NIS2 Directive: What It Requires and How to Prepare Your Organization

The NIS2 Directive (Directive 2022/2555) is the EU's updated framework for cybersecurity across essential and important sectors. It replaces the original NIS Directive with significantly expanded scope, stricter requirements, and meaningful enforcement teeth. Member states were required to transpose it by October 17, 2024.

Who NIS2 applies to

• Energy (electricity, oil, gas, hydrogen)
• Transport (air, rail, water, road)
• Banking and financial market infrastructure
• Healthcare
• Drinking water and wastewater
• Digital infrastructure (DNS, TLD, cloud, data centers, CDNs)
• ICT service management (B2B)
• Public administration
• Space

• Postal and courier services
• Waste management
• Chemical manufacturing
• Food production and distribution
• Manufacturing (medical devices, electronics, machinery, vehicles)
• Digital providers (online marketplaces, search engines, social platforms)
• Research organizations

Size thresholds: Generally applies to medium-sized enterprises (50+ employees or €10M+ turnover) and above, though some entities are covered regardless of size.

Core requirements

• Risk assessment and security policies — Documented, regularly reviewed
• Incident handling — Detection, response, and recovery procedures
• Business continuity — Backup management, disaster recovery, crisis management
• Supply chain security — Assessment of third-party and supplier risks
• Vulnerability handling — Disclosure, patching, and testing processes
• Cryptography and encryption — Appropriate use of cryptographic controls
• Access control and asset management — HR security, identity management
• Multi-factor authentication — Required for privileged and remote access
• Secure communications — Encrypted voice, video, and text where appropriate
• Cybersecurity training — Regular training for all staff, including management

Incident reporting

• 24 hours — Early warning to the competent authority (CSIRT or similar)
• 72 hours — Incident notification with initial assessment
• 1 month — Final report with root cause analysis and mitigation measures

This is significantly stricter than most existing frameworks and requires organizations to have detection and reporting processes that can operate at speed.

Enforcement and penalties

• Essential entities: Fines up to €10M or 2% of global annual turnover (whichever is higher)
• Important entities: Fines up to €7M or 1.4% of global annual turnover
• Management liability: Senior management can be held personally accountable for non-compliance
• Suspension of certifications — Authorities can suspend relevant certifications

How to prepare

• Determine if you're in scope — Check against the sector lists and size thresholds
• Gap analysis — Compare your current cybersecurity measures against NIS2's requirements
• Incident response — Ensure you can detect, assess, and report incidents within the 24/72-hour windows
• Supply chain review — Assess and document the security of your key suppliers and service providers
• Management training — NIS2 explicitly requires management to undergo cybersecurity training
• Document everything — NIS2 is prescriptive about having documented policies and procedures