Navigating NIS2 Compliance: What You Need to Know About the Updated EU Cybersecurity Directive

October 17, 2024
Author

Anna Fitzgerald

Senior Content Marketing Manager

Reviewer

Rob Gutierrez

Senior Compliance Manager

As cyber threats continue to evolve, the European Union has introduced new legislation to strengthen the cybersecurity and resilience of critical infrastructure across its member states. 

Building on the first piece of EU-wide legislation on cybersecurity, the NIS Directive, passed in 2016, NIS2 entered into force on January 16, 2023. It expands the original NIS Directive’s scope to include more sectors, imposes stricter obligations, and enforces tougher penalties for noncompliance. 

While EU member states were required to transpose NIS2 into national law by October 17, 2024, many are expected to miss this deadline, which leaves in-scope organizations facing uncertainty and practical challenges when it comes to implementation. 

To help organizations navigate these complexities and start to prepare for NIS2 compliance, we’ve created this guide covering the fundamentals of NIS2, including its purpose, who it applies to, key compliance requirements, and the penalties for failing to meet them.

What is NIS2?

NIS2 is the updated European Union directive aimed at strengthening the collective cybersecurity level of Member States by increasing cybersecurity enforcement requirements for operators of critical infrastructure and essential services.

Designed to replace the original Network and Information Security (NIS) Directive from 2016, NIS2 expands its scope and strengthens its security requirements to address the growing cyber threats to critical industries, sectors, and services such as energy, transport, finance, and water supply.

Purpose of NIS2

The main purpose of NIS2 is to strengthen the cybersecurity framework within the European Union, ensuring that essential and digital services are better protected against cyberattacks. It is designed to improve incident reporting, enhance cooperation between Member States, and foster a more resilient digital infrastructure.

NIS2 aims to ensure that organizations that manage critical infrastructure such as health and manufacturing take the necessary steps to protect their systems from cyber risks, minimizing the potential for service disruptions that could affect the broader economy and society.

To achieve this goal, NIS2 introduces stricter cybersecurity and incident reporting obligations for both public and private entities that manage essential services and critical digital infrastructure. Let’s take a closer look at how the NIS Directive has evolved over time. 

Evolution of the NIS Directive

The original NIS Directive was adopted in 2016 as the EU’s first comprehensive cybersecurity legislation. Its primary goal was to achieve a high common level of cybersecurity across the Member States.

While the original directive was considered effective at increasing the Member States' cybersecurity capabilities, it had its shortcomings. Most notably, its implementation proved difficult: Member States transposed it into local laws in different ways, leading to fragmentation and inconsistency across the EU. Also, cyberattacks continued to surge, including ransomware attacks and incidents targeting public institutions like the EU Commission. 

As a result of the intensifying cyber insecurity and disruptive cyber attacks in the EU and across the globe, the original directive was deemed insufficient in addressing the growing complexity and interdependence of digital infrastructure.

NIS2 represents a significant evolution. Here are the key changes in NIS2:

  • Broader scope: NIS2 covers a wider range of sectors than the original, including transport, financial market infrastructures, digital infrastructure, pharma and medtech, chemical manufacturers, digital service providers, and public administration. It also applies to managed service providers. 
  • New categories of entities: NIS2 introduces "essential" and "important" entities, with a more onerous set of requirements imposed on essential entities. The original NIS distinguished entities as “operators of essential services” and “digital service providers.”
  • Harmonization across member states: NIS2 aims to create more uniform cybersecurity standards across the EU, addressing inconsistencies in how the original NIS Directive was implemented by different countries. 
  • Stricter cybersecurity measures: NIS2 more explicitly mandates the cybersecurity measures entities must put in place, compared to the more general requirements in its predecessor. This includes but is not limited to risk management, incident reporting, business continuity, and governance measures.
  • Stringent incident reporting requirements: Whereas the original NIS Directive had looser guidelines, NIS2 has some of the strictest incident reporting requirements. Organizations are required to notify authorities of significant incidents within 24 hours of discovering them, and failing to meet this deadline could result in penalties.
  • Focus on supply chain security: NIS2 emphasizes the need for managing third-party risk and ensuring that suppliers and vendors also comply with cybersecurity standards, a concept less stressed in the original.
  • Increased responsibility for senior management: NIS2 imposes direct obligations on “management bodies” with regard to the implementation of the required cybersecurity measures. This makes senior members of staff responsible for overseeing compliance, which was less explicit in the original NIS Directive.
  • Stronger enforcement and penalties: NIS2 introduces stricter enforcement requirements and more severe fines for noncompliance, up to €10 million or 2% of global turnover.

Who does NIS2 apply to?

NIS2 applies to a broad range of public and private organizations that provide services that are deemed essential or important to the European economy and society. These include:

  • Providers of essential services such as energy, healthcare, transport, and water supply
  • Digital infrastructure providers, including cloud service providers, data centers, and content delivery networks
  • Key players in the manufacturing, food, and chemicals industries
  • Public administration entities that perform essential services

NIS2 entity categories

The directive distinguishes between essential entities and important entities, with slightly different obligations depending on their size and sector. Let’s take a closer look at these categories. 

Essential entities

Size threshold: Generally 250 employees but varies by sector

Revenue: Annual turnover of €50 million or balance sheet of €43 million

Sectors:

  • Energy
  • Transport
  • Finance
  • Public Administration
  • Health
  • Space
  • Water supply
  • Digital Infrastructure (e.g. cloud computing service providers and ICT management)

Important entities

Size threshold: Generally 50 employees but varies by sector

Revenue: Annual turnover of €10 million or balance sheet of €10 million

Sectors: Entities in any of the essential-entity sectors above that fall within this size threshold are defined as important entities, plus entities in the following sectors:

  • Postal Services
  • Waste Management
  • Chemicals
  • Research
  • Foods
  • Manufacturing (e.g. medical devices and other equipment)
  • Digital Providers (e.g. social networks, search engines, online marketplaces)
| | Essential Entities | Important Entities |
|---|---|---|
| Size threshold | Generally 250 employees but varies by sector | Generally 50 employees but varies by sector |
| Revenue | Annual turnover of €50 million or balance sheet of €43 million | Annual turnover of €10 million or balance sheet of €10 million |
| Sectors | Energy; Transport; Finance; Public Administration; Health; Space; Water supply; Digital Infrastructure | Postal Services; Waste Management; Chemicals; Research; Foods; Manufacturing; Digital Providers* |
| Administrative fines for non-compliance | Up to €10 million or 2% of the company’s total global annual turnover, whichever is higher | Up to €7 million or 1.4% of the company’s total global annual turnover, whichever is higher |

*Plus all sectors under essential entities but within this size threshold

Does NIS2 apply to the UK?

NIS2 does not directly apply to the UK since the UK is no longer a member of the EU, but the UK has retained elements of the original NIS Directive in its national cybersecurity framework. The UK’s version, known as the NIS Regulations, is still in effect post-Brexit. 

That said, organizations operating in both the EU and UK, or providing services to the EU market, may still need to comply with NIS2 and/or other frameworks depending on their activities and relevant data types.

NIS2 requirements: How to comply with the NIS Directive

Complying with NIS2 involves several steps aimed at ensuring that critical infrastructure is protected from cyber threats. Here's a step-by-step guide to compliance readiness:

1. Perform a gap analysis

The first crucial step towards NIS2 compliance is conducting a comprehensive gap analysis. This process involves assessing your organization's current cybersecurity posture against the requirements outlined in the NIS2 Directive.

The goal is to identify any gaps or deficiencies in existing security controls, policies, and processes that could hinder compliance. A gap analysis allows you to pinpoint areas that need improvement, such as risk management, incident reporting, governance, or third-party security. Once these gaps are identified, you can create a roadmap to address them and prioritize actions based on risk severity and resource availability.

For European organizations that have already achieved compliance with the popular ISO 27001 standard, this step will involve mapping the organization's existing control set to the requirements of the NIS2 directive to identify common controls that meet the intent of both frameworks. Since ISO 27001 covers most of the requirements laid out in the NIS2 directive, there may only be a few gaps for specific NIS2 requirements (like for incident reporting) that organizations need to fill. 

By starting with a gap analysis, organizations can optimize their compliance efforts, strategically allocating their resources, reducing duplicate work, and speeding up time-to-compliance.

2. Implement risk management measures

A foundational element of NIS2 compliance is developing a robust risk management framework  to identify, assess, and mitigate cybersecurity risks. Organizations must conduct comprehensive risk assessments to identify vulnerabilities in their network and information systems. This process involves understanding potential cybersecurity threats, assessing the likelihood and impact of those threats, and implementing measures to mitigate them. 

These measures should be both technical and organizational, such as:

  • Firewalls
  • Intrusion detection systems
  • Governance structures
  • Risk assessment policy and process
  • A risk register that records risk mitigation strategies and the development and modification of controls
  • Policies and procedures to assess the effectiveness of cybersecurity risk management measures, such as continuous control monitoring

Risk management should be an ongoing process that evolves with emerging threats and changes in the organization’s operations.

Risk Management Resources Kit

This free risk management resources kit simplifies the process with essential tools you’ll need to identify, prioritize, and mitigate risk, including policy templates, worksheets, and more.

3. Develop and test incident response plan

NIS2 places a strong emphasis on incident detection and response, requiring organizations to have a formalized incident response plan in place. This plan should outline the process of identifying, prioritizing, communicating, assigning, and tracking confirmed incidents through to resolution.

Testing the incident response plan regularly is crucial to ensure that it is effective and that employees are familiar with their roles in the event of an incident. Simulated cyberattack drills or tabletop exercises can help validate the plan’s readiness and reveal potential areas for improvement.

Organizations must also implement notification processes and communication channels for timely incident reporting: significant incidents that are suspected of being caused by unlawful or malicious acts, or that could have a cross-border impact, must be reported to the relevant authorities within 24 hours of detection. The incident notification must then be updated within 72 hours with assessment information, including the incident’s severity and impact and, where available, the indicators of compromise.

4. Focus on governance and accountability

NIS2 mandates that organizations establish clear governance structures for cybersecurity, ensuring that there is accountability at the highest levels of the organization. This means appointing individuals responsible for cybersecurity, such as a chief information security officer (CISO) or equivalent, who will oversee the implementation of NIS2 requirements.

The directive also requires board-level oversight, meaning that top executives and the board of directors must be engaged in managing cybersecurity risks. This is a shift from its predecessor, which did not explicitly require board-level involvement.

In practice, organizations will need to integrate cybersecurity into their corporate governance strategies, ensuring that it is a priority alongside other operational risks.

5. Secure your supply chain

Since the supply chain poses a significant business risk, NIS2 requires organizations to manage third-party risks by ensuring that their supply chain also adheres to cybersecurity best practices. This involves conducting regular cybersecurity assessments of vendors and suppliers, as well as incorporating security requirements into contracts. Organizations should establish third-party risk management programs that include vetting new vendors, conducting ongoing monitoring of existing vendors, and requiring compliance with NIS2 standards.

Failure to secure the supply chain can expose the organization to significant risks and penalties under the directive.

6. Develop and test business continuity plan

NIS2 requires organizations to have a business continuity plan (BCP) that outlines how they will maintain or quickly restore operations after a cyberattack, including performing and retaining full backups of their data. This plan goes hand-in-hand with the incident response plan, but focuses on minimizing downtime and ensuring service availability. 

As with the incident response plan, testing the BCP is vital—simulations and drills will help validate that the organization can recover quickly from a cyber incident without major disruptions to its services.

Organizations should also consider dependencies on external service providers and factor them into their continuity plans to avoid service interruptions.

7. Provide cybersecurity awareness and training to employees

Since employees are often the first line of defense against cyber threats, cybersecurity awareness and training is an essential component of NIS2 compliance. Regular training programs should be implemented to educate employees about basic cyber hygiene practices.

A key goal of the training is to instill a security-first culture, ensuring that every employee understands their obligations and responsibilities related to security. 

8. Perform regular audits

Regular audits are critical to maintaining compliance with NIS2. Audits can be conducted internally by the organization or by third-party assessors to ensure that cybersecurity measures are effective and that the organization is adhering to NIS2 requirements. The audit process should review key areas such as risk management practices, incident reporting procedures, supply chain security, and employee training programs. 

Any gaps identified during audits should be addressed promptly to ensure continuous improvement. 

By performing regular audits, organizations can proactively identify vulnerabilities and ensure that they remain compliant with evolving cybersecurity regulations.

NIS2 Compliance Checklist

This checklist serves as a foundational guide for organizations to align their cybersecurity practices with the NIS2 directive, helping them enhance their security posture and achieve compliance.

Use this checklist to help gauge your company’s NIS2 compliance readiness.

When is NIS2 effective?

NIS2 came into force on January 16, 2023. However, Member States were given until October 17, 2024 to transpose the directive into their national laws. While some Member States, such as the Netherlands and Denmark, have indicated they won’t meet this deadline, others, such as Belgium, Hungary and Croatia, have already implemented NIS2. Still others, including Germany, Poland and Sweden, have published drafts of legislation implementing NIS2. This means organizations covered by NIS2 should already be preparing for compliance, as enforcement will begin shortly after the transposition deadline.

Organizations can start their compliance efforts based on the NIS2 Directive itself or by looking at Member States that have already transposed NIS2 requirements into national legislation that is enacted or nearly final.

Is NIS2 mandatory?

Yes, NIS2 is mandatory for all organizations that fall within its scope. This includes both essential and important entities as defined by the directive. Noncompliance can result in significant penalties, including financial fines and reputational damage.

NIS2 fines and penalties for noncompliance

NIS2 introduces more stringent penalties for failure to meet security requirements and report incidents compared to its predecessor.

While NIS2 gives Member States and national supervisory authorities the authority to specify administrative fines and enforce non-monetary remedies, NIS2 does specify a minimum list of administrative sanctions if an organization breaches the cybersecurity risk management and reporting obligations. It also provides examples of non-monetary penalties. These are listed below.

Organizations that fail to comply with the directive can face administrative fines:

  • Up to €10 million or 2% of the company’s total global annual turnover, whichever is higher, for essential entities
  • Up to €7 million or 1.4% of the company’s total global annual turnover, whichever is higher, for important entities

They can face additional penalties such as binding instructions, security audit implementation orders, threat notification orders to entities’ customers, and compliance orders as well.

NIS2 also includes new measures to hold top management personally liable for gross negligence in the event of a security incident. Under NIS2, Member States may hold senior management personally liable and take the following measures:

  • Order their organization to make compliance violations public.
  • Make public statements identifying the natural and legal person(s) responsible for the violation and its nature.
  • Temporarily ban that individual from holding management positions in case of repeated violations and if the organization is an essential entity.

The financial and operational penalties make it critical for organizations to take NIS2 compliance seriously.

How Secureframe can help simplify NIS2 compliance

Secureframe offers comprehensive solutions to help organizations navigate the complexities of NIS2 compliance. By providing automated risk management, continuous monitoring, and supply chain security capabilities, Secureframe simplifies the process of meeting NIS2 requirements. 

Automating NIS2 compliance with Secureframe not only saves time but also reduces the risk of error, helps maintain continuous compliance, and frees up your team to focus on more strategic tasks. Here are some key features and functionality that Secureframe offers to reduce the effort and cost associated with compliance:

  • Automated control testing: Secureframe automates the testing of NIS2 requirements through integrations with your existing tech stack, ensuring continuous compliance with NIS2 requirements without the manual burden. 
  • Continuous monitoring: Secureframe continuously monitors your security controls, automatically identifying compliance gaps, misconfigurations, and failing controls. Maintain a strong security posture and continuous NIS2 compliance without the need for constant manual checks.
  • Policies developed by experts: Secureframe offers policy and procedure templates, developed and vetted by compliance experts specifically for NIS2. You can easily publish this documentation, assign it to owners, and track policy acceptance and regular review within Secureframe.
  • European Data Center: Secureframe customers in Europe have the flexibility to choose where their data is stored and processed so they can further ensure data privacy of their customers, and easily achieve and maintain compliance with privacy standards like GDPR.
  • Expert and EU-based support: Our team of compliance managers and former security and compliance auditors provide essential support to help you navigate NIS2 requirements effectively and implement best practices to enhance your cybersecurity posture. We also have a dedicated support team in the EU to ensure that you receive timely and localized assistance.
  • Comprehensive framework support: In addition to NIS2, Secureframe supports 40+ regulatory and security standards out of the box, including ISO 27001, EU DORA, Cyber Essentials, and GDPR — more than any other solution on the market. 

Schedule a demo to see how you can confidently meet NIS2 requirements as they continue to evolve over time with Secureframe.

FAQs

What does NIS2 stand for?

NIS2 stands for Network and Information Systems Directive 2. It is the updated version of the original NIS Directive, aimed at improving cybersecurity across the EU.

What is NIS2 compliance?

NIS2 compliance involves adhering to the cybersecurity requirements outlined in the EU directive, including risk management, incident reporting, supply chain security, business continuity, and vulnerability management. 

When does NIS2 come into effect?

NIS2 came into force in January 2023, but member states were given until October 2024 to transpose it into their local laws. Since the requirements of NIS2 must be implemented into law by each EU Member State by that date, organizations should start preparing for compliance as soon as possible based on the NIS2 Directive itself. 

Do US companies need to comply with the NIS2 Directive?

US companies that provide essential services or operate digital infrastructure within the EU may need to comply with NIS2. The directive applies to entities that offer services or have operations in the EU, regardless of where the company is headquartered.
