NIS2 (Directive (EU) 2022/2555) is the European Union's updated cybersecurity directive, adopted in December 2022. It replaces the original NIS Directive (2016) and significantly strengthens cybersecurity rules across the EU. EU Member States had to transpose NIS2 into national law by October 17, 2024. Its main aims are to:
Improve cybersecurity resilience
Harmonize security standards across EU Member States
Increase reporting obligations
Expand the number of sectors and companies required to comply
Risk Management: Implement comprehensive policies for identifying, assessing, and mitigating cyber risks.
Incident Response: Develop strong detection, response, and recovery plans, with mandatory reporting of significant incidents to the national CSIRT or competent authority and, where appropriate, notification of the recipients of the affected services.
Supply Chain Security: Assess and manage the risks arising from direct suppliers and service providers, and ensure they meet strict security standards.
Business Continuity: Plan for operational resilience and data backup.
Security of Network and Information Systems: Implement strong measures like MFA, network segmentation, zero-trust principles, encryption, patch management, vulnerability management, monitoring and detection capabilities.
Security Awareness: Provide training for staff on cyber hygiene.
Governance: Management bodies (executives) must approve policies, oversee implementation, ensure effectiveness, and can be personally held liable for non-compliance.
Reporting Obligations: Strict, staged rules for reporting significant cybersecurity incidents, with each deadline counted from the moment the entity becomes aware of the incident:
Early warning within 24 hours (stating whether the incident is suspected to be malicious or to have cross-border impact)
Incident notification within 72 hours (updating the early warning with an initial assessment of severity, impact, and any indicators of compromise)
Final report no later than 1 month after the incident notification (root cause, mitigation applied, and cross-border impact); authorities may also request intermediate status updates in between
NIS2 applies to more sectors and more organizations than NIS1. Regulated entities fall into two categories; which one an organization lands in depends on both its sector and its size, so a medium-sized organization in a critical sector is generally treated as an important entity rather than an essential one, while the largest organizations in those sectors are essential entities:
Essential Entities (EE): Large organizations in high-criticality sectors such as: Energy, Transport, Banking, Financial market infrastructures, Health, Drinking water, Wastewater, Digital infrastructure (including cloud computing, data centers, and DNS services), Public administration, Space.
Important Entities (IE): Organizations in other critical sectors such as Postal and courier services, Waste management, Chemicals, Food production, Manufacturing of critical products, Digital providers (online marketplaces, online search engines, social networking platforms), Research, as well as medium-sized organizations in the high-criticality sectors above.
NIS2 introduces much tougher penalties. Member States must provide for maximum administrative fines of at least:
Essential Entities: €10 million or 2% of total worldwide annual turnover, whichever is higher.
Important Entities: €7 million or 1.4% of total worldwide annual turnover, whichever is higher.