The European Union has ushered in stricter cybersecurity requirements with the Network and Information Security Directive 2 (NIS2 Directive, Directive (EU) 2022/2555). Member states were required to transpose it into national law by October 17, 2024, and its rules apply from October 18, 2024. The directive builds on the original NIS Directive, significantly expanding its reach and tightening its standards. Under NIS2, operators of critical infrastructure and providers of essential services across the EU must implement rigorous cybersecurity risk-management measures, report significant incidents, and take a proactive approach to managing cyber risk.
The NIS2 Directive aims to bolster the security of network and information systems in key sectors, improve the resilience of supply chains, and enforce stricter supervision. Its broader scope covers more industries and organisations, so that more entities must meet baseline security requirements. The directive introduces risk-based obligations and makes compliance mandatory, with penalties for non-compliance that can include substantial administrative fines. By harmonising cybersecurity practices, the NIS2 Directive seeks to ensure a safer and more secure digital landscape across all EU member states.
Key Provisions: Compliance, Accountability, and Penalties
The directive's requirements are commonly grouped into three core areas: duty of care, reporting obligations, and supervision. These are backed by the specific cybersecurity risk-management measures listed in Article 21, the governance obligations in Article 20, and the administrative fines set out in Article 34: up to at least €10 million or 2% of total worldwide annual turnover for essential entities under Article 34(4), and up to at least €7 million or 1.4% for important entities under Article 34(5). Organisations must take preventive action through regular risk assessments, incident detection and handling, and security training programmes. Management bodies are held accountable: they must approve the risk-management measures, oversee their implementation, and can be held liable for infringements, which makes cybersecurity a board-level priority rather than a purely technical concern.
A key focus of the NIS2 Directive is supply chain security: Article 21 requires entities to address the security of their relationships with direct suppliers and service providers, not just the security of their own systems. Training is another essential component, requiring organisations to build awareness and competence among their staff, and members of management bodies must themselves undergo cybersecurity training. The directive also requires timely reporting of significant incidents to the national CSIRT or competent authority under Article 23: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. Regulators gain greater powers to supervise compliance and penalise violations. These changes aim to close the gaps in oversight and harmonisation that previously left many organisations exposed.
Expanded Reach: Who Needs to Comply?
NIS2 dramatically increases the number of public and private entities subject to its mandates. Organisations are classified into two categories: essential entities and important entities. Essential entities are, broadly, large organisations operating in the high-criticality sectors of Annex I, such as energy, transport, banking, healthcare, and digital infrastructure; certain types of provider, such as DNS service providers, top-level domain name registries, and qualified trust service providers, are essential regardless of size. A large organisation is one with 250 or more employees, or with an annual turnover exceeding €50 million and a balance sheet total exceeding €43 million.
Important entities, generally medium-sized organisations, span the Annex II sectors such as digital providers, food production and distribution, chemicals, research, and manufacturing; medium-sized organisations in Annex I sectors are also classed as important entities. A medium-sized organisation is one with at least 50 employees, or with an annual turnover and balance sheet total each exceeding €10 million. Annex I of the directive lists the sectors of high criticality, while Annex II lists other critical sectors, many of which are newly brought into scope.
Organisations unsure of their status under NIS2 are advised to consult the guidance published by their national competent authority or to seek expert advice. As Europe moves toward a unified cybersecurity framework, compliance with NIS2 is set to become not only a legal obligation but also a crucial element of operational resilience.