The NIS2 Directive: EU Cybersecurity Rules for Your Business

EU Cybersecurity Rules Just Got a Lot Wider

The NIS2 directive came into force across the EU in October 2024, and it brought a significant change: the list of businesses required to have formal cybersecurity measures in place got much longer. The original NIS directive from 2016 covered critical infrastructure like power grids and hospitals. NIS2 extends the same logic to mid-sized and large organisations across a much broader range of sectors – including digital services, food production, postal services, and manufacturing.

If your business falls in scope, the rules are real and the fines are substantial. Here is what you need to know.

What Is the NIS2 Directive?

The NIS2 Directive (EU) 2022/2555 is the EU’s updated framework for network and information security. EU member states were required to transpose it into national law by October 17, 2024.

The directive divides in-scope organisations into two categories:

  • Essential entities – large organisations in highly critical sectors. Think energy companies, banks, hospitals, telecoms, water suppliers.
  • Important entities – medium-sized organisations in a broader set of sectors, or large organisations in sectors deemed less critical.

The distinction matters mostly for fines and oversight intensity, not for the underlying obligations – both categories face similar requirements.

Does NIS2 Apply to Your Business?

NIS2 uses a size-based threshold to determine who is in scope. As a starting point: if your organisation has 50 or more employees or an annual turnover of €10 million or more, and you operate in one of the covered sectors, you are likely in scope.

The covered sectors include:

Highly critical sectors:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health (hospitals, labs, pharma, medical devices)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, cloud, data centres, CDNs)
  • Public administration

Other critical sectors:

  • Postal and courier services
  • Waste management
  • Manufacture of critical products (chemicals, medical devices, electronics)
  • Food production and distribution
  • Digital providers (marketplaces, search engines, social networks)
  • Research organisations
  • Manufacturing (vehicles, machinery)

Some organisations are in scope regardless of size – including providers of critical national infrastructure and certain digital service providers.

What Does NIS2 Require?

The core of NIS2 is a set of cybersecurity risk management measures that in-scope organisations must implement. These are not optional guidelines – they are legal obligations. The main requirements:

  • Risk analysis and information security policies – documented processes for identifying and managing cybersecurity risks
  • Incident handling – procedures for detecting, responding to, and recovering from security incidents
  • Business continuity and crisis management – backup systems, disaster recovery, and a plan for keeping operations running during an attack
  • Supply chain security – assessing the security practices of your suppliers and service providers
  • Secure development and procurement – security considerations built into how you acquire or build systems
  • Vulnerability disclosure and handling – a process for managing discovered vulnerabilities
  • Multi-factor authentication and encryption – where appropriate

NIS2 also holds management directly accountable. Senior leadership can be held personally liable for failures to comply – a significant change from the original NIS directive, which focused solely on the organisation.

Incident Reporting Timelines

If you experience a significant cybersecurity incident, NIS2 sets strict reporting deadlines:

  • Within 24 hours: Early warning to your national competent authority
  • Within 72 hours: Full incident notification with an initial assessment of severity and impact
  • Within 1 month: Final report with a full analysis, root cause, and remediation steps taken

What Are the Fines?

NIS2 fines are set at the EU level as a minimum – member states can go higher:

  • Essential entities: at least €10 million or at least 2% of global annual turnover, whichever is higher
  • Important entities: at least €7 million or at least 1.4% of global annual turnover, whichever is higher

These fines sit in the same territory as GDPR penalties. If you are already thinking about data protection obligations, it is worth reading how the CLOUD Act and GDPR interact – particularly if you rely on US-based digital infrastructure, which is common in the sectors NIS2 covers.

Where to Start

If you think your business may be in scope, the most useful first step is to check your national transposition law – each EU country has implemented NIS2 slightly differently. The EU Agency for Cybersecurity (ENISA) maintains guidance and resources for organisations working through NIS2 compliance.

If your sector involves AI-powered systems, keep in mind that the EU AI Act adds further obligations around risk management and transparency that overlap with NIS2 in several areas.

Quick Answers

Does NIS2 apply to small businesses?
Generally no – the 50-employee / €10M turnover threshold excludes most small businesses. But check whether you are in a sector where exceptions apply, or whether you are a supplier to an essential entity (NIS2 requires essential entities to assess their supply chains).

When did NIS2 become law?
Member states were required to transpose NIS2 into national law by October 17, 2024. Not all countries met that deadline on time, but the obligation is now in effect across the EU.

Who enforces NIS2?
Each member state designates its own national competent authorities for each sector. There is no single EU-level enforcer.

Do I need to register somewhere?
In-scope organisations may be required to register with their national competent authority, depending on the member state. Check your country’s transposition law for specifics.
