Knowledge base Updated: February 5, 2026

NIS2 directive is now in force - what does it mean for your business?

The NIS2 directive has fundamentally changed cybersecurity requirements across the European Union. Thousands of companies in new sectors now face mandatory security measures, incident reporting, and potential fines reaching 10 million EUR. Here's what you need to know and do before enforcement catches up with you.

The countdown is over. The NIS2 directive (Network and Information Systems Directive 2) is no longer a distant regulatory threat - it’s the law across all 27 EU member states. For cybersecurity professionals, this was expected. For many business leaders, it’s a wake-up call that arrived faster than anticipated.

If your company operates in energy, healthcare, banking, manufacturing, food production, chemicals, postal services, water management, or digital infrastructure anywhere in the European Union - this directive will change how you think about IT security. It will reshape your budgets, your procedures, and potentially your entire vendor ecosystem.

Why did the EU introduce NIS2 in the first place?

The original NIS directive from 2016 was the EU’s first attempt at creating a unified cybersecurity framework. It worked - to a point. But the threat landscape evolved faster than the regulation. Ransomware attacks on hospitals, supply chain compromises affecting thousands of companies, critical infrastructure breaches - the old rules simply couldn’t keep up.

NIS2 is the EU’s response to this reality. It dramatically expands the scope of regulated entities, introduces stricter security requirements, and backs them up with substantial penalties. The directive also addresses a critical gap: supply chain security. The SolarWinds attack demonstrated how compromising a single vendor can cascade across thousands of organizations. NIS2 makes supply chain risk management a legal obligation, not just a best practice.

The implementation deadline was October 17, 2024. Member states were required to transpose the directive into national law by that date. Some made it on time, others are still catching up. But regardless of local implementation status, the direction is clear - cybersecurity is no longer optional for any significant business in the EU.

📚 Read the complete guide: SOC: Security Operations Center - what it is, how it works, how to choose one

Which companies are affected by NIS2?

NIS2 introduces a fundamental change in how regulated entities are classified. The old distinction between “operators of essential services” and “digital service providers” is gone. In its place: essential entities and important entities.

This isn’t just terminology. The list of covered sectors has expanded significantly. Beyond the original sectors - energy, transport, health, banking, financial market infrastructure, water supply, and digital infrastructure - NIS2 adds:

  • Wastewater management
  • ICT service management (including cloud services)
  • Space
  • Postal and courier services
  • Manufacturing and distribution of chemicals
  • Food production and distribution
  • Public administration
  • Research organizations

The size thresholds matter too. Generally, medium-sized companies (50+ employees or 10M+ EUR turnover) and large companies in these sectors fall under NIS2. But member states can designate smaller entities as essential or important if they provide critical services.

For many companies in the “new” sectors, this is their first encounter with mandatory cybersecurity requirements. A food manufacturer that previously thought of IT only in terms of ERP systems now needs a comprehensive information security management system.

What specific obligations does NIS2 impose?

The directive requires essential and important entities to implement a range of security measures. These aren’t suggestions - they’re legal requirements with significant penalties for non-compliance.

Mandatory measures include:

  • Risk analysis and information system security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security
  • Security in network and system acquisition, development, and maintenance
  • Policies for assessing the effectiveness of cybersecurity measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies on cryptography and encryption
  • Human resources security and access control
  • Multi-factor authentication where appropriate

The directive takes a risk-based approach. Measures must be “appropriate and proportionate” to the risks faced. But this flexibility comes with responsibility - companies must be able to justify their security decisions if challenged by regulators.

Particularly demanding is the supply chain security requirement. Organizations must now assess and manage cybersecurity risks arising from their relationships with direct suppliers and service providers. This means evaluating vendor security practices, including security requirements in contracts, and monitoring compliance.

How does the incident reporting work?

NIS2 introduces strict timelines for reporting significant cybersecurity incidents. This is where the operational impact of the directive becomes most acute.

The reporting cascade:

  • 24 hours: Early warning to the competent authority or CSIRT (Computer Security Incident Response Team)
  • 72 hours: Incident notification with initial assessment of severity and impact
  • 1 month: Final report with detailed description, root cause, and mitigation measures

A “significant incident” is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Ask yourself: Can your organization detect an attack, confirm its severity, and prepare a formal notification - all within 24 hours? On a Saturday night? During the Christmas holiday? For most companies, the honest answer is “no.” This single requirement effectively mandates 24/7 security monitoring capabilities, either in-house or through managed security services.

What penalties does NIS2 introduce?

The EU learned from GDPR that penalties need teeth to drive compliance. NIS2 follows the same philosophy.

For essential entities:

  • Maximum fine: 10 million EUR or 2% of total worldwide annual turnover (whichever is higher)

For important entities:

  • Maximum fine: 7 million EUR or 1.4% of total worldwide annual turnover (whichever is higher)

But financial penalties are only part of the picture. NIS2 also introduces personal accountability for management. Senior management can be held personally liable for non-compliance. Member states must ensure that management bodies can be subject to sanctions for breaching their obligations to ensure and oversee cybersecurity.

This changes the conversation at the board level. Cybersecurity is no longer something to delegate to IT and forget. Directors and C-suite executives have a legal duty to understand cyber risks and ensure appropriate measures are in place.

NIS2 penalty framework:

Entity type | Maximum fine | % of turnover | Management liability
Essential   | 10M EUR      | 2%            | Yes
Important   | 7M EUR       | 1.4%          | Yes

How does NIS2 address supply chain security?

Supply chain attacks have become one of the most effective vectors for sophisticated threat actors. The compromise of a single widely-used software vendor can provide access to thousands of organizations simultaneously. NIS2 addresses this directly.

Organizations must take into account the vulnerabilities specific to each direct supplier and service provider, and the overall quality of products and cybersecurity practices of their suppliers. This includes:

  • Assessing the security practices of suppliers before engagement
  • Including cybersecurity requirements in contracts
  • Monitoring supplier compliance over time
  • Having contingency plans for supplier security failures

For many organizations, this means building entirely new capabilities. Procurement teams need to understand security requirements. Legal teams need to draft appropriate contract clauses. Security teams need to develop vendor assessment methodologies.

The challenge is particularly acute for organizations with complex supply chains. A manufacturer might have hundreds of suppliers, each with their own technology stack and security practices. Assessing and monitoring all of them requires systematic processes and often specialized tools.

What role do national authorities play?

NIS2 strengthens the supervisory framework significantly. Each member state must designate competent authorities responsible for cybersecurity and one or more CSIRTs (Computer Security Incident Response Teams).

Supervisory powers include:

  • On-site inspections and off-site supervision
  • Regular and targeted security audits
  • Security scans based on objective, non-discriminatory criteria
  • Requests for information and evidence of security policy implementation
  • Requests for evidence of compliance (such as audit results)

For essential entities, supervision is proactive - authorities will actively monitor compliance. For important entities, supervision is reactive - authorities act primarily when evidence of non-compliance emerges (through incidents, complaints, or other means).

The cross-border dimension is important too. NIS2 creates mechanisms for cooperation between national authorities, including joint supervisory actions and mutual assistance. A company operating across multiple EU countries may find itself dealing with multiple national authorities.

How should companies prepare for NIS2 compliance?

Preparation should start with a gap assessment. Without knowing where you stand, you can’t plan effectively. The assessment should cover:

  • Asset inventory: What systems and data do you have?
  • Current security controls: What measures are already in place?
  • Gap analysis: Where do you fall short of NIS2 requirements?
  • Supply chain mapping: Who are your critical ICT suppliers?

Next comes risk assessment. NIS2 requires a risk-based approach, so you need documented risk analysis to justify your security decisions. This should be an ongoing process, not a one-time exercise.

Then build or adapt your ISMS (Information Security Management System). Organizations with ISO 27001 certification have a head start - there’s significant overlap with NIS2 requirements. Others need to develop policies, procedures, incident response plans, and business continuity arrangements.

Address supply chain security systematically. Identify your critical suppliers, assess their security practices, update contracts to include security requirements, and establish ongoing monitoring.

Finally, ensure you have incident detection and response capabilities that can meet the 24-hour reporting requirement. For many organizations, this means engaging managed security service providers or building internal SOC capabilities.

What does NIS2 mean for IT strategy?

Cybersecurity budgets will need to increase - significantly for many organizations. Security can no longer be an afterthought or a line item that gets cut when times are tight. The potential penalties alone justify substantial investment.

Talent acquisition becomes even more challenging. The cybersecurity skills shortage is already acute - NIS2 will intensify competition for qualified professionals. Managed security services and strategic outsourcing become more attractive when you can’t hire enough specialists.

Vendor relationships will change fundamentally. Security requirements will become standard in procurement processes. Vendors unable to demonstrate adequate security practices will lose business. This creates both risk and opportunity - companies that get security right can differentiate themselves.

Board engagement is no longer optional. Directors need sufficient understanding of cybersecurity to exercise proper oversight. This often means training, regular briefings, and inclusion of cyber risk in board-level reporting.

NIS2 compliance roadmap:

Phase | Action                                   | Timeline
1     | Gap assessment - understand current state | 0-3 months
2     | Risk assessment and prioritization        | 2-4 months
3     | Build/adapt ISMS                          | 4-12 months
4     | Supply chain security program             | 3-6 months
5     | Staff and management training             | Ongoing
6     | Security testing and validation           | Every 6-12 months
7     | Pre-audit assessment                      | Before enforcement

Is your organization ready for the new reality?

NIS2 represents the most significant expansion of cybersecurity regulation in the EU’s history. Thousands of companies that never faced mandatory security requirements are now in scope. The penalties are substantial. Management accountability is personal.

But NIS2 isn’t just about compliance and avoiding fines. It’s a framework for building genuine cyber resilience. Organizations that approach it purely as a checkbox exercise will struggle. Those that see it as an opportunity to strengthen their security posture will emerge better protected against real-world threats.

The directive recognizes a fundamental truth: in a connected economy, cybersecurity is everyone’s problem. A breach at one company can cascade through supply chains, affecting customers, partners, and entire sectors. By raising the baseline across the EU, NIS2 aims to make the entire ecosystem more resilient.

The implementation timeline varies by member state, but the direction is irreversible. Companies that start preparing now will have time for thoughtful, systematic implementation. Those that wait will find themselves scrambling to meet requirements while facing potential enforcement action.

In a world where cyberattacks can halt production, steal intellectual property, or destroy reputation - investment in security is investment in survival. NIS2 simply makes that investment mandatory.
