What is NIS2?
NIS2 (Network and Information Security 2, Directive (EU) 2022/2555) is the European directive that replaces the original NIS directive adopted in 2016. It raises the cybersecurity bar across the European Union and had to be transposed into national law by member states by 17 October 2024.
Where the first NIS directive targeted a narrow set of operators, NIS2 substantially broadens the scope, harmonizes obligations across countries and introduces a more dissuasive penalty regime.
Why it matters for your organization
NIS2 classifies organizations as "essential" or "important" entities, with differentiated obligations and penalties. Infringements can lead to administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities (up to 7 million euros or 1.4% for important entities).
An often underestimated point: the directive holds management bodies personally accountable. They must approve the risk-management measures, oversee their implementation and undergo training, and they can be held liable for infringements. Cybersecurity becomes an explicit board-level topic.
The key obligations
- Risk management: put in place appropriate and proportionate technical, operational and organizational measures, including supply-chain security.
- Incident notification: report significant incidents to the CSIRT or competent authority in three stages: an early warning within 24 hours of becoming aware of the incident, a fuller notification within 72 hours, and a final report within one month.
- Business continuity: backups, crisis management and recovery plans.
- Supply-chain security: assess and govern the risk from direct suppliers and service providers.
- Governance and accountability: documented management involvement and leadership training.
- Registration: register with the competent national authority and supply the identifying information it requires.
Where organizations most often fall short
Many still believe NIS2 only concerns large energy or telecom operators. In practice, scope becomes real the moment a customer sends a security questionnaire or a contract adds a notification clause. Common gaps involve supply-chain security, the ability to issue the 24-hour early warning, and the lack of documented evidence of board involvement.