Does the NIS Directive apply to my company?
QUIZ
Eligibility Checker
Where does my company stand with NIS compliance?
CHECKLIST
Compliance
Readiness Test
INFO
What is the NIS2 Directive?
The purpose of the directive
NIS/NIS2 focuses on establishing a high level of security for network and information systems to maintain the integrity of vital services for the economy and society.
Who does NIS/NIS2 apply to?
The directive places obligations on two main groups of organizations:
– Operators of Essential Services (OES)
OES are the organizations that rely on network and information systems to provide critical services to the economy and wider society.
– Relevant Digital Service Providers (RDSP)
RDSP are the key digital service businesses such as online marketplaces, cloud computing services, and search engines.
Why it’s important
The Network and Information Security (NIS) Directive plays a key role in strengthening cybersecurity and resilience across the European Union.
While the original NIS Directive was adopted in 2016, it was officially replaced and reinforced by the NIS2 Directive in 2023.
CHECKLIST
Minimum requirements & Benefits Beyond Compliance
Requirements:
Report incidents within 24–72 hours
A defining feature of NIS2 is the strict requirement to report significant cybersecurity incidents within 24 hours of detection; further information must be provided within 72 hours.
Implement robust cybersecurity measures
The imposed measures include multi-factor authentication (MFA), a regular patching schedule, and continuous threat monitoring.
Maintain risk management policies
These policies must cover risk analysis, vulnerability management, supply chain security, and incident handling, among other areas.
Ensure business continuity and recovery plans
Companies should perform risk assessment, create plans for system recovery and crisis response, conduct regular backups, and test these plans through drills and simulations.
Provide staff awareness training
NIS2 requires comprehensive, ongoing cybersecurity awareness training for all employees. It must cover recognizing cyber threats (such as phishing), best practices for protecting sensitive information, and identifying and reporting cybersecurity incidents, among other topics.
Benefits:
Stronger defense against cyberattacks
By fulfilling the requirements mandated by NIS2, organizations implement robust risk management, incident response, and technical measures. This significantly strengthens the organization’s defenses against cyberattacks and reduces the risk of incidents.
Reduced downtime and financial impact
Implementing a robust cybersecurity strategy as required by NIS2 minimizes the need for recovery services, helping organizations avoid the high expenses associated with incident recovery.
Competitive edge in regulated markets / Greater trust from customers and partners
Complying with the NIS2 Directive places organizations in an advantageous position in regulated markets: they can build trust, demonstrate experience and efficiency, and open up new business opportunities.
Long-term resilience and readiness
The requirements imposed by the NIS2 Directive make organizations more adaptable to evolving threats. These companies become better at anticipating, preventing, and responding to cyberthreats, ensuring long-term operational resilience.
HOW CAN WE HELP?
Your End-to-End NIS2 Compliance Partner
From readiness assessments to managed security operations, we help you every step of the way, ensuring compliance and long-term cyber resilience.
Gap Analysis & Roadmap – Find weaknesses and define a clear path to compliance.
Incident Response Support – Prepare, detect, and meet reporting deadlines.
Staff Training & Awareness – Build a security-first culture across your organization.
Continuous Monitoring – Stay ahead of evolving threats and compliance needs.
SERVICES
We provide practical, scalable solutions for organizations of all sizes
Compliance Roadmap & Templates
Incident Response & Reporting
Be prepared to act within 24–72 hours
Managed Security Operations
Vendor & Supply Chain Risk Assessments
Employee Training & Awareness Programs
SOLUTIONS
We understand the unique cybersecurity risks each industry faces
From hospitals to transport operators, we understand the unique cybersecurity risks each industry faces.
– Healthcare & Pharma – Protect patient data and critical systems
– Energy & Utilities – Safeguard infrastructure from sophisticated threats
– Transport & Logistics – Secure supply chains and mobility networks
– Banking & Finance – Prevent fraud and protect sensitive data
– Public Sector – Ensure reliable and resilient digital services
– Digital Services – Build customer trust with secure platforms
– Incident Reporting – Meet deadlines with confidence
– Employee Training – Build awareness across your workforce
– Risk Management – Identify and mitigate vulnerabilities
– Business Continuity – Ensure recovery and resilience
– Supply Chain Security – Secure partners and vendors
FAQ
Have any questions? We have answers
Who must comply with NIS2?
The NIS2 Directive must be complied with by essential and important entities operating within the European Union, including both the companies themselves and their suppliers.
The Essential Entities (EE) are entities with at least 250 employees and an annual turnover of €50 million or a balance sheet total of €43 million, in sectors such as energy, transport, finance, and health.
The Important Entities (IE) are entities with at least 50 employees and an annual turnover of €10 million or a balance sheet total of €10 million, in sectors such as postal services, chemicals, and food.
However, regardless of their size, certain entities considered critical to society must also comply, such as providers of public electronic communications networks or of publicly available electronic communications services, trust service providers, top-level domain name registries, and domain name system service providers, among others.
What happens if my company is not compliant?
Non-compliance with the NIS2 Directive may result in non-monetary remedies, administrative fines, or criminal sanctions.
Penalties apply to all entities that must comply and may vary depending on the Member State, although the directive establishes a minimum set of administrative sanctions for non-compliance.
The non-monetary remedies may include compliance orders, orders to implement security audits, or obligations to notify the entity’s customers of threats. Administrative fines depend on the entity type: for Essential Entities, fines can reach up to €10,000,000 or 2% of global annual revenue, and for Important Entities, up to €7,000,000 or 1.4% of global annual revenue.
Criminal sanctions are intended to prevent negligence in the management of cyber risks. These may include orders to make compliance violations public or temporary bans on individuals from holding management positions in case of repeated violations.
How soon do I need to comply?
Member states must enforce NIS2 by October 2024. Companies are encouraged to start complying as soon as possible. Non-compliance can result in heavy fines, reputational damage, and increased risk of cyberattacks.
What’s the difference between NIS and NIS2?
The NIS Directive was introduced in 2016 and established the standard for cybersecurity. However, cyberthreats have evolved, so defenses must adapt. This is where the NIS2 Directive comes in – to close existing gaps and address limitations.
Firstly, NIS2 covers more sectors by introducing Essential Entities and Important Entities, each with clearly defined obligations. NIS2 also extends coverage to smaller entities than those included in NIS. Other differences can be observed in the security requirements – such as mandatory incident reporting based on a clearer set of criteria, stricter reporting timelines, and expanded employee training obligations – as well as in the area of penalties, which now provides for effective, proportionate, and adequate penalties tailored to the organization.
Can small businesses be affected?
Small businesses generally fall outside the scope of the NIS2 Directive, but there are some exceptions. Regardless of their size, certain businesses play a critical role in the economy and wider society. These are trust service providers, providers of publicly available electronic communications services, providers of public electronic communications networks, and TLD registries and DNS service providers.