business owner and the systems/services that fall in scope.
- Record what your teams will treat as the enforceable rule set: national implementing law + supervisory guidance, with NIS 2 as the directive basis. (Directive (EU) 2022/2555)
Exam risk to manage: “We comply with NIS 2” is not specific enough if you cannot show how you translated it into local requirements and operational workflows. (Directive (EU) 2022/2555)
4) Update three operational pillars that regularly get tested
Even though Article 44 is about repeal, the transition commonly exposes gaps in areas authorities focus on during supervision.
A. Obligation register (program backbone)
- Create/refresh a NIS 2 obligation register: obligations, applicability, control owner, implementation state, evidence pointers.
- Track differences by jurisdiction in a structured way.
B. Incident triage and reporting readiness
- Codify your incident triage and escalation steps with clear timing triggers tied to the governing regime (NIS 2 and national law). (Directive (EU) 2022/2555)
- Define what evidence you preserve during incident handling: logs, timelines, communications, decision rationale.
C. Third-party dependency management
- Identify critical third parties that underpin essential/important services.
- Integrate these dependencies into risk assessment, remediation tracking, and assurance activities (security questionnaires, contract requirements, performance monitoring). (Directive (EU) 2022/2555)
5) Close the loop with internal audit and training
- Update audit criteria and test steps so audits don’t continue to test against NIS 1.
- Provide targeted training to policy owners, SOC/IR leadership, procurement, and contract managers so they stop reintroducing NIS 1 language through templates.
Required evidence and artifacts to retain
Your evidence should prove two things: (1) you recognized the repeal and (2) you executed a controlled transition.
Minimum artifacts (practical set):
- Compliance baseline change record referencing the repeal and effective date. (Directive (EU) 2022/2555, Article 44)
- NIS 2 obligation register with jurisdiction notes, owners, and milestones. (Directive (EU) 2022/2555)
- Crosswalk inventory showing where NIS 1 appeared and what you changed/retired.
- Updated policies/standards with NIS 2 citations where appropriate. (Directive (EU) 2022/2555)
- Incident response workflow documentation including escalation criteria and reporting decision logs. (Directive (EU) 2022/2555)
- Third-party dependency register (critical third parties, services supported, key risks, assurance status). (Directive (EU) 2022/2555)
- Audit plan updates and revised control test scripts.
- Training records for functions that author compliance-impacting artifacts.
Common exam/audit questions and hangups
Expect questions like:
- “Show me where you document the legal basis for your cybersecurity obligations post-repeal.” (Directive (EU) 2022/2555, Article 44)
- “Which Member State laws implement NIS 2 for your operations, and how did you translate them into controls?” (Directive (EU) 2022/2555)
- “Where did you previously reference NIS 1, and how did you remove it from policies and third-party contracts?”
- “Demonstrate incident notification readiness: who decides, what triggers escalation, and what evidence is retained?” (Directive (EU) 2022/2555)
- “How do you govern critical third parties supporting in-scope services?” (Directive (EU) 2022/2555)
Hangups that slow audits:
- Multiple competing “authoritative” documents (policy cites NIS 1, control matrix cites NIS 2).
- A register that lists obligations but has no owners or evidence pointers.
- Third-party controls that exist in policy but have no operational workflow in procurement.
Frequent implementation mistakes and how to avoid them
- Mistake: treating Article 44 as “FYI” only. Fix: open a tracked compliance change, with deliverables, owners, and evidence.
- Mistake: global rewrite without jurisdiction mapping. Fix: maintain one core NIS 2 control baseline, then add Member State deltas in your obligation register. (Directive (EU) 2022/2555)
- Mistake: updating policies but not audit programs and templates. Fix: include internal audit workpapers, procurement templates, and third-party contract addenda in your inventory from day one.
- Mistake: leaving third-party dependency handling informal. Fix: document how you identify critical third parties, how you assess them, and how remediation is tracked to closure. (Directive (EU) 2022/2555)
Enforcement context and risk implications
No public enforcement cases were provided in the source catalog for this requirement, so you should not expect an Article 44-specific “fine story” to guide implementation here.
Your practical risk is supervisory credibility: if an authority or auditor finds that your program still cites a repealed directive, they may question whether other parts of your program are current, tested, and reliable. That can expand the scope of an exam and increase follow-up requests, especially around incident handling readiness and third-party dependencies. (Directive (EU) 2022/2555)
A practical 30/60/90-day execution plan
Time-boxing helps, but the real goal is clean change control and exam-ready evidence. Use phases:
First phase (Immediate)
- Create the compliance baseline change record referencing the repeal. (Directive (EU) 2022/2555, Article 44)
- Inventory all NIS 1 references across policies, control matrices, audit scripts, incident playbooks, and third-party templates.
- Stand up (or refresh) the NIS 2 obligation register with owners and evidence pointers. (Directive (EU) 2022/2555)
Second phase (Near-term)
- Execute prioritized document updates: anything customer-facing, regulator-facing, or audit-facing first.
- Update incident triage/escalation workflow documentation and begin capturing evidence in tabletop exercises or operational drills. (Directive (EU) 2022/2555)
- Integrate critical third-party dependencies into risk assessments and remediation tracking, starting with the providers that support core service delivery. (Directive (EU) 2022/2555)
Third phase (Operationalize and sustain)
- Align internal audit testing to the updated baseline and retire NIS 1 test steps.
- Roll out role-based training for policy owners, procurement, SOC/IR, and third-party risk teams.
- Add a regression control: periodic scans of templates and policy libraries for disallowed NIS 1 references, with remediation tickets.
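One way to implement the regression control in the last item, as an added example that is not part of this page or of any product it mentions: a Python scan over plain-text copies of the policy and template library that flags residual NIS 1 identifiers (the directive number 2016/1148 and the label “NIS 1”). Lines that record the repeal itself (for example the compliance baseline change record) are kept as historical references rather than open findings, and open findings are grouped per document so each document becomes one remediation ticket. The sample documents, file names and the repeal-context allowlist are constructed assumptions; the bare phrase “NIS Directive” is deliberately not matched because it is ambiguous between NIS 1 and NIS 2.

```python
"""Regression scan for residual NIS 1 references in a policy/template library.

Added example, not part of the original page or of any vendor product. It
assumes documents are available as plain text (or have been converted) and
that a line may legitimately keep a NIS 1 citation only where it records the
repeal itself, e.g. in the compliance baseline change record.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from pathlib import Path

# Identifiers of the repealed directive. Checked in order; one finding per line.
NIS1_PATTERNS = [
    re.compile(r"\b2016/1148\b"),              # Directive (EU) 2016/1148
    re.compile(r"\bNIS\s?1\b", re.IGNORECASE),  # "NIS 1" / "NIS1", not "NIS 10"
]

# Assumption: a line that talks about the repeal is a historical reference.
REPEAL_CONTEXT = re.compile(r"\brepeal(ed|s)?\b", re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    document: str
    line_no: int
    matched: str
    line: str
    historical: bool  # True when the line records the repeal itself


def scan_text(name: str, text: str) -> list[Finding]:
    """Return every line of one document that cites the repealed directive."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for pattern in NIS1_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append(Finding(name, line_no, match.group(0), line.strip(),
                                        bool(REPEAL_CONTEXT.search(line))))
                break
    return findings


def scan_library(library: dict[str, str]) -> list[Finding]:
    """Scan a {document name: text} mapping, in deterministic name order."""
    findings: list[Finding] = []
    for name in sorted(library):
        findings.extend(scan_text(name, library[name]))
    return findings


def scan_directory(root: str, suffix: str = ".txt") -> list[Finding]:
    """Convenience wrapper for a real library exported to text files."""
    library = {str(p.relative_to(root)): p.read_text(encoding="utf-8", errors="replace")
               for p in Path(root).rglob(f"*{suffix}")}
    return scan_library(library)


def open_findings(findings: list[Finding]) -> list[Finding]:
    """Findings that still need remediation (historical references excluded)."""
    return [f for f in findings if not f.historical]


def remediation_tickets(findings: list[Finding]) -> dict[str, list[int]]:
    """Group open findings by document -> affected line numbers (one ticket each)."""
    tickets: dict[str, list[int]] = {}
    for f in open_findings(findings):
        tickets.setdefault(f.document, []).append(f.line_no)
    return tickets


# Constructed sample library: two stale lines in an SOP, one allowed historical
# reference in the change record, one already-updated supplier questionnaire.
SAMPLE_LIBRARY = {
    "incident_notification_sop.txt": (
        "Purpose: define notification duties.\n"
        "Scope: incidents in scope of NIS 1 and the national implementing law.\n"
        "Notify the competent authority as required by Directive (EU) 2016/1148.\n"
    ),
    "baseline_change_record.txt": (
        "Decision: NIS 2 is the governing directive.\n"
        "Directive (EU) 2016/1148 (NIS 1) is repealed with effect from 18 October 2024.\n"
    ),
    "supplier_questionnaire.txt": (
        "Q7: Describe your incident reporting process under Directive (EU) 2022/2555.\n"
    ),
}

if __name__ == "__main__":
    results = scan_library(SAMPLE_LIBRARY)
    for f in results:
        status = "historical" if f.historical else "OPEN"
        print(f"{status:10} {f.document}:{f.line_no}  [{f.matched}]  {f.line}")
    for doc, lines in remediation_tickets(results).items():
        print(f"ticket: {doc} lines {lines}")
```

Run it against an exported copy of the library on a schedule (for example from the CI pipeline that publishes policy documents) and fail the run when `remediation_tickets` is non-empty; the allowlist deliberately stays narrow so that a stale SOP sentence mentioning “repeal” in passing is reviewed by a person rather than silently accepted.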
Daydream fits naturally here as the system to keep the obligation register current, assign owners, track milestones, and attach evidence so the repeal is not a one-time cleanup that drifts back over time. (Directive (EU) 2022/2555)
Frequently Asked Questions
Does Article 44 require us to “do” anything beyond acknowledging the repeal?
Yes. You need to operationalize the repeal by removing NIS 1 as a compliance basis and re-mapping your program to NIS 2 and applicable national transposition. The practical output is updated governance documentation and evidence of a controlled transition. (Directive (EU) 2022/2555, Article 44)
We operate in several EU countries. Can we implement one NIS 2 program globally?
You can run a single control baseline, but you still need jurisdiction-level applicability notes and deltas because implementation and supervision are executed through national law. Document the mapping in your obligation register. (Directive (EU) 2022/2555)
What’s the most common audit failure tied to the Article 44 repeal requirement?
Residual NIS 1 references in audit criteria, incident runbooks, and third-party templates. Auditors treat that as a sign your compliance baseline is not controlled.
Do we need to update third-party contracts because of Article 44?
If your third-party clauses cite NIS 1 or embed NIS 1-specific obligations, update the templates and decide whether to amend existing agreements based on criticality and renewal cycles. Track the decision and rationale for each contract class.
How do we prove we handled the repeal correctly?
Keep a change record, a crosswalk inventory of NIS 1 references and remediation actions, and an obligation register with owners and evidence links. Pair that with updated incident and third-party workflows. (Directive (EU) 2022/2555, Article 44)
What should we tell Internal Audit to test after the repeal?
Ask them to test that the compliance baseline is current (no NIS 1 citations), that NIS 2 obligations are mapped to controls and evidence, and that incident and third-party processes run as documented. (Directive (EU) 2022/2555)