The NIS2 Directive is often confused with other regulations, such as GDPR. Despite certain similarities, it focuses on cyber resilience, covering a wide range of sectors, including public and private institutions. Many misconceptions concern the scope of obligations, incident reporting, and the role of small enterprises under NIS2. Entities operating in the EU, as well as those outside the Union, must meet new requirements for risk management and reporting.
What Exactly Is NIS2 and Why Is It Confused with Other EU Regulations?
The NIS2 Directive (Network and Information Security 2) is EU legislation aimed at raising the level of cybersecurity in member states. It is an update and expansion of the scope of the original NIS directive from 2016. NIS2 introduces stricter requirements for cyber risk management, incident reporting, and cooperation between EU countries. Despite its importance, NIS2 is sometimes confused with other EU regulations, such as GDPR (General Data Protection Regulation) or the PSD2 directive (Payment Services Directive). This is due to certain similarities, such as the emphasis on data security or information obligations. However, NIS2 has a much broader scope, covering not only data protection but the overall security of network and information systems in key economic sectors.
Is NIS2 Simply “Another GDPR”?
Although NIS2 and GDPR have some common points, such as concern for data security, they are two separate legal acts with different goals and scopes. GDPR focuses on protecting personal data and individual privacy, establishing rules for processing such data by organizations. NIS2, on the other hand, focuses on the resilience and security of network and information systems, especially in sectors key to society and the economy. While GDPR applies to virtually all companies processing personal data, NIS2 covers primarily entities operating in strategic sectors such as energy, transport, and healthcare. Perceiving NIS2 as “another GDPR” is therefore a significant simplification that does not reflect the specificity and importance of this directive for cybersecurity in the EU.
What Are the Key Differences Between NIS2 and GDPR?
Despite some similarities, NIS2 and GDPR differ in several key aspects. First, GDPR focuses on protecting personal data, while NIS2 concerns the cybersecurity of network and information systems as a whole. Second, GDPR applies to all organizations processing personal data, regardless of sector, while NIS2 covers mainly entities operating in key economic sectors. Third, GDPR emphasizes individual rights, such as the right of access to data or the right to be forgotten, while NIS2 focuses on organizational obligations regarding cyber risk management and incident reporting. Finally, GDPR violations are subject to high administrative fines (up to 20 million euros or 4% of global turnover), while in the case of NIS2, member states determine the sanction system. Although both legal acts aim to improve data security, they do so from different perspectives and using different tools.
Who Does NIS2 Really Apply To?
Contrary to common misconceptions, the range of entities covered by NIS2 is very broad. The directive covers two main categories of entities: essential and important. Essential entities include, among others, energy, transport, banking, financial market infrastructure, healthcare, water, and digital enterprises. Important entities include, for example, postal, waste management, food production, and chemical companies. Importantly, NIS2 applies not only to large enterprises but also to medium and small companies meeting the directive’s criteria. Additionally, some NIS2 provisions also apply to entities outside the EU if they offer services within the Union. Public authorities are also subject to NIS2 if they meet the definition of an essential or important entity. Such a broad scope is intended to ensure comprehensive protection of critical infrastructure and of the services key to the functioning of EU society and economy.
Does NIS2 Cover Only the Private Sector?
No, this is a common misconception. NIS2 applies to both private and public entities, provided they meet the criteria for recognition as an essential or important entity. Many public institutions, such as hospitals, water utilities, or administrative bodies, are subject to NIS2 provisions due to their importance for public security and continuity of key services. The directive imposes on them obligations regarding cyber risk management, incident reporting, and implementing security measures. The goal of NIS2 is to ensure a high level of cybersecurity throughout the EU, regardless of the ownership character of the given entity. Limiting the scope of the directive only to the private sector would be unjustified, given the key role that many public institutions play in the functioning of the state and society.
Why Do Some Mistakenly Believe That NIS2 Does Not Apply to Public Institutions?
The belief that NIS2 does not cover public institutions may result from several factors. First, the original NIS directive from 2016 focused mainly on operators of essential services and digital service providers, which were primarily private entities. However, NIS2 significantly expands the scope, clearly including public institutions that meet the criteria for essential or important entities. Second, some organizations may mistakenly equate NIS2 with GDPR, which as a rule does not apply to the processing of personal data within activities not covered by EU law, such as public security. However, NIS2 concerns cybersecurity as such, not just personal data protection. Third, public institutions may not realize their critical role in ensuring the continuity of key services and public security, and, consequently, that they fall under NIS2 provisions. State authorities should therefore carefully analyze their status in light of the directive’s criteria and, if necessary, take appropriate adaptation actions.
Are Small Enterprises Really Excluded from the Scope of NIS2?
Although NIS2 as a rule covers medium and large enterprises (employing more than 50 people and with annual turnover exceeding 10 million euros), in some cases it may also apply to small companies. This happens when a small enterprise provides services essential for maintaining critical social or economic activity, and disruption of these services would have a significant impact on public safety, public health, or consumer interests. Additionally, NIS2 provides for the possibility of including small enterprises in the directive’s provisions if they are identified by a member state as entities of particular importance at national or regional level for a given sector or type of service. It is also worth remembering that some NIS2 obligations, such as reporting serious incidents, apply to all enterprises in specified sectors, regardless of their size. Small companies should therefore not automatically assume that they are completely excluded from the scope of the directive, but carefully analyze their status and obligations in light of national regulations implementing NIS2.
What Obligations Does NIS2 Introduce and Why Are They Often Underestimated?
NIS2 imposes a number of obligations on covered entities aimed at ensuring a high level of cybersecurity. The central obligation is the implementation of appropriate technical and organizational measures for managing the security risk of network and information systems. This includes, among others, security policies, employee training, threat monitoring, and regular testing and audits. Entities must also report serious cybersecurity incidents to the relevant national authorities within 24 hours of their detection. NIS2 also requires designating a person responsible for cybersecurity and applying recognized standards and best practices in this area. Underestimating these obligations may result from a lack of awareness of the scale of cyber threats, from perceiving cybersecurity as a purely technical issue, or from the belief that it only concerns large organizations. Meanwhile, effective implementation of NIS2 requirements requires the involvement of the entire organization, from the board to rank-and-file employees, and treating cybersecurity as a strategic priority. The consequences of negligence can be severe - from financial penalties to loss of reputation and customer trust.
Why Is Incident Reporting So Important in the Context of NIS2?
The obligation to report serious cybersecurity incidents is one of the key elements of NIS2. It aims to quickly detect and respond to threats, minimize damage, and prevent incidents from spreading to other entities or sectors. Reports also allow relevant authorities to monitor the state of cybersecurity on a national or EU scale, identify trends and new threats, and coordinate actions in case of cross-border incidents. For organizations themselves, incident reporting can be an opportunity to benefit from external support and expert knowledge, as well as to draw conclusions and improve their security in the future. NIS2 precisely defines the criteria for qualifying an incident as serious (e.g., number of affected users, duration, geographic scope) and the reporting deadline (24 hours). Failure to report or delayed reporting is subject to financial sanctions. It is therefore worth treating this obligation not as a burdensome formality, but as an important tool for building incident resilience and an element of cooperation for cybersecurity on an EU-wide scale.
Are Companies Aware of the Consequences of Not Reporting Incidents?
Many companies still underestimate the importance of timely reporting of cybersecurity incidents. This may result from fear of losing reputation, underestimating the scale of the incident, or the belief that they can handle it on their own. Meanwhile, failure to report or delayed reporting of a serious incident under NIS2 can entail severe consequences. First, there are financial penalties - the directive provides for fines up to 10 million euros or 2% of the enterprise’s global annual turnover. Second, failure to report an incident makes it difficult for authorities to properly assess the situation and take supporting or coordinating actions at national or EU level. This can lead to escalation of the incident and greater damage, also for the company itself. Third, covering up incidents undermines the trust of customers, business partners, and public opinion, which translates into measurable reputational and financial losses. It is therefore worth treating incident reporting not merely as an obligation but as an opportunity to quickly receive support and minimize negative effects. Companies should implement clear incident reporting procedures and regularly train employees in this area.
What Is the Geographic Scope of NIS2?
NIS2, as an EU directive, applies in all EU member states. However, its actual geographic scope is broader. First, NIS2 covers not only entities headquartered in the EU but also those that offer services within the Union, even if they are physically located outside its borders. This is to ensure equal treatment and a high level of cybersecurity regardless of the service provider’s location. Second, some NIS2 provisions, such as those concerning supply chain security, may indirectly affect entities outside the EU that are subcontractors or business partners of companies covered by the directive. Third, NIS2 provides for cooperation with third countries and international organizations to promote global cybersecurity standards and respond to cross-border incidents. The directive may therefore become a reference point and inspiration for similar regulations in other parts of the world. Although NIS2 formally binds only EU countries, its impact extends beyond the Union’s borders, contributing to raising the level of cybersecurity on a global scale.
Does NIS2 Only Apply to Companies Headquartered in the EU?
No, this is a common misconception. NIS2 applies not only to entities headquartered in the EU but also to those that offer their services within the Union, even if they are physically located outside its borders. This means that, for example, an American company providing cloud services to customers in the EU will have to meet NIS2 requirements regarding risk management, incident reporting, and cybersecurity certification. The purpose of this solution is to ensure a uniformly high level of protection for citizens and companies in the EU, regardless of where service providers come from. This is particularly important in an era of globalization and digitization, when many services are provided across borders. Entities outside the EU therefore cannot ignore NIS2 if they want to operate in the EU market. They must carefully analyze whether they meet the directive’s criteria and, if necessary, adapt their processes and security measures. It is also worth remembering that some countries outside the EU, such as the United Kingdom after Brexit, are planning to introduce regulations modeled on NIS2, which will further expand the directive’s reach.
Why Do Companies Outside the EU Mistakenly Assume That NIS2 Does Not Apply to Them?
The belief that NIS2 only applies to companies headquartered in the EU may result from several factors. First, as an EU directive, NIS2 is implemented through national regulations in member states, which may give the impression that it only applies within EU territory. Meanwhile, what matters is the place of service provision, not the location of headquarters. Second, companies outside the EU may not realize their role in providing key services to the EU market and society, and, consequently, that they fall under NIS2 provisions. This especially applies to entities operating in sectors such as energy, transport, and healthcare. Third, some organizations may mistakenly assume that meeting local cybersecurity requirements is enough to operate freely in the EU market. Meanwhile, NIS2 establishes additional, often stricter requirements, and non-compliance with them is subject to sanctions. Companies outside the EU should therefore carefully analyze the scope of their activities and assess whether they are subject to NIS2. In case of doubt, it is worth consulting cybersecurity experts and lawyers specializing in EU law.
What Are the Most Common Wrong Assumptions About NIS2 Implementation?
Implementing NIS2 is a complex process accompanied by numerous misunderstandings. One of the most common is the belief that it is enough to implement appropriate technical solutions, such as firewalls or antivirus software, to meet the directive’s requirements. Meanwhile, NIS2 emphasizes a holistic approach to risk management, also including organizational measures such as security policies, employee training, and audits. Another wrong assumption is thinking that NIS2 is a one-time project - implementing appropriate measures and controls is just the beginning. The directive requires continuous monitoring, testing, and improving security in response to evolving threats. Another misconception is the belief that NIS2 only applies to large companies or selected sectors. In reality, the directive covers a wide range of entities, including medium and small enterprises, provided they meet the criteria for recognition as an essential or important entity. Finally, some organizations mistakenly assume that they can simply transfer solutions implemented for GDPR or other regulations. Although some elements, such as risk assessment and incident reporting, are similar, NIS2 has its own specificity and requires a dedicated approach. Effective NIS2 implementation therefore requires overcoming these wrong assumptions and treating the directive as a strategic challenge for the entire organization.
Is NIS2 Implementation Only a Task for IT Departments?
No, this is a common misconception. Although IT departments play a key role in implementing NIS2, the directive requires the involvement of the entire organization. Of course, many security measures, such as data encryption and network monitoring, are technical in nature and fall within the purview of IT specialists. However, NIS2 also emphasizes organizational and human aspects. For example, the board must provide appropriate resources and oversight of the cybersecurity program. The legal department must ensure that policies and contracts comply with the directive’s requirements. HR is responsible for training and building employee awareness. The communications department must develop incident information procedures. Finally, every employee, regardless of position, must apply good practices, such as caution when opening attachments or reporting suspicious events. Effective NIS2 implementation therefore requires cross-departmental cooperation, clear division of roles, and involvement of all staff. Perceiving the directive as a task only for IT is a direct path to negligence and security gaps. Cybersecurity must become part of organizational culture and the responsibility of all employees.
Why Do Some Organizations Underestimate the Importance of NIS2 for Their Operations?
Underestimating the importance of NIS2 may result from several factors. First, many organizations do not realize that the directive applies to them. This especially applies to medium and small companies that may not perceive themselves as essential or important entities. Meanwhile, NIS2 criteria are quite broad and cover many sectors, from energy to digital services. Second, some organizations may underestimate the scale and severity of cyber threats. The belief that “it doesn’t concern us” or “it will be fine” is a direct path to a painful collision with reality in case of an incident. Third, NIS2 implementation is perceived as costly and burdensome, especially by smaller entities. However, the costs of omission or delays can be much higher - from financial penalties to loss of reputation and customers. Fourth, some organizations may hope to “wait out” or “circumvent” the directive’s requirements. This is a short-sighted approach, given the growing regulatory pressure and customer expectations regarding cybersecurity. Finally, underestimating NIS2 may result from a lack of understanding of its strategic importance. The directive is not just an obligation but an opportunity to strengthen resilience, customer trust, and competitive advantage. Organizations that see NIS2 as an impulse for transformation and innovation will be better prepared for the challenges of the digital era.
In summary, the NIS2 directive is a comprehensive and demanding piece of legislation that gives rise to many misconceptions. Contrary to popular opinion, NIS2 is not “another GDPR” but a legal act with a different purpose and scope. It covers not only the private sector but also many public institutions. It is not limited to large companies but in some cases also applies to SMEs. Its reach extends beyond EU borders, covering entities providing services in the EU market. NIS2 implementation is a strategic challenge for the entire organization, not just a task for IT departments.
Misconceptions about NIS2 can have serious consequences. Underestimating the importance of the directive, wrong assumptions about its scope, or a superficial approach to implementation is a direct path to negligence, incidents, and painful sanctions. Meanwhile, proper understanding and implementation of NIS2 is not just an obligation but an opportunity to increase cyber resilience, customer trust, and competitive advantage.
That is why reliable education and raising organizations’ awareness of the real meaning and requirements of NIS2 is so important. It is essential to dispel myths, invest in expert knowledge, and build a cybersecurity culture at all levels of the organization. Only a holistic and strategic approach to NIS2 implementation will allow full use of the directive’s potential and effective protection of key services and infrastructure in an era of growing digital threats.
