NIS2 – Network and Information Security Directive 2

Contents

1 📘 What is NIS2?
2 🏛️ Who Does NIS2 Apply To?
- 2.1 🟦 Essential Entities
- 2.2 🟨 Important Entities
3 ⚖️ Key Obligations
4 🔐 Cybersecurity Requirements
5 🚨 Penalties for Non-Compliance
6 🔄 NIS2 vs Original NIS

📘 What is NIS2?

NIS2 is the updated EU-wide cybersecurity directive, replacing the original NIS Directive (2016). It aims to improve the overall level of cybersecurity across the EU, particularly for essential and important sectors.

NIS2 introduces stricter obligations, stronger enforcement, and a broader scope to ensure digital and operational resilience in the face of increasing cyber threats.

Enforcement deadline: 17 October 2024 (member states must transpose into national law by then)

🏛️ Who Does NIS2 Apply To?

NIS2 applies to public and private entities that operate in the following sectors:

🟦 Essential Entities

Energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration, space

🟨 Important Entities

Postal services, food production, chemicals, waste management, manufacturing (e.g. medical devices, electronics)

Even managed service providers (MSPs) and data centre operators are covered if they serve critical sectors.

⚖️ Key Obligations

Obligation	Description
Risk Management	Entities must implement technical and organisational security measures (aligned with ISO/NIST).
Incident Notification	Report major incidents within 24 hours of detection. Updates required at 72 hours and post-incident.
Supply Chain Security	Risk assessments must include third parties and outsourced IT services.
Business Continuity & Recovery	Plans must cover cyber resilience and continuity of essential services.
Governance	Boards are personally liable for compliance and must approve security measures.

🔐 Cybersecurity Requirements

Access control & least privilege enforcement
Multi-factor authentication (MFA)
Encryption in transit and at rest
Vulnerability handling and patch management
Logging and continuous monitoring
Use of ENISA guidance and national CSIRTs

🚨 Penalties for Non-Compliance

Fines of up to €10 million or 2% of global turnover
Temporary bans on executives
Public exposure of non-compliant organisations

🔄 NIS2 vs Original NIS

Category	NIS (2016)	NIS2 (2022)
Scope	Limited to critical sectors	Expanded to include many “important” sectors
Enforcement	Variable by country	Harmonised, with stricter rules
Penalties	Mild	Comparable to GDPR in severity
Governance	Not explicit	Executive responsibility enforced