What is NIS2?

Over the last decades, technology has become embedded in every aspect of life. Information systems are no longer merely a form of support; they are an integral part of daily activity. NIS2, short for the second Network and Information Systems directive (Directive (EU) 2022/2555), is the European Union directive that lays down measures for a high common level of cybersecurity for network and information systems across all EU Member States.

The NIS2 Directive was created to keep pace with the evolution of cyber threats and sets out clear requirements for the entities it covers. At EU level it combines supervision, enforcement of the rules, and peer reviews between Member States in order to build mutual trust and improve resilience, monitoring, and adaptability when dealing with risks and cyber threats.

The directive also establishes teams and structures that encourage cooperation among EU Member States and strengthen collective defence. Among these are the national CSIRTs (Computer Security Incident Response Teams) and the CSIRTs network, which maintain an overview of the current threat situation and provide assistance during incidents. For large-scale incidents and crises, support is provided through EU-CyCLONe (the European Cyber Crisis Liaison Organisation Network), which coordinates the response between Member States and facilitates regular information exchange. Finally, the NIS Cooperation Group provides recommendations and guidance for implementing the measures imposed by the NIS2 Directive.

Who must comply with NIS2?

The NIS2 Directive aims to maintain an interconnected and resilient European network capable of addressing the increasingly complex challenges of the digital world, and therefore brings a wide range of organizations into scope. It is estimated that at least 100,000 entities are regulated by the directive. To structure the obligations, two categories of covered organizations have been defined, essential entities and important entities, and the directive sets its requirements and its supervisory regime depending on the category.

Essential entities (EE) are subject to the stricter compliance and supervision regime, since an incident affecting their operations could have a major impact on European society and infrastructure. As a rule they are large enterprises operating in the sectors of high criticality (Annex I of the directive): organizations with at least 250 employees, or with an annual turnover exceeding €50 million and a balance sheet total exceeding €43 million.

Examples of sectors with Essential Entities:

  • Energy
  • Transport and logistics
  • Finance (banking and financial market infrastructure)
  • Health
  • Water supply
  • Digital infrastructure
  • Public administration

In addition to essential entities, the directive covers Important Entities (IE): organizations that, while not considered critical to the same degree, still have significant cybersecurity obligations. As a rule they are medium-sized enterprises in the Annex I sectors, and medium or large enterprises in the other critical sectors (Annex II): organizations with at least 50 employees, or with an annual turnover and a balance sheet total both exceeding €10 million.

Examples of sectors with Important Entities:

  • Postal and courier services
  • Food industry
  • Chemical industry
  • Manufacturing
  • Digital services
  • Research institutions
  • Waste management

Some organizations fall under the directive regardless of their size, because their activities are considered critical to the economy and society. According to Article 2(2) of the directive, an entity is covered irrespective of the size thresholds above when it:

  • Provides public electronic communications networks or publicly available electronic communications services
  • Is a trust service provider
  • Is a top-level domain name registry or a DNS service provider
  • Is the sole provider in a Member State of a service that is essential for maintaining critical societal or economic activities
  • Could, in case of disruption of its service, have a significant impact on public safety, public security, or public health
  • Could, in case of disruption of its service, induce a significant systemic risk, in particular in sectors where the disruption could have cross-border impact on other Member States
  • Is critical because of its specific importance at national or regional level for the sector, the type of service, or other interdependent sectors
  • Is a public administration entity at central level, or at regional level if it provides services whose disruption could significantly impact critical societal or economic activities, as identified by the Member State following a risk-based assessment

The directive is not limited to organizations established in the EU: an entity established outside the Union that offers in-scope services within the territory of a Member State must also comply, and certain providers (such as DNS, cloud, data centre, and online marketplace providers) must designate a representative in the Union.

Why does NIS2 matter?

The NIS2 requirements have been established to ensure a minimum level of cybersecurity across the European Union. In today's interconnected world, a compromise of one service or organization can trigger cascading effects on society and the economy, so common rules are essential. The primary objective of the directive is to reduce the likelihood and the impact of cyberattacks.

The measures NIS2 requires are aimed at protecting the confidentiality, integrity, and availability of network and information systems and of the data they process. Confidentiality means that only authorized individuals can access sensitive data, integrity means that data and systems remain correct and unaltered, and availability means that they are accessible and fully functional when needed.

Understanding what NIS2 is and what it asks for is the first step for an organization to comply with the directive's requirements.

From NIS to NIS2: What are the key changes?

NIS2 is the successor of the original NIS Directive (Directive (EU) 2016/1148), adopted in 2016. The changes in information systems and in the threat landscape since then required the previous requirements and guidelines to be adapted. In force since January 2023, NIS2 addresses the gaps of the first directive, in particular the inconsistent scope and the uneven enforcement between Member States.

Key Changes Introduced by NIS2

More Sectors covered

With the adoption of NIS2, two main categories were introduced to define which entities must implement the required measures: essential entities (such as those in energy, transport, health, etc.), and important entities (such as those in the food industry, postal services, chemical industry, etc.). 

Entities are also classified by size, following the EU definition of small and medium-sized enterprises: large, medium, or small. Large entities are organizations with at least 250 employees, or with an annual turnover exceeding €50 million and a balance sheet total exceeding €43 million. Medium entities are organizations that are not large but have at least 50 employees, or an annual turnover and a balance sheet total both exceeding €10 million. Small entities are organizations with fewer than 50 employees and an annual turnover or balance sheet total not exceeding €10 million. In most cases, small organizations are not covered by NIS2, but the Article 2(2) criteria listed above apply regardless of size, so an organization should always check them.

Stricter Security Requirements

All covered entities must adopt technical, operational, and organizational measures that are appropriate and proportionate to the risks they face and to the services they provide. Article 21 of the directive lists the minimum areas these measures must cover, including risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, secure acquisition, development, and maintenance of systems, vulnerability handling, assessment of the effectiveness of the measures, cyber hygiene and training, cryptography, access control and asset management, and the use of multi-factor authentication where appropriate. Compared to NIS, NIS2 also imposes much stricter incident reporting requirements: a significant incident must be reported to the CSIRT or competent authority with an early warning within 24 hours of becoming aware of it, a full incident notification within 72 hours, and a final report within one month.

Proportionate and Adequate Penalties

Non-compliance with the directive can result in administrative fines and in other enforcement measures. Administrative fines for essential entities can reach at least €10 million or 2% of the total worldwide annual turnover, whichever is higher, and for important entities at least €7 million or 1.4% of the total worldwide annual turnover, whichever is higher. Beyond fines, competent authorities may order an organization to make aspects of its non-compliance public, may make public statements identifying the legal person responsible for the violation and its nature, and, in the case of essential entities, may temporarily prohibit individuals from exercising managerial functions if ordered corrective measures are not carried out in time. Criminal penalties, where they exist, are a matter of national law. These harmonized sanction levels are specific to NIS2; the original NIS Directive left penalties entirely to the Member States.

Stricter Supervision

National competent authorities may conduct regular and targeted security audits, on-site and off-site inspections, security scans, and requests for information and evidence in order to verify compliance with NIS2. Essential entities are subject to proactive (ex ante) supervision, while important entities are supervised reactively (ex post), typically after evidence or indications of non-compliance. Organizations may receive fines and penalties proportionate to the severity of the non-compliance.

Who enforces NIS2?

The national competent authorities designated in each EU Member State are responsible for supervising and enforcing the national laws that transpose the NIS2 Directive. They monitor compliance, investigate irregularities, and impose sanctions, with support from the European Commission, ENISA, and the cooperation structures described above. Consistent with the EU's commitment to security while upholding fundamental rights, NIS2 seeks both to strengthen cybersecurity measures and to enhance cooperation among Member States.

Timeline for meeting NIS2 requirements

The NIS2 Directive was adopted by the European Parliament and the Council in November 2022, published in the Official Journal in December 2022, and entered into force on 16 January 2023, expanding the scope of the original NIS Directive adopted in 2016. Member States had until 17 October 2024 to transpose it into national law and have applied the resulting measures from 18 October 2024, so organizations operating or providing in-scope services within EU Member States must now comply with the national rules implementing it. On average, an entity needs approximately 12 months to achieve the required level of compliance, depending on the company's size and the criticality of its services. Companies can also benefit from the support of specialized partners who manage the NIS2 compliance process.


Understanding the consequences of non-compliance

The NIS2 Directive introduces a clear and much stricter framework for sanctioning entities that fail to comply with its requirements. Sanctions are not an end in themselves: the purpose of the directive is to ensure a high common level of cybersecurity resilience across the European Union.

The sanctions are divided into three main categories:

Non-monetary remedies

Competent authorities may impose non-monetary measures, which may include:

  • Issuing binding instructions or compliance orders requiring the organization to correct deficiencies within a specified timeframe
  • Ordering additional security audits
  • Temporarily suspending a certification or authorization for the services provided (for essential entities)
  • Requiring entities to inform clients, partners, or the public about cybersecurity incidents or threats

Administrative fines

NIS2 sets a floor for the maximum administrative fines that Member States must provide for, and allows them to set higher amounts in national law:

For essential entities, such as those in the transport, energy, or healthcare sectors, the maximum fine must be at least €10 million or 2% of the total worldwide annual turnover of the undertaking, whichever is higher.

For important entities, such as those in the food industry or digital service providers, the maximum fine must be at least €7 million or 1.4% of the total worldwide annual turnover, whichever is higher.

This approach, based on a percentage of the organization's turnover, ensures that penalties remain proportionate to the size and impact of the entity.

Management accountability

One of the key updates in NIS2 is the stronger emphasis on holding management accountable. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and follow training, and they can be held liable for infringements.

If an entity fails to implement the required measures, authorities may impose:

  • A temporary ban on exercising managerial functions for the individuals responsible, in the case of essential entities, where ordered corrective measures are not carried out
  • Public disclosure of the entity responsible and details of the violation
  • In some Member States, criminal penalties under national law for intentional acts or violations causing significant consequences; the directive itself does not define criminal offences

Through these measures, organizations are encouraged to adopt a proactive approach to cybersecurity and compliance.