NIS2 Enforcement Starts Now - Are You Ready?

What Is NIS2?

The NIS2 Directive (Network and Information Systems Directive 2) is the EU's updated cybersecurity regulation, replacing the original NIS Directive from 2016. It significantly expands the scope of organizations that must comply and introduces stricter requirements for cybersecurity risk management and incident reporting.

Who Does It Apply To?

NIS2 covers two categories of entities:

Essential entities include energy, transport, banking, health, water, digital infrastructure, and public administration. These face the strictest oversight and penalties.

Important entities include postal services, waste management, manufacturing, food production, digital providers, and research organizations. These have slightly lighter supervision but the same core obligations.

The key change: NIS2 applies to medium and large organizations in these sectors automatically - no more relying on member states to designate entities individually.

Core Requirements

Risk management measures - Organizations must implement appropriate technical and organizational measures to manage cybersecurity risks
Incident reporting - Significant incidents must be reported within 24 hours (early warning), 72 hours (full notification), and one month (final report)
Supply chain security - Organizations must assess and manage risks in their supply chain
Business continuity - Backup management, disaster recovery, and crisis management
Management accountability - Board members can be held personally liable for compliance failures

Penalties

Fines can reach up to €10 million or 2% of global annual turnover for essential entities, and €7 million or 1.4% of turnover for important entities.

What to Do Now

Determine whether your organization falls under NIS2 scope
Conduct a gap analysis against the core requirements
Establish an incident reporting procedure that meets the 24/72-hour timelines
Review your supply chain risk management processes
Ensure board-level awareness and accountability