Ransomware Protection.org

NIS2 Directive: What European Businesses Need to Know About Cybersecurity Compliance

The EU NIS2 Directive introduces stricter cybersecurity requirements for a wider range of organizations. An overview of the key obligations, deadlines, and penalties.

December 28, 2025 · 10 min read

What Is the NIS2 Directive?

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) is the European Union's updated framework for cybersecurity governance. Adopted in December 2022 and in force since January 2023, it replaces the original 2016 NIS Directive (NIS1) and significantly expands its scope, obligations, and enforcement mechanisms. Member states had to transpose NIS2 into national law by 17 October 2024, and those national laws have applied since 18 October 2024. Because NIS2 is a directive rather than a regulation, the obligations bind organizations through each member state's transposing legislation, which can differ in detail (thresholds, reporting portals, the competent authority); the directive itself sets the floor. Its stated aim is a high common level of cybersecurity across all EU member states.

Who Is Affected?

NIS2 dramatically broadens the range of organizations subject to cybersecurity obligations. It lists in-scope sectors in two annexes and then classifies each in-scope organization as either an essential or an important entity:

Sectors of high criticality (Annex I): Energy, transport, banking, financial market infrastructure, healthcare, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, and space.

Other critical sectors (Annex II): Postal and courier services, waste management, chemicals, food production and distribution, manufacturing (including medical devices, electronics, machinery, and vehicles), digital providers (online marketplaces, search engines, social networking platforms), and research organizations.

Broadly, large organizations in Annex I sectors are essential entities, while medium-sized Annex I organizations and medium-sized or large Annex II organizations are important entities. The size test follows the EU SME definition, so an organization with at least 50 employees or an annual turnover or balance sheet above EUR 10 million is in scope if it operates in a listed sector. Some types of provider are in scope regardless of size, for example DNS service providers, top-level-domain registries, and trust service providers, and member states can also designate smaller entities whose disruption would have a significant impact. What matters is that the organization provides its services or carries out its activities in the EU, regardless of where it is headquartered.

Key Obligations

Risk Management Measures

Organizations must implement appropriate and proportionate technical, operational, and organizational measures to manage the risks to the network and information systems they use. Article 21 of the directive sets out a minimum list that every in-scope entity must cover:

  • Policies on risk analysis and information system security
  • Incident handling procedures
  • Business continuity (including backup management and disaster recovery) and crisis management plans
  • Supply chain security, including the security of relationships with direct suppliers and service providers
  • Security in network and information system acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of the risk management measures themselves
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • Multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems

The list is a floor, not a checklist to be ticked: the measures must be proportionate to the entity's exposure, size, and the likelihood and severity of incidents, and an organization should be able to show how each item is implemented and how its effectiveness is verified.

Incident Reporting

NIS2 introduces strict, multi-stage reporting timelines for significant incidents, meaning incidents that cause or are capable of causing severe operational disruption or financial loss, or that affect others by causing considerable material or non-material damage. The clock starts when the entity becomes aware of the incident, and reports go to the national CSIRT or, where applicable, the competent authority:

  • Within 24 hours: Early warning, stating whether the incident is suspected to be caused by unlawful or malicious activity and whether it could have a cross-border impact
  • Within 72 hours: Incident notification that updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • On request: Intermediate status updates while the incident is ongoing
  • Within one month of the incident notification: Final report with a detailed description, the type of threat or root cause, the mitigation measures applied, and any cross-border impact

Entities must also, where appropriate, inform the recipients of their services about significant incidents and about significant cyber threats that could affect them, including measures those recipients can take. In practice this means the incident response playbook needs a reporting track that runs in parallel with containment, so that the 24-hour and 72-hour notices do not wait for the investigation to finish.

Management Accountability

A significant change in NIS2 is the introduction of accountability for management bodies. Senior leadership must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. Members of management bodies are also required to follow training so that they can identify risks and assess the measures in place. For essential entities, competent authorities can go as far as requesting a temporary ban on a person exercising managerial functions until the entity remedies the non-compliance.

Penalties

Non-compliance with NIS2 can result in significant administrative fines. The directive sets the minimum ceiling that each member state's law must provide, and national laws may go higher:

  • Essential entities: Up to at least 10 million euros or 2% of total worldwide annual turnover, whichever is higher
  • Important entities: Up to at least 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher

Fines are only one of the enforcement tools. Competent authorities can also issue binding instructions, order security audits, and require an entity to inform its customers of an incident or of a compliance failure, and essential entities are subject to proactive supervision, including on-site inspections, rather than only after-the-fact investigation.

How to Prepare

Organizations should begin by determining whether they fall within the scope of NIS2, including which category (essential or important) applies and under which member state's transposing law, since several states require in-scope entities to register with the national authority. The next step is a gap analysis against the Article 21 measures, then strengthening incident response so that the 24-hour and 72-hour reporting steps are rehearsed and staffed, addressing supply chain risk through supplier assessments and contractual security requirements, and making sure management has approved the measures and received the required training. Where internal capacity is lacking, engaging external expertise early is cheaper than doing so during an incident or an audit.

Conclusion

NIS2 represents a fundamental shift in how the EU approaches cybersecurity regulation: broader scope, concrete minimum measures, tight reporting clocks, and accountability that reaches the boardroom. Organizations that prepare now will not only avoid penalties but will also build the resilient security foundations needed to withstand an evolving threat landscape.

Disclaimer: This article is provided for educational and informational purposes only. It does not constitute professional cybersecurity advice. Organizations facing an active ransomware incident should contact qualified incident response professionals and relevant law enforcement agencies.