What is NIS2?

NIS2 is a high-level directive, strengthening cybersecurity. To enhance Europe’s resilience against existing and emerging cyber threats, the NIS2 Directive introduces new requirements and obligations for organizations in four key areas: 

  • risk management, 
  • corporate accountability, 
  • reporting obligations, 
  • and business continuity.

1. Risk Management:

Organizations are mandated to implement measures aimed at minimizing cyber risks in alignment with the new Directive. These measures encompass incident management, strengthening supply chain security, enhancing network security, improving access control, and implementing encryption strategies.

2. Corporate Accountability:

NIS2 necessitates that corporate management assume the responsibility of overseeing, approving, and being adequately trained in the organization’s cybersecurity measures and addressing cyber risks. Non-compliance with these responsibilities may lead to penalties for management, which could include liability and potential temporary bans from holding management roles.

3. Reporting Obligations:

Entities classified as essential and important are required to establish processes for the timely reporting of security incidents that have a significant impact on their service provision or recipients. The Directive sets specific notification deadlines, including a 24-hour “early warning” period.

4. Business Continuity:

Organizations must develop comprehensive plans for ensuring business continuity in the event of major cyber incidents. These plans should encompass considerations related to system recovery, emergency procedures, and the establishment of a crisis response team.

Who does NIS2 apply to?

NIS2 is relevant to all entities that provide essential or important services to the European economy and society, including companies and suppliers:

  • Essential Entities (EE) – Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million
    • Energy
    • Transport
    • Finance
    • Public Administration
    • Health
    • Space
    • Water supply (drinking & wastewater)
    • Digital Infrastructure (e.g. cloud computing service providers and ICT management)
  • Important Entities (IE) – Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million or balance sheet of € 10 million
    • Postal Services
    • Waste Management
    • Chemicals
    • Research
    • Foods
    • Manufactoring (e.g. medical devices and other equipment)
    • Digital Providers (e.g. social networks, search engines, online marketplaces)
    • Plus all sectors under “essential entities” and within the size threshold for “important entities”

An entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.

What are the requirements for NIS2?

1. Determine if you are within the scope of NIS2 and identify the specific units affected.

2. Review existing security measures, update security policies, and strategize for NIS2 compliance.

3. Integrate new security protocols and fulfill incident reporting obligations throughout the supply chain. Initiate these steps promptly to mitigate the risk of delays.

Along with the requirements in the 4 key areas mentioned above (Risk Management, Reporting, Corporate Accountability, and Business Continuity), NIS2 outlines ten essential security measures that must be implemented by essential and important entities to address specific cyber threats effectively:

1. Conducting risk assessments and establishing security policies for information systems.

2. Implementing policies and procedures for evaluating the effectiveness of security measures.

3. Defining policies and procedures for the use of cryptography and, when relevant, encryption.

4. Developing a comprehensive plan for managing security incidents.

5. Ensuring security in the procurement, development, and operation of systems, including policies for handling and reporting vulnerabilities.

6. Providing cybersecurity training and promoting basic computer hygiene practices.

7. Establishing security procedures for employees with access to sensitive or important data, including data access policies. Organizations must maintain an inventory of relevant assets and ensure their proper utilization and management.

8. Creating a plan for business continuity during and after a security incident, including the maintenance of up-to-date backups and ensuring access to IT systems and their functions.

9. Implementing multi-factor authentication, continuous authentication solutions, voice, video, text encryption, and encrypted internal emergency communication when appropriate.

10. Ensuring security within the supply chain and assessing the relationship between the company and direct suppliers. Companies are required to select security measures tailored to the vulnerabilities of each direct supplier and assess the overall security level of all suppliers.

What is the relationship between NIS2 and DORA?

NIS2 and DORA diverge in their objectives and scope. NIS2 primarily seeks to enhance cybersecurity at the EU level, while DORA concentrates on ensuring the integrity and availability of the financial sector. NIS2 operates as a European directive, necessitating each Member State to enact it into their national laws by October 2024, while DORA functions as a regulation, set to be directly enforceable in all EU countries as of January 17, 2025. These two regulations target distinct categories of entities, with NIS2 addressing Essential Entities (EE) and Important Entities (IE), and DORA encompassing the financial sector through 21 specific entity types. It is noteworthy that DORA holds the status of “lex specialis” for the financial sector, signifying its precedence over NIS2 for entities subject to DORA. However, this does not imply that NIS2 obligations are rendered inapplicable to entities impacted by both regulatory frameworks.

Why should you be NIS2 compliant?

The duty of care and reporting requirements introduce a mechanism for enforcing and promoting the effective adherence to the regulations. Authorities will possess an array of supervisory tools and resources to fulfill this objective.

Minimum Sanctions: The NIS2 Directive enforces a mandatory roster of sanctions, which encompass on-site inspections, security audits, security scans, and the issuance of information requests and access to data. While some sanctions are uniformly applicable across all countries, others, particularly those for severe breaches, necessitate individual countries to ensure the implementation of effective, proportionate, and deterrent penalties. Furthermore, the determination of the nature of sanctions, whether criminal or administrative, is left to the discretion of each country. Penalties are expected to align with the gravity and characteristics of the violation, factoring in considerations such as the extent of damage incurred, collaboration with the competent authority, and contextual circumstances.

Administrative Fines: In lieu of or in conjunction with other measures, administrative fines may be imposed based on the specifics of each case. Similar criteria to those used for other sanctions will guide the imposition of administrative fines. Violations may result in administrative fines of up to 10 million euros or 2% of the company’s annual worldwide turnover, whichever is higher. Local supervisory authorities are tasked with formulating their own guidelines for administering fines.

How to achieve compliance?

The NIS2 directive introduces essential requirements to enhance cybersecurity and regulatory compliance within organizations. With the Centraleyes automated risk and compliance platform, organizations can seamlessly align with these requirements. Centraleyes offers automated tasks and activities, such as real-time risk assessment, remediation, and compliance reporting, enabling swift and efficient compliance with the NIS2 framework. By leveraging Centraleyes, organizations can proactively mitigate cyber risks, enhance their cybersecurity posture, and promptly meet NIS2 compliance standards, positioning themselves for a more secure and compliant future.
Read more:

Start implementing NIS2 in your organization for free

Related Content


What is the CJIS framework? The CJIS (Criminal Justice Information Services) framework is a comprehensive set…


What is the HITECH Act? The Health Information Technology for Economic and Clinical Health (HITECH) Act…

What is the CPRA Act?

The California Privacy Rights Act (CPRA) is a state-wide data privacy law that governs how businesses…
Skip to content