Executive summary: NIS2 Directive for the EU members (updated)

The NIS 2 Directive is a set of cybersecurity guidelines and requirements established by the European Union (EU) . It replaces and repeals the NIS Directive (Directive 2016/1148/EC) . The full name of the directive is “Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148 (NIS 2 Directive)” .

The NIS 2 Directive aims to improve cybersecurity risk management and introduce reporting obligations across sectors such as energy, transport, health, and digital infrastructure . It provides legal measures to boost the overall level of cybersecurity in the EU .

The directive covers a larger share of the economy and society by including more sectors, which means that more entities are obliged to take measures to increase their level of cybersecurity .

The management bodies of essential and important entities must approve the cybersecurity risk-management measures taken by those entities, oversee its implementation, and can be held liable for infringements .


Who is affected?

The NIS 2 Directive significantly expands the sectors and type of critical entities falling under its scope.

As a ground rule, companies from certain areas that meet these conditions are affected:

Essential Entities (EE):

  • at least 250 employees and
  • 50 Mil € revenue

Important Entities (IE):

  • at least 50 employees and
  • 10 Mil € revenue


NIS 2 covers areas such as

  • Essential Entities:
    • energy (electricity, district heating and cooling, oil, gas and hydrogen);
    • transport (air, rail, water and road); banking;
    • financial market infrastructures;
    • health including  manufacture of pharmaceutical products including vaccines;
    • drinking water;
    • waste water;
    • digital infrastructure (internet exchange points; DNS service providers;
    • TLD name registries; cloud computing service providers;
    • data centre service providers;
    • content delivery networks;
    • trust service providers;
    • providers of  public electronic communications networks and publicly available electronic communications services);
    • ICT service management (managed service providers and managed security service providers), public administration and space.

Important Entities:

    • postal and courier services;
    • waste management;
    • chemicals;
    • food;
    • manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment;
    • digital providers (online market places, online search engines, and social networking service platforms) and research organisations.

An entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.



The Member States have until October 17, 2024, to adopt and publish the measures necessary to comply with the NIS 2 Directive. They shall apply those measures from October 18, 2024 .

The benefits of the NIS 2 directive include creating the necessary cyber crisis management structure (CyCLONe), increasing the level of harmonization regarding security requirements and reporting obligations, encouraging Members States to introduce new areas of interest such as supply chain, vulnerability management, core internet, and cyber hygiene in their national cybersecurity strategies, bringing novel ideas such as peer reviews for enhancing collaboration and knowledge sharing amongst Member States .

In order to comply with the NIS 2 directive, entities will need to take measures to increase their level of cybersecurity. This may include following training for members of management bodies of essential and important entities as well as offering similar training to their employees on a regular basis .

How does the NIS 2 Directive differ from the previous directive?

The NIS 2 Directive replaces the previous Network and Information Security (NIS) Directive, which was the first piece of EU-wide legislation on cybersecurity. Its specific aim was to achieve a high common level of cybersecurity across the Member States .

While the NIS Directive increased the Member States’ cybersecurity capabilities, its implementation proved difficult, resulting in fragmentation at different levels across the internal market. To respond to the growing threats posed by digitalization and the surge in cyber-attacks, the Commission submitted a proposal to replace the NIS Directive and thereby strengthen security requirements, address security of supply chains, streamline reporting obligations, and introduce more stringent supervisory measures and stricter enforcement requirements, including harmonized sanctions across the EU .



The proposed expansion of the scope covered by NIS 2, by effectively obliging more entities and sectors to take measures, would assist in increasing the level of cybersecurity in Europe in the longer term . The NIS 2 Directive establishes very strict sanctions for breaches of its obligations. In contrast to the previous NIS Directive, which merely required Member States to set forth effective, proportionate and dissuasive penalties for non-compliance, the NIS 2 Directive introduces a much stricter regime .

NIS 2 will introduce a fining regime for non-compliance. The potential maximum fines for non-compliance could reach either

(i) €10 million or 2% of global annual turnover for “essential” entities or

(ii) €7 million or 1.4% of global annual turnover for “important” entities .

What’s next, if you are in a hurry

Try to identify the following topics in your ISMS and map them to the NIS2 requirements.

1. Scope of Application

  • Expansion of Affected Entities: NIS2 extends its requirements beyond the sectors covered by the original NIS Directive, including essential and important entities across various sectors such as energy, transport, health, and digital services.

2. Risk Management Measures

  • Comprehensive Security Requirements: Entities are required to implement appropriate technical and organizational measures to manage the risks posed to the security of network and information systems, including measures for incident handling, business continuity, and supply chain security.

3. Incident Response and Reporting

  • Incident Reporting Obligations: NIS2 mandates strict incident reporting requirements, where entities must notify relevant national authorities about significant cybersecurity incidents with potentially severe operational impacts, within a short timeframe.

4. Supply Chain Security

  • Security of Supply Chains and Supplier Relationships: Entities need to address cybersecurity risks not only within their own operations but also across their supply chains, ensuring that suppliers meet security requirements to protect against potential vulnerabilities and threats.

5. Interoperability and Cooperation

  • Enhanced Cooperation Among States: NIS2 emphasizes improved information sharing and coordinated response among EU member states, with mechanisms for cross-border collaboration in cybersecurity threat detection, response, and recovery.

6. Security and Network Systems

  • Strengthening of Security Practices: Detailed requirements on securing network and information systems, ensuring the integrity, availability, and confidentiality of services, particularly in critical infrastructure sectors.

7. Regulatory Oversight and Compliance

  • Increased Enforcement Powers: Regulatory authorities are granted more significant powers to enforce the Directive, including the ability to conduct audits, review compliance, and impose sanctions on entities failing to meet the cybersecurity requirements.

8. Financial Penalties

  • Penalties for Non-Compliance: NIS2 introduces substantial financial penalties for non-compliance, aimed at ensuring that entities take their cybersecurity obligations seriously.

9. Cybersecurity Measures Specificity

  • Detailed Guidelines and Standards: The Directive encourages the use of established standards and specifications to fulfill the required security measures, promoting best practices in cybersecurity management.


By addressing these key topics, NIS2 aims to significantly raise the level of cybersecurity across the EU, ensuring a uniform level of security in critical sectors and enhancing the resilience of the internal market against cyber threats.

1. cybertalk.org
2. nis-2-directive.com
3. digital-strategy.ec.europa.eu
4. enisa.europa.eu
5. europarl.europa.eu
6. mondaq.com
7. rapid7.com
8. https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs

The post Executive summary: NIS2 Directive for the EU members (updated) first appeared on Sorin Mustaca on Cybersecurity.

author avatar
EndPoint Cybersecurity