NIS2
An EU directive establishing cybersecurity requirements for essential and important entities. Covers risk management, incident reporting and supply chain security.
What is NIS2?
NIS2 (Network and Information Security Directive 2) is a European Union directive (2022/2555) that replaced the original NIS Directive from 2016. It expands the scope of entities required to implement cybersecurity measures, introduces stricter penalties for non-compliance and places personal responsibility on senior management for security oversight.
The directive divides entities into two categories: essential (including energy, transport, health, water and digital infrastructure) and important (including manufacturing, postal services, food and chemicals). Entities in both categories must implement risk management measures, report incidents within defined timeframes (early warning within 24 hours, full notification within 72 hours) and submit to supervision.
Each EU member state transposes NIS2 into national legislation. Organisations that may be covered by the directive should assess whether they fall within its scope and then align their information security management systems accordingly.
Why does it matter?
NIS2 significantly expands the circle of organisations required to implement formal cybersecurity programmes. Many companies that were previously unregulated now need to meet requirements for risk analysis, incident management, supply chain security and business continuity.
Penalties for non-compliance reach EUR 10 million or 2% of annual turnover for essential entities. More importantly, the management board bears personal responsibility for ensuring compliance - cybersecurity is no longer solely the IT department’s concern.