Why It Matters
NIS2 replaces the original NIS Directive and dramatically expands the scope of EU cybersecurity regulation. It covers more sectors, imposes stricter requirements, introduces personal liability for management, and harmonizes enforcement across member states. Organizations that previously flew under the radar may now be in scope.
Who Must Comply
NIS2 applies to two categories of entity, drawn from 18 sectors:
Essential entities (stricter requirements):
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, laboratories, medical devices)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLDs, cloud, data centers)
- Public administration
- Space
Important entities:
- Postal services, waste management
- Chemical manufacturing and food production
- Digital providers (search engines, social platforms, marketplaces)
- Manufacturing of medical devices, computers, vehicles
- Research organizations
Key Requirements
- Risk management measures — policies for risk analysis, incident handling, business continuity, supply chain security, encryption, access control, and vulnerability management
- Incident reporting — early warning within 24 hours, full notification within 72 hours, final report within one month
- Supply chain security — assess and manage risks from direct suppliers and service providers
- Management body accountability — board members must approve cybersecurity measures and can be held personally liable
- Cybersecurity training — mandatory for management and relevant staff
Penalties
- Essential entities: up to €10 million or 2% of global annual turnover
- Important entities: up to €7 million or 1.4% of turnover
- Management liability: individuals can be held personally responsible
Key Regulation
- Directive (EU) 2022/2555 — the NIS2 Directive
- Transposition deadline: October 17, 2024
- Enforced by: national cybersecurity authorities in each member state (e.g., CERT in Croatia, BSI in Germany)