What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated framework for achieving a high common level of cybersecurity across all member states. It replaces the original NIS Directive from 2016 and significantly expands its scope and requirements.
Key Changes from NIS1 to NIS2
The evolution from NIS1 to NIS2 represents a fundamental shift in European cybersecurity regulation:
- Expanded Scope: Coverage increased from approximately 450 entities to over 150,000 organizations
- Stricter Requirements: More detailed security measures and incident reporting obligations
- Harmonized Enforcement: Consistent penalties and supervision across all EU member states
- Personal Liability: Management can now be held personally accountable for compliance failures
Who Must Comply with NIS2?
NIS2 applies to two categories of entities:
Essential Entities
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Healthcare
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud computing, data centers)
- ICT service management (B2B)
- Public administration
- Space
Important Entities
- Postal and courier services
- Waste management
- Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
- Production and distribution of chemicals
- Production, processing, and distribution of food
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
Key Requirements Under NIS2
1. Cybersecurity Risk Management
Organizations must implement appropriate technical, operational, and organizational measures to manage cybersecurity risks. This includes:
- Risk analysis and information system security policies
- Incident handling procedures
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems acquisition
- Cybersecurity training for staff
- Cryptography and encryption policies
- Human resources security and access control
- Multi-factor authentication
2. Incident Reporting
NIS2 introduces strict incident reporting requirements:
- Early warning: Within 24 hours of becoming aware of a significant incident
- Incident notification: Within 72 hours with initial assessment
- Final report: Within one month of the incident notification
3. Governance and Accountability
Management bodies must:
- Approve cybersecurity risk management measures
- Oversee implementation of these measures
- Undergo cybersecurity training
- Ensure staff receive regular training
Compliance Timeline
- October 2024: Member states must transpose NIS2 into national law
- October 2026: Full compliance required for all entities
Penalties for Non-Compliance
NIS2 introduces significant penalties:
- Essential entities: Up to €10 million or 2% of global annual turnover
- Important entities: Up to €7 million or 1.4% of global annual turnover
How to Prepare for NIS2
- Assess your scope: Determine if your organization falls under NIS2
- Conduct gap analysis: Compare current security measures against NIS2 requirements
- Develop implementation roadmap: Create a timeline for addressing gaps
- Train your team: Ensure staff understand their cybersecurity responsibilities
- Establish incident response: Develop procedures for detecting and reporting incidents
- Review supply chain: Assess third-party security practices
- Document everything: Maintain records for compliance audits
NIS2 represents the most significant evolution in EU cybersecurity regulation to date. Organizations should begin preparation now to ensure compliance by the October 2026 deadline. Early action not only ensures compliance but also strengthens overall cybersecurity posture.
