What is the NIS2 directive?
The NIS2 directive is a European Union law designed to strengthen cybersecurity across critical sectors by setting out clear rules and expectations for protecting network and information systems. As the successor to the original NIS directive, NIS2 aims to address the growing risks of cyber threats that could disrupt essential services or the economy.
The directive establishes a unified legal framework, requiring EU countries to adopt national strategies and collaborate on cross-border cybersecurity challenges. By raising the bar for security standards, the NIS2 directive ensures that organisations handling vital infrastructure are better prepared to prevent, detect, and respond to cyber incidents.
The evolution from NIS1 to NIS2
Understanding the definition of the NIS2 directive starts with its origins. The first NIS directive, introduced in 2016, was a pioneering step in creating a baseline for cybersecurity across the EU.
However, as technology evolved and threats became more sophisticated, gaps in the original legislation became apparent. The meaning of the NIS2 directive lies in its response to these new challenges. It expands the scope to cover more sectors and introduces stricter requirements for risk management, reporting, and oversight.
This evolution reflects the EU’s recognition that digital transformation brings both opportunities and vulnerabilities, demanding a more robust and adaptive legal framework.
Core objectives and guiding principles
At its heart, the NIS2 directive is about building resilience. The overview of the NIS2 directive reveals three core objectives: enhancing the overall level of cybersecurity, improving cooperation among Member States, and ensuring rapid response to emerging threats.
The directive sets out guiding principles such as risk-based management, accountability, and transparency. These principles shape how organisations approach cybersecurity, moving away from reactive measures toward proactive risk identification and mitigation.
The description of the NIS2 directive also highlights the importance of supply chain security and the need for continuous education and awareness within organisations, supported by strong security awareness programmes.
Legal structure and main components
The legal structure of the NIS2 directive is detailed and comprehensive. It is organised into several chapters, each addressing a specific aspect of cybersecurity governance.
The directive covers everything from general provisions and coordinated frameworks to supervision, enforcement, and international cooperation. A key feature is the requirement for Member States to define their own national cybersecurity strategies while aligning with EU-wide standards.
The NIS2 directive also mandates regular updates to lists of essential service operators and sets out clear rules for information sharing and incident reporting. This structured approach ensures consistency while allowing flexibility for local adaptation.
Who must comply with the NIS2 directive?
The NIS2 directive sets out clear rules about which organisations must comply with its requirements. The scope of the directive is much broader than its predecessor, covering a wide range of sectors and entities that play a critical role in the functioning of society and the economy.
If your organisation operates in one of the sectors listed in the directive and meets certain size or importance thresholds, you are likely required to comply. This includes both public and private entities, as well as some micro and small businesses that provide essential digital services.
Understanding whether your organisation falls under the NIS2 directive is crucial for ensuring compliance and avoiding significant penalties.
Sectors covered by the NIS2 directive
The NIS2 directive expands its reach across numerous sectors that are vital to the stability and security of the European Union. These sectors are divided into two main categories: those of very high criticality and other critical sectors.
Sectors of very high criticality:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Digital infrastructure
- ICT service management
- Wastewater
- Public administration
- Space activities
Other critical sectors:
- Digital providers
- Postal and courier services
- Waste management
- Chemical manufacturing
- Food production and distribution
- Research
- General manufacturing

The inclusion of these sectors reflects the directive’s aim to address the growing complexity and interdependence of modern economies. By targeting such a broad array of industries, the NIS2 directive ensures that the most important elements of society’s infrastructure are protected against cyber threats.
The definition of the NIS2 directive makes it clear that any disruption in these sectors could have far-reaching consequences, which is why their operators are subject to strict cybersecurity requirements.
Size and importance criteria for compliance
Not every organisation within the covered sectors is automatically subject to the NIS2 directive. The directive introduces specific size and importance thresholds to determine which entities must comply.
Generally, medium-sized organisations with at least 50 employees or an annual turnover or balance sheet total exceeding €10 million are classified as important entities. Large organisations, defined as having more than 250 employees or a net turnover above €50 million and a balance sheet total over €43 million, are considered essential entities.
These classifications are central to the explanation of the NIS2 directive, as they help focus regulatory efforts on organisations whose operations are most likely to impact society if disrupted. However, there are exceptions for certain micro and small businesses that provide critical digital services, such as trust service providers and domain name registries, which are also brought under the scope regardless of size.
This nuanced approach ensures that the directive targets entities based on their potential impact rather than just their scale, aligning with the overall meaning of the NIS2 directive.
Designation of additional entities by national authorities
National authorities have the power to designate additional organisations as being subject to the NIS2 directive, even if they do not meet the standard size or sector criteria. This provision allows for flexibility in addressing unique national circumstances or emerging risks.
For example, a micro or small company may be designated if its services are deemed vital to the national economy or society. In such cases, the organisation will be formally notified by the relevant authority.
This mechanism ensures that the description of the NIS2 directive remains adaptable to changing threat landscapes and evolving definitions of criticality. It also places a responsibility on national governments to continually assess and update the list of covered entities, ensuring that no significant vulnerabilities are left unaddressed.
The ability to designate additional entities underscores the directive’s commitment to proactive risk management and tailored national implementation.
Cross-border and multinational considerations
The NIS2 directive has important implications for organisations operating across multiple EU Member States or providing services from outside the EU into the Union. Multinational organisations must carefully assess whether their activities fall within the scope of the directive in each country where they operate.
This includes evaluating their role in the supply chain of critical infrastructure and determining which national laws apply. Even organisations based outside the EU may be required to comply if they offer essential or important services within the EU.
The directive’s unified legal framework aims to harmonise cybersecurity standards across the region, but local implementation can vary, making compliance a complex task for cross-border operators. As part of building a consistent governance approach, many teams align NIS2 compliance work with a formal AI policy and related security rules to standardise responsibilities across jurisdictions.
The definition of the NIS2 directive therefore extends beyond simple geographic boundaries, reflecting the interconnected nature of today’s digital economy. Organisations must stay informed about national transpositions and ensure that their compliance strategies are robust enough to meet the requirements in every relevant jurisdiction.
Key requirements of the NIS2 directive
The key requirements of the NIS2 directive are designed to create a unified and robust cybersecurity framework across the European Union. This directive sets out clear expectations for organisations operating in critical sectors, ensuring that they adopt effective risk management measures, report incidents promptly, and maintain a high level of operational resilience.
The NIS2 directive builds on its predecessor by expanding the scope of covered entities and introducing stricter supervision and enforcement mechanisms. In this section, we will explore the main obligations that organisations must meet under the NIS2 directive, providing an overview of the directive’s core requirements and how they shape the cybersecurity landscape in the EU.
Governance and accountability
One of the central pillars of the NIS2 directive is the emphasis on governance and accountability within organisations. The directive requires that roles and responsibilities related to cybersecurity are clearly defined and assigned at all levels.
Senior management must be actively involved in overseeing cybersecurity strategies and ensuring compliance with the directive’s requirements. This means that boards and executives are not only responsible for setting policies but also for monitoring their implementation and effectiveness.
The definition of the NIS2 directive highlights the importance of leadership in fostering a culture of security awareness and continuous improvement. Regular training and awareness programmes are expected to be part of the organisational routine, ensuring that all employees understand their role in maintaining cybersecurity.
Risk management measures
A cornerstone of the NIS2 directive is the requirement for comprehensive risk management. Organisations must identify, assess, and mitigate risks associated with their network and information systems.
This includes implementing technical and organisational measures to prevent and minimise the impact of cyber incidents. The explanation of the NIS2 directive makes it clear that risk management is not a one-time exercise but an ongoing process.
This process is often aligned with what ISO 27001 requires around continual improvement and structured controls. Entities are expected to regularly review their security posture, update their controls, and adapt to emerging threats.
This proactive approach ensures that vulnerabilities are addressed before they can be exploited, contributing to the overall resilience of essential services and critical infrastructure.
Incident reporting obligations
Timely and accurate incident reporting is another key requirement under the NIS2 directive. Organisations must establish procedures for detecting, managing, and reporting significant cybersecurity incidents to the relevant authorities.
The meaning of the NIS2 directive underscores the need for transparency and swift communication in the event of a breach or disruption. Entities are required to notify authorities without undue delay, providing detailed information about the nature of the incident, its potential impact, and the steps taken to contain and resolve it.
This obligation helps authorities coordinate responses, share information across borders, and prevent the spread of threats within the EU. Effective incident reporting also enables organisations to learn from past events and strengthen their defences.
Supply chain security and third-party risk
The NIS2 directive introduces specific requirements for managing risks arising from supply chains and third-party relationships. Organisations must assess the security practices of their suppliers and service providers, ensuring that these partners adhere to similar standards of protection.
The overview of the NIS2 directive points to the growing complexity of digital ecosystems, where vulnerabilities in one part of the chain can have far-reaching consequences. Entities are expected to include supply chain security in their risk assessments and to implement contractual and technical safeguards.
Regular audits, due diligence, and information sharing with partners are encouraged to maintain a consistent level of security throughout the supply network.
Supervision, enforcement, and penalties
To ensure compliance, the NIS2 directive establishes robust supervision and enforcement mechanisms. National authorities are empowered to monitor organisations, conduct inspections, and impose penalties for non-compliance.
The description of the NIS2 directive highlights that fines can be substantial, reflecting the seriousness of failing to meet cybersecurity obligations. Organisations must be prepared to demonstrate their adherence to the directive’s requirements through documentation, regular reporting, and cooperation with regulators.
The threat of enforcement acts as a strong incentive for entities to prioritise cybersecurity and invest in continuous improvement. By holding organisations accountable, the NIS2 directive aims to raise the overall standard of cybersecurity across the EU and protect society from the growing risks of digital threats.
How does the NIS2 directive impact businesses?
The NIS2 directive brings a significant shift for businesses across the EU. Its impact goes far beyond simple compliance, touching on how organisations manage risk, structure their operations, and interact with partners and customers.
The meaning of the NIS2 directive is not just about meeting legal requirements but about embedding cybersecurity into the core of business strategy. This description of the NIS2 directive highlights its role in shaping a more resilient digital landscape, where companies must rethink their approach to security, governance, and collaboration.
Operational changes and resource allocation
One of the most immediate impacts of the NIS2 directive on businesses is the need to adapt internal operations. The overview of the NIS2 directive reveals that companies must now dedicate more resources to cybersecurity, both in terms of budget and personnel.
This often means hiring or upskilling staff, investing in new technologies, and updating internal policies. For many organisations, especially those in critical sectors, this can require a fundamental restructuring of teams and workflows.
The directive also calls for clear documentation and evidence of compliance, which adds administrative overhead. Businesses must establish processes for continuous monitoring, incident response, and regular reporting. These operational changes are not one-off projects but ongoing commitments that demand sustained attention and investment.

Risk management and supply chain oversight
A key aspect of the definition of the NIS2 directive is its focus on risk management, particularly in relation to third parties and supply chains. Companies are now expected to map out their entire ecosystem of suppliers, partners, and service providers, identifying potential vulnerabilities at every link.
This means conducting regular risk assessments, setting minimum security standards for vendors, and ensuring contractual obligations reflect the requirements of the directive. The explanation of the NIS2 directive makes it clear that businesses cannot afford to overlook indirect risks. If a supplier suffers a cyber incident, the consequences can ripple through the entire network.
As a result, organisations must develop robust processes for vetting, onboarding, and monitoring third parties. This heightened scrutiny extends to due diligence during mergers, acquisitions, and strategic partnerships, fundamentally changing how businesses evaluate and manage external relationships.
Financial implications and penalties
The financial impact of the NIS2 directive is another area where businesses feel its effects. The directive introduces strict penalties for non-compliance, with fines that can reach millions of euros or a significant percentage of global turnover. This creates a strong incentive for organisations to prioritise cybersecurity investments.
However, the costs extend beyond potential fines. Implementing the requirements of the NIS2 directive often involves substantial upfront spending on technology, training, and consultancy. There are also ongoing expenses related to audits, system upgrades, and incident response capabilities.