# NIS2 Directive
Directive on Security of Network and Information Systems

## Overview
NIS2 replaces and significantly expands the original NIS Directive, establishing a high common level of cybersecurity across the EU. It applies to a much broader range of sectors and entities, introduces stricter supervisory measures, and harmonizes sanctions across Member States.[1]
As a directive, NIS2 required transposition into national law by October 17, 2024. Implementation varies by Member State.
## Scope: Essential vs Important Entities

### Essential Entities (Higher Scrutiny)[2]

| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating |
| Transport | Air, rail, water, road |
| Banking | Credit institutions |
| Financial markets | Trading venues, central counterparties |
| Health | Healthcare providers, labs, pharma, medical devices |
| Drinking water | Water suppliers |
| Wastewater | Wastewater treatment |
| Digital infrastructure | Internet exchange points (IXPs), DNS service providers, TLD name registries, cloud providers, data centers, CDNs, trust service providers (TSPs) |
| ICT service management | Managed service providers, managed security service providers |
| Public administration | Central government entities |
| Space | Ground-based infrastructure operators |

### Important Entities (Lighter Scrutiny)

| Sector | Examples |
|---|---|
| Postal services | Postal and courier services |
| Waste management | Waste collection and treatment |
| Chemicals | Manufacturing and distribution |
| Food | Production and distribution |
| Manufacturing | Medical devices, electronics, machinery, vehicles |
| Digital providers | Online marketplaces, search engines, social networks |
| Research | Research organizations |

### Size Thresholds

NIS2 generally applies to medium and large entities:
- Medium: 50+ employees OR €10M+ annual turnover or balance sheet total
- Large: 250+ employees OR €50M+ annual turnover OR €43M+ balance sheet total

Some entities are in scope regardless of size (DNS service providers, TLD registries, cloud providers, data centers, etc.).
## Key Requirements

### Risk Management Measures (Article 21)[3]

Entities must implement appropriate technical, operational, and organizational measures:
- Policies: Risk analysis and information system security policies
- Incident handling: Detection, response, and recovery procedures
- Business continuity: Backup, disaster recovery, crisis management
- Supply chain security: Security requirements for suppliers
- Network security: Acquisition, development, and maintenance security
- Effectiveness assessment: Policies to evaluate security measure effectiveness
- Basic cyber hygiene: Training and awareness programs
- Cryptography: Policies on cryptographic controls and encryption
- Human resources: Personnel security and access controls
- Multi-factor authentication: MFA and secure communication systems

### Incident Reporting (Article 23)[4]

| Timeline | Requirement |
|---|---|
| 24 hours | Early warning to CSIRT/competent authority |
| 72 hours | Incident notification with initial assessment |
| 1 month | Final report with root cause and mitigation |

An incident counts as significant, and must therefore be reported, if it has caused or is capable of causing severe operational disruption or financial loss, or if it has affected or is capable of affecting other natural or legal persons.

### Management Accountability

Management bodies must:
- Approve cybersecurity risk management measures
- Oversee implementation of security measures
- Be personally liable for non-compliance
- Undergo cybersecurity training

## Penalties

- Essential entities: Up to €10 million or 2% of global turnover
- Important entities: Up to €7 million or 1.4% of global turnover[5]
Member States may impose additional penalties including temporary management bans.

## Developer and ICT Service Provider Obligations

If you provide ICT services or products:
- Managed Service Providers: Directly in scope as essential entities
- Cloud Providers: Directly in scope as essential entities
- Software Developers: Supply chain obligations from customer entities
- Security Vendors: May be designated as important entities