NIS 2 Directive Article 38 – Exercise of the Delegation

by adam tang

The NIS 2 Directive Article 38 outlines the provisions related to the exercise of delegation within the European Union in the context of information security. This directive empowers the Commission to adopt delegated acts under specific conditions, providing a framework for effective decision-making and regulatory oversight. Let's delve deeper into the critical aspects of Article 38 and its implications:

NIS 2 Directive Article 38 – Exercise of the Delegation
  • Delegated Acts and Commission's Authority: Under Article 38 of the NIS 2 Directive, the Commission has the authority to adopt delegated acts, as outlined in Article 24(2), for five years starting from January 16, 2023. This authority enables the Commission to further elaborate on and supplement the provisions of the directive, ensuring its effective implementation.
  • Revocation of Delegation: While the Commission holds the power to adopt delegated acts, this delegation can be revoked by either the European Parliament or the Council at any time. The revocation becomes effective the day after its publication in the Official Journal of the European Union or on a later date. Significantly, the revocation does not impact the validity of any existing delegated acts.
  • Consultation Process: Prior to adopting a delegated act, the Commission is required to engage with experts from each Member State. This consultation process is in line with the principles laid out in the Interinstitutional Agreement of April 13, 2016, which focuses on enhancing the quality and transparency of legislative decision-making within the EU.
  • Notification to Institutions: Once the Commission adopts a delegated act, it must simultaneously notify the European Parliament and the Council. This ensures that key stakeholders are kept informed of new regulatory measures and have the opportunity to provide feedback or raise objections where necessary.
  • Objection Period and Entry into Force: A delegated act under Article 24(2) will only come into force if neither the European Parliament nor the Council raises any objections within two months of notification. At either institution's initiative, this period can be extended by an additional two months, allowing for thorough scrutiny and deliberation on the proposed act.


In conclusion, Article 38 of the NIS 2 Directive defines the process and parameters for the Commission's delegation exercise in information security regulation.

This article contributes to a robust and accountable decision-making framework within the European Union by delineating the procedures for adopting delegated acts, consulting with Member States, and engaging with EU institutions.