History and evolution from NIS to NIS2
NIS, short for Network and Information Systems, was the European Union’s first major legislative initiative in the field of cybersecurity, created to establish a high common level of protection for networks and information systems across the Union. The NIS Directive was adopted in July 2016, and by May 2018, Member States had transposed it into their national legislation.
The directive aimed to:
• Improve existing cybersecurity systems
• Protect critical infrastructure and digital services
• Create a community that builds trust and provides adequate support
NIS covered essential entities (ES) and digital service providers (DSPs). Essential entities included organizations in the energy, transport, finance, and healthcare sectors, while digital service providers were cloud computing services, search engines, and online marketplaces.
However, the directive left gaps in the measures it imposed. NIS2 was therefore created to address these gaps and to respond to new challenges. On January 16, 2023, the European Parliament adopted the new version of NIS – NIS2 – and EU Member States were required to transpose the directive into their national legislation by October 17, 2024.
Key differences between NIS and NIS2
NIS2 introduces significant changes compared to the original NIS Directive. The NIS2 update promotes cooperation between EU Member States and ensures effective monitoring, information sharing, and a coordinated response to cyber threats by imposing new measures. The key changes are:
Clearly defined sets of requirements
NIS2 adopts a more detailed, risk-oriented approach, adapted to the specific needs of each organization, compared to NIS. Instead of general security measures, NIS2 requires the implementation of an integrated cybersecurity risk management system adapted to each entity’s risk profile.
All organizations must include the following key elements in their security strategy:
- Business continuity – plans to ensure critical services remain operational in crisis situations
- Supply chain security – suppliers’ security evaluation
- Network and system security – effective technical measures against unauthorized access and attacks
- Access control – measures to limit access to authorized personnel only
- Vulnerability management – monitoring and addressing weaknesses before they can be discovered and exploited
- Data encryption – protection of sensitive information
NIS2 places special emphasis on the supply chain and collaboration between organizations through sharing information on threats and vulnerabilities in the European Union. Furthermore, the directive requires the implementation of technical and organizational measures to prevent incidents and minimize their impact on services if they occur.
Broader sector coverage
A key difference between NIS and NIS2 is the scope. NIS2 clarifies which organizations fall under the new compliance rules. The directive defines two main categories: essential entities, which include sectors such as energy, transport, and healthcare, and important entities, such as those in the food industry, postal services, or the chemical industry.
Organizations are also classified by size so that requirements can be tailored to the resources available to them:
- Large organizations have at least 250 employees, or an annual turnover of €50 million or more and a total balance sheet of €43 million or more.
- Medium organizations have at least 50 employees, or an annual turnover and balance sheet of at least €10 million.
- Small organizations have fewer than 50 employees and an annual turnover or balance sheet below €10 million.
Although small organizations are not directly subject to NIS2, under Article 2, paragraph 2 of the directive compliance is still required when the organization:
- Provides public electronic communications networks or publicly available electronic communications services
- Is a trust service provider
- Is a top-level domain name registry or DNS service provider
- Is the sole provider in a Member State of an essential service that maintains critical societal or economic activities
- Could have a significant impact on public safety, public security, or public health if its service were interrupted
- Could generate a major systemic risk if its service were interrupted, especially in sectors where the effects may be felt in other Member States
- Is considered critical because of its specific importance at national or regional level for the sector, the type of service, or other interdependent sectors
- Is a public administration entity at central or regional level, as defined by the Member State, which, following a risk-based assessment, provides services whose interruption could significantly impact societal or economic activities
Stricter penalties
The clearer classification criteria allow sanctions and penalties to be set for each category, proportional to the severity of the violation and the level of compliance. Non-compliance may result in administrative, non-monetary, or criminal sanctions under NIS2.
Administrative fines for essential entities may reach up to €10 million or 2% of the annual global turnover, and for important entities, up to €7 million or 1.4% of annual global turnover.
Non-monetary remedies may include compliance orders, security audits, or notifying clients about identified risks.
Criminal sanctions may include requiring organizations to make compliance violations public, issuing public statements identifying the legal person responsible for the violation and its nature, or, in the case of essential entities, temporarily banning individuals from holding management positions after repeated violations.
Changes in incident reporting
The NIS Directive required organizations to report significant incidents but did not clearly define what constitutes a significant incident. NIS2 removes this ambiguity and establishes clear criteria for when an incident must be reported to the competent authorities: when it has caused or could cause significant financial loss or operational disruption, or when it has affected or could affect other natural or legal persons by causing damage. Specific reporting obligations and timeframes are defined:
- Within 24 hours of detection – an initial notification describing the impact and whether malicious actors are suspected to be involved
- Within 72 hours of detection – a detailed report that updates the initial notification, assesses severity, and identifies potentially compromised points
- Within 30 days of the notification – a final report including a description of the incident, its root causes, and the actions taken
Stricter supervision
NIS2 allows national authorities to conduct regular audits and inspections of organizations to verify compliance with its requirements. Where violations are found, organizations face fines and penalties proportional to the severity of the non-compliance.
Why the EU Moved from NIS1 to NIS2, What’s New, and What’s Changed?
Society has evolved, digital systems have adapted to new needs and technologies, and the NIS Directive no longer corresponded to emerging cyber threats. NIS covered a limited number of entities, leaving some organizations vulnerable to risks, while those included faced ambiguities regarding the requirements they needed to meet. To address these limitations and fill the gaps in the NIS Directive, the European Commission proposed NIS2.
The NIS2 Directive adapts NIS to new cyber threats and risks, strengthening the legal framework, expanding its scope, and introducing the stricter compliance measures and penalties outlined above to protect critical infrastructure and essential services in the European Union.
Among the new risks to which information systems are currently exposed are the misuse of sensitive data and privacy violations, vulnerabilities in the digital supply chain, and advanced cyberattacks such as malware and ransomware targeting robust infrastructures. It is essential for organizations to stay informed about the current threat landscape and to implement appropriate measures, and the new NIS2 rules ensure that they do.