The NIS2 Directive (Network and Information Security 2) significantly broadens the scope of European cybersecurity regulation. Many organizations that were not covered by NIS1 now are, often without realizing it. Here is what you need to know about your obligations and how to act.
What is the NIS2 Directive?
NIS2 is the European directive that harmonizes and strengthens the cybersecurity level of entities deemed critical to the economy and society. It replaces the 2016 NIS directive, considered too limited, and imposes stricter requirements for risk management, incident notification and management accountability.
Who is concerned?
NIS2 distinguishes two categories of entities, based on their size and sector:
- ✓Essential entities (EE): large companies in highly critical sectors (energy, transport, banking, health, water, digital infrastructure, public administration…).
- ✓Important entities (IE): medium-sized companies in these sectors and additional critical sectors (postal services, waste management, food, manufacturing, digital providers…).
As a rule, organizations with more than 50 employees or over €10M in revenue in the targeted sectors are covered. Exceptions exist: some small but critical entities are included regardless of size.
What are the key obligations?
- ✓Implement cyber risk management measures (risk analysis, security policy, access control, encryption, business continuity…).
- ✓Notify significant incidents to the competent authority, with an early warning within 24 hours.
- ✓Secure the supply chain and supplier relationships.
- ✓Involve management: governing bodies must approve and oversee measures and may be held liable.
What penalties for non-compliance?
Penalties are dissuasive: up to €10M or 2% of global revenue for essential entities, and up to €7M or 1.4% for important entities. Directors can also be held personally liable.
How to become compliant?
- ✓Determine whether your organization is covered and under which category (EE or IE).
- ✓Run a gap analysis between your current practices and NIS2 requirements.
- ✓Implement a risk analysis and the expected technical and organizational measures.
- ✓Define an incident detection and notification process.
- ✓Raise awareness among management and teams, and formalize governance.
Need NIS2 support?
Cyber-SSI helps you determine your eligibility, run your gap analysis and implement the expected measures, step by step.
NIS2 is not just a regulatory constraint: it is an opportunity to durably structure your cybersecurity. The earlier you anticipate, the smoother and more controlled the path to compliance.
Go further
Compliance →