NIS2 Directive
The EU's updated Network and Information Security directive, expanding cybersecurity obligations to more sectors and imposing stricter incident reporting and management requirements.
What Is NIS2?
The NIS2 Directive (Network and Information Security Directive 2) is an EU directive that came into force in January 2023, with member states required to transpose it into national law by October 2024. It replaces the original NIS Directive (2016) with significantly broader scope, stricter requirements, and higher penalties.
NIS2 aims to raise the baseline cybersecurity maturity across critical sectors in the EU by imposing concrete obligations on organisations, their management teams, and supply chains.
Who Does NIS2 Apply To?
NIS2 covers a much wider range of sectors than its predecessor, split into two categories:
Essential entities: Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space
Important entities: Postal services, waste management, chemicals, food production, manufacturing, digital providers, research organisations
Organisations with 50+ employees or €10M+ annual turnover in these sectors are typically in scope — and the obligations extend to their supply chains.
Key NIS2 Requirements
- Risk management: Implement appropriate technical and organisational cybersecurity measures
- Incident reporting: Report significant incidents to national authorities within 24 hours (early warning) and 72 hours (full notification)
- Supply chain security: Assess and manage the security of your suppliers and service providers
- Management accountability: Senior management can be held personally liable for non-compliance
- Business continuity: Maintain backup, disaster recovery, and crisis management capabilities
Penalties
Fines of up to €10 million or 2% of global annual turnover for essential entities; up to €7 million or 1.4% for important entities.
NIS2 for SMBs
Even if your company isn't directly in scope, your enterprise customers likely are — and NIS2's supply chain provisions mean they will increasingly require security evidence from vendors. Being prepared protects both compliance and commercial relationships.