
NIS2 Directive Implementation Guide

EU Network & Information Systems Security

Overview

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation, replacing the original NIS Directive of 2016. It entered into force in January 2023, and EU member states had until October 17, 2024 to transpose it into national law. NIS2 significantly expands the scope of covered entities, introduces stricter cybersecurity risk management requirements, tightens incident reporting timelines, and introduces personal accountability for management bodies. If your organization operates in a covered sector within the EU, NIS2 compliance is mandatory.

Covered Sectors

Category | Sectors
Essential Entities (Annex I) | Energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space
Important Entities (Annex II) | Postal services, waste management, chemicals, food production and distribution, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networking), research

Cybersecurity Risk Management Measures

NIS2 Article 21 prescribes minimum cybersecurity risk management measures that all covered entities must implement:

  • Risk analysis and information system security policies
  • Incident handling procedures (prevention, detection, and response)
  • Business continuity and crisis management, including backup management and disaster recovery
  • Supply chain security, including security assessments of direct suppliers and service providers
  • Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on the use of cryptography and, where appropriate, encryption
  • Human resources security, access control policies, and asset management
  • Use of multi-factor authentication, secured communication, and secured emergency communication systems

Incident Reporting Timeline

NIS2 introduces a multi-stage incident reporting process for significant incidents, i.e. incidents that cause or are capable of causing severe operational disruption or financial loss:

  • Early Warning: Within 24 hours of becoming aware of a significant incident, submit an early warning to the CSIRT or competent authority
  • Incident Notification: Within 72 hours, submit a full incident notification with an initial assessment of severity and impact
  • Final Report: Within one month of the incident notification, submit a detailed final report including root cause analysis, mitigation measures, and cross-border impact

For incidents affecting multiple member states, coordinated disclosure through the CSIRT network applies.

Management Body Accountability

NIS2 introduces personal accountability for management bodies (boards, C-suite executives). Management bodies must approve the cybersecurity risk management measures, oversee their implementation, and can be held personally liable for non-compliance. Management members must undergo regular cybersecurity training to develop sufficient knowledge and skills to identify risks and evaluate cybersecurity practices. This is a significant shift from the original NIS Directive and aligns NIS2 with the growing trend of regulatory personal accountability for cybersecurity.

Implementation Priorities

  • Determine your classification as an essential or important entity based on sector, size, and criticality
  • Conduct a comprehensive risk assessment aligned with NIS2 Article 21 requirements
  • Establish or update your incident response capability to meet the 24-hour early warning, 72-hour notification, and one-month final report timelines
  • Assess supply chain cybersecurity risks and establish supplier security requirements
  • Implement management body training programs on cybersecurity governance
  • Register with the relevant national competent authority if required
  • Review and update business continuity and crisis management plans
  • Deploy multi-factor authentication and encryption across critical systems
  • Document all cybersecurity policies and procedures for audit readiness

Frequently Asked Questions

How is NIS2 different from the original NIS Directive?

NIS2 covers significantly more sectors and organizations, removes the distinction between operators of essential services and digital service providers, introduces standardized incident reporting timelines, mandates supply chain security assessments, introduces management body personal accountability, and harmonizes enforcement with maximum fines of 10 million euros or 2% of global turnover for essential entities.

What are the penalties for non-compliance?

Essential entities face maximum administrative fines of 10 million euros or 2% of annual worldwide turnover (whichever is higher). Important entities face maximum fines of 7 million euros or 1.4% of annual worldwide turnover. Member states can also impose additional sanctions including compliance orders, binding instructions, and temporary suspension of management functions.

Does NIS2 apply to non-EU companies?

NIS2 applies to entities that provide services within the EU, regardless of where they are established. Non-EU entities covered by NIS2 must designate a representative in one of the EU member states where they provide services. This makes NIS2 extraterritorial in scope.

How does NIS2 interact with GDPR?

NIS2 and GDPR are complementary but distinct regulations. NIS2 focuses on the cybersecurity of network and information systems, while GDPR focuses on personal data protection. A cyber incident may trigger obligations under both regulations simultaneously. NIS2 requires incident notification to CSIRTs, while GDPR requires breach notification to data protection authorities.

What is the size threshold for NIS2 applicability?

NIS2 generally applies to medium and large enterprises in covered sectors. Medium enterprises are those with 50 or more employees or annual turnover above 10 million euros. However, certain entities are covered regardless of size, including providers of DNS services, TLD registries, cloud computing, data centres, and public electronic communications networks.

© 2026 Hunto AI. Copyright. All Rights Reserved