In a rapidly evolving digital world, cybersecurity is becoming the cornerstone of business stability and trust. In response to growing threats and increasingly sophisticated cyber-attacks, the European Union has introduced the NIS2 Directive. This landmark legislation significantly broadens the range of organisations covered and raises the cybersecurity standards they must meet.
What is the NIS2 Directive?
The NIS2 Directive (Network and Information Systems Directive) is the updated EU legal framework for the security of network and information systems.
Adopted in December 2022, NIS2 aims to strengthen cybersecurity across the European Union. It sets uniform standards and obligations for companies to increase their resilience to cyber-attacks. Unlike its predecessor, NIS2 places greater emphasis on accountability, risk management and regulatory harmonisation.
Why is NIS2 so important for cybersecurity?
The NIS2 Directive was drafted to raise the level of protection for networks and information systems in EU member states.
It responds to the rapidly growing number of cyber-threats that can affect national security, economic stability and citizens’ privacy.
NIS2’s new rules are designed not only to prevent attacks but also to improve incident detection and mitigate their impact. In an era of widespread digitisation and technological transformation, this is crucial to ensuring organisational continuity.
Which sectors and entities fall under the directive?
NIS2 introduces a division into essential and important entities, thereby broadening the scope compared with NIS1.
Essential entities cover sectors critical to the economy and society, such as:
- Energy: suppliers of electricity, oil, gas, district heating and hydrogen.
- Transport: aviation, rail, water and road transport.
- Finance and banking: credit institutions, trading-system operators and central securities depositories.
- Health: healthcare providers (including hospitals), laboratories and pharmaceutical R&D entities.
- Drinking-water supply and wastewater management: potable-water suppliers and distributors, wastewater utilities.
- Digital infrastructure: internet-service providers, data centres, content-delivery networks, public electronic-communications services.
- Public administration: entities at central and regional level.
- Space: entities involved in operating space infrastructure.
Important entities span a wider range of sectors, including:
- Postal and courier services.
- Waste management.
- Food production, processing and distribution.
- Chemicals manufacturing and distribution.
- Medical-device manufacturing.
- Electronic, optical and electrical-equipment manufacturing.
- Digital-service providers: e-commerce platforms, search engines, social-network services.
Main organisational duties under NIS2
EU rules require companies to implement comprehensive security measures suited to their size and activities, with the goal of effective risk management and protection of IT infrastructure.
Organisations must at least:
- Identify and analyse IT-system risks and establish an information-security policy.
- Manage incidents, including prevention, detection and effective response.
- Maintain business continuity through backups, disaster-recovery plans and crisis procedures.
- Secure the supply chain by verifying and supervising third parties with system or data access.
- Securely acquire and maintain IT infrastructure, regularly updating software and eliminating known vulnerabilities.
- Conduct audits and tests to assess the effectiveness of protective measures.
- Promote cyber-hygiene via best practices and regular staff training.
- Use encryption and cryptography where required to protect confidential data.
- Manage personnel and access through access-control policies, asset registers and protection against unauthorised entry.
- Implement multi-factor authentication (MFA) or continuous identity monitoring wherever the risk level demands it.
Who in the company is responsible for NIS2 implementation?
Responsibility for implementing and complying with NIS2 rests with an organisation’s governing bodies (board, directors). NIS2 clearly assigns management accountability for establishing, overseeing and enforcing cyber-risk-management measures.
Practical implementation, however, involves various departments and specialists:
- IT/Cybersecurity: implements and maintains technical safeguards, monitors systems, responds to incidents.
- Legal/Compliance: interprets regulations and ensures legal and regulatory compliance.
- Operations: embeds security procedures into daily operations.
- HR: provides cybersecurity training and awareness.
- Senior management: ultimately oversees and allocates resources for NIS2 adoption.
Many organisations establish a dedicated cybersecurity unit or appoint a coordinator, such as a Chief Information Security Officer (CISO), to manage the programme.
Financial penalties for non-compliance
Failure to meet NIS2 requirements can lead to severe fines designed to encourage a serious approach to cybersecurity.
- Essential entities: up to €10 million.
- Important entities: up to €7 million.
Such stringent penalties aim to drive preventive measures that reduce incident risk and bolster digital-infrastructure resilience.
Other legal and operational consequences
Non-compliance can have broader repercussions:
- Reputation loss – undermines trust among clients, investors and partners.
- Contract termination risk – partners, especially in heavily regulated sectors, may withdraw.
- Public-tender exclusion – organisations may be barred from bidding for public contracts.
- Higher operational costs – remedial measures demand additional spending and resources.
Incident reporting – obligation and procedure
One key NIS2 duty is prompt, effective reporting of security incidents that could disrupt services.
Companies must notify the relevant authority—either the national CSIRT or another body named in domestic legislation—as soon as a serious incident is detected.
The process has two stages:
Stage 1 – Early warning
- Deadline: within 24 hours of detection.
- Purpose: initial information, indicating whether the event may involve deliberate, unlawful action or cross-border impact.
Stage 2 – Full report
- Deadline: within 72 hours.
- Required: expanded details, preliminary impact analysis, severity assessment and any indicators of compromise.
To meet these requirements organisations should:
- implement rapid incident-detection and classification mechanisms,
- define internal reporting procedures,
- ensure IT and security teams are ready to act immediately,
- co-operate with national and EU cybersecurity bodies.
Support for NIS2 implementation
Understanding and fulfilling NIS2 is not merely a legal duty—it is an investment in security, continuity and customer trust.
If your organisation has yet to begin NIS2 preparations, now is the time. A thorough risk analysis, well-chosen IT tools and a trained team form the foundation of effective cybersecurity management.
Contact us to learn more about our cybersecurity services. We will help you implement NIS2 and ensure full compliance with the new regulations.