What is NIS2 and Why Does it Matter?


The cyber threat landscape is constantly evolving, becoming more sophisticated and impactful.
In response, the European Union has introduced the NIS2 Directive, a significant update to its cybersecurity legal framework, superseding the original NIS Directive (NIS1). This briefing aims to provide a comprehensive overview of NIS2 and what it means for organizations operating within the EU.
What is NIS2 and Why Does it Matter?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's latest legislative effort to strengthen cybersecurity across Member States. Its principal aims are to establish a high common level of security for network and information systems, enhance the cyber resilience of essential and important entities, streamline cybersecurity practices, and improve the EU's collective ability to prevent, detect, and respond to cyberattacks. The directive recognizes the "escalating threat posed by the increasing number, scale, sophistication, frequency, and impact of cyber incidents". Robust cybersecurity is now a "fundamental enabler for critical sectors to successfully navigate digital transformation".
NIS2 builds upon NIS1 by introducing clearer and more specific rules, stronger tools for supervision and enforcement, and stricter penalties for non-compliance. It also updates the terminology, now distinguishing between "essential" and "important" entities, replacing the previous terms of Operators of Essential Services (OES) and Digital Service Providers (DSP). This change reflects a broader understanding of interconnectedness and the need for a more comprehensive approach.
Who Falls Under the Scope of NIS2?
NIS2 significantly expands the range of sectors subject to obligations, classifying entities by size, sector, and criticality to society and the economy. Under the "size-cap rule" (Article 2(1)), an entity in a covered sector is in scope if it qualifies as medium-sized, or exceeds the medium-sized ceilings, under the EU SME definition in Recommendation 2003/361/EC:
Large Entity: 250 or more employees, or annual turnover above €50 million together with a balance sheet total above €43 million.
Medium Entity: 50-249 employees (or fewer than 50 employees with both annual turnover and balance sheet total above €10 million), without exceeding the large-entity ceilings.
Headcount and financial figures are assessed for the enterprise as a whole, including partner and linked enterprises, so a small subsidiary of a larger group can still fall in scope.
Organizations are classified as either Essential Entities or Important Entities.
Essential Entities: Provide services fundamental to societal and economic functions, where disruptions could have "significant adverse impacts". Large entities in "Sectors of High Criticality" are typically Essential.
Important Entities: Critical to the economy and society, but not as fundamentally vital as essential entities. Disruptions would likely have serious consequences, but potentially less widespread. Medium-sized entities in "Sectors of High Criticality" and both medium and large entities in "Other Critical Sectors" are generally Important.
The directive covers a wide array of sectors, categorised as "Sectors of High Criticality" (typically Essential) and "Other Critical Sectors" (typically Important).
Sectors of High Criticality include:
Energy (electricity, gas, oil, hydrogen, district heating/cooling, EV charging)
Transport (air, rail, water, road (ITS))
Banking (credit institutions)
Financial Market Infrastructure (trading venues, CCPs)
Health (providers, pharma R&D/manufacturing)
Drinking Water (supply)
Waste Water (if principal activity)
Digital Infrastructure (QTSPs, DNS, TLD registries, public comms networks, non-QTSPs, IXPs, cloud, data centres, CDNs)
ICT-Service Management (MSPs, MSSPs)
Public Administration Entities (central government entities; regional level at Member State discretion; entities active in national security, public security, defence or law enforcement are excluded)
Space (operators of ground-based infrastructure)
Other Critical Sectors include:
Postal and Courier Services
Waste Management (if principal economic activity)
Manufacture/production/distribution of chemicals
Production/processing/distribution of food (wholesale/industrial)
Manufacturing of certain products (medical devices and in vitro diagnostics, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and trailers, other transport equipment)
Digital Providers (online marketplaces, search engines, social networks)
Research organisations (education institutions excluded by default, though Member States may opt to include them)
Entities providing domain name registration services
While small and micro enterprises are generally excluded by the size-cap rule, Article 2(2) brings certain entities in scope regardless of size: providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers, and domain name registration service providers. Size is also irrelevant where an entity is the sole provider of an essential service in a Member State, where disruption of its service could significantly affect public safety, security or health, where it is a central public administration entity, or where it has been identified as a critical entity under the CER Directive (Directive (EU) 2022/2557). Small enterprises outside these categories may still be affected indirectly, because in-scope customers must address supplier risk under their supply chain security obligations.
Key Cybersecurity Risk Management Measures and Obligations
Both essential and important entities are obligated to implement cybersecurity risk management measures that are "appropriate and proportionate" to the risks and reflect the "state of the art". These measures must take an "all-hazards approach" and, under Article 21(2), include at least:
Policies on risk analysis and information system security
Incident handling procedures for prevention, detection, and response
Business continuity, including backup management and disaster recovery, and crisis management
Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures, such as security audits
Basic cyber hygiene practices and cybersecurity awareness training
Policies and procedures on the use of cryptography and, where appropriate, encryption
Human resources security, access control policies and asset management
Use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate
Entities also have reporting requirements for "significant incidents". An incident is any event compromising the availability, authenticity, integrity, or confidentiality of data or of the services offered by network and information systems; it is significant (Article 23(3)) if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting others by causing considerable material or non-material damage. Reporting is phased (Article 23(4)):
Early Warning: Within 24 hours of becoming aware, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
Incident Notification: Within 72 hours of becoming aware, updating the early warning with an initial assessment of severity, impact, and any indicators of compromise
Intermediate Report: Upon request of the CSIRT or competent authority, with relevant status updates
Final Report: No later than one month after the incident notification, covering a detailed description, the likely root cause, mitigation measures applied, and any cross-border impact
Progress Report: Where the incident is still ongoing at the one-month mark, with the final report due within one month of the incident being handled
Reports must be submitted to designated national authorities or Computer Security Incident Response Teams (CSIRTs).
Implementation Timeline and Current Status
The NIS2 Directive was formally adopted on 14 December 2022 and entered into force on 16 January 2023. The deadline for Member States to transpose it into national law was 17 October 2024, and NIS1 was repealed and replaced on 18 October 2024.
However, many Member States were not ready by the transposition deadline. On 28 November 2024, the European Commission opened infringement procedures against 23 Member States for failing to notify full transposition. Only four Member States (Belgium, Croatia, Italy, Lithuania) had transposed in time.
In Austria, implementation through the new Network and Information System Security Act (Netz- und Informationssystemsicherheitsgesetz 2024, NISG 2024) is taking longer than anticipated, with the specific NIS2 obligations projected to take effect in the third quarter of 2025. Until then, the existing NISG (2018) remains applicable for organisations already covered under NIS1.
Despite varying national timelines, organisations within the scope of NIS2 should not delay preparations. Key steps include assessing current cybersecurity posture, developing a roadmap, conducting risk assessments, updating policies, establishing training programs, securing senior management buy-in, and monitoring national transposition progress.
Penalties and Consequences of Non-Compliance
Non-compliance with NIS2 can result in significant financial penalties:
Essential Entities: Up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
Important Entities: Up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.
National authorities also have a range of administrative enforcement powers, including issuing warnings, binding instructions, ordering cessation of non-compliant conduct, mandating implementation of measures, ordering public disclosure of non-compliance, and temporarily prohibiting senior management from exercising managerial functions for Essential Entities.
NIS2 introduces accountability for top management (Article 20): management bodies must "approve and oversee" the implementation of cybersecurity risk management measures, must follow cybersecurity training, and "can be held liable for infringements" of those obligations. For Essential Entities, Member States must also ensure that the natural persons responsible for, or acting as legal representative of, the entity can be held liable for breaches of their duty to ensure compliance (Article 32(6)); how far this extends to personal liability for negligence is a matter of national transposition.
Relationship with Other EU Regulations
NIS2 has an interplay with other key EU regulations:
GDPR: While GDPR focuses on personal data protection, NIS2 focuses on the security of essential network and information systems. A NIS2 incident could also be a GDPR breach, triggering obligations under both.
Cyber Resilience Act (CRA): CRA ensures digital products meet baseline cybersecurity requirements, complementing NIS2's operational resilience objectives.
Digital Operational Resilience Act (DORA): Specific to the financial sector, DORA's rules take precedence over NIS2 where both apply.
Cyber Solidarity Act: Establishes a framework for collective EU preparedness and response to large-scale cybersecurity incidents, complementing NIS2's individual entity resilience focus.
Guidance and Resources for Compliance
Organisations can draw on several resources for NIS2 compliance:
Official text of the NIS2 Directive on EUR-Lex.
European Commission's Digital Strategy website with FAQs and guidelines.
ENISA's technical guidance on cybersecurity risk management measures.
NIS Cooperation Group's guidance on transposition and best practices.
Conclusion
The NIS2 Directive represents a crucial step towards a more secure and resilient digital environment across the European Union. By expanding its scope and strengthening obligations, it requires a wide range of organisations to take proactive steps towards enhancing their cybersecurity posture. Understanding the directive's requirements, preparing for implementation, and leveraging available guidance are essential for compliance and for contributing to a safer digital future for all.