Cybersecurity and law

TÁLOSI Legal Law Office


1. What is the NIS2 Directive?

The NIS2 Directive (Network and Information Systems Directive 2) is a fundamental reform of the European Union's cybersecurity regulations. Its aim is to ensure a uniformly high level of cybersecurity protection across EU member states, thereby increasing the resilience of the economy and society against cyberattacks.

NIS2 replaces the original NIS Directive from 2016.

2. Who does the Directive apply to?

NIS2 significantly expands the scope of organizations covered. It applies not only to organizations operating public and critical infrastructure, but also to many private companies.

Sectors affected include:

  • Energy, transport, water supply, healthcare
  • Digital infrastructure, telecommunications, data centers
  • Financial sector, insurance
  • Public administration
  • Food industry, pharmaceutical industry, waste management
  • Digital service providers (e.g. online marketplaces, cloud service providers)

The size of the companies also matters: in most cases, organizations with more than 50 employees or a turnover exceeding EUR 10 million fall within the scope of the directive.

3. Main obligations

The aim of NIS2 is not only to respond, but also to strengthen prevention. Accordingly, the organizations concerned must fulfill several new obligations:

a) Risk management measures

  • Identification and management of cybersecurity risks
  • Development of incident management procedures
  • Business continuity and crisis management plan
  • Ensuring supply chain security
  • IT security training for employees

b) Incident reporting obligation

  • Early notification within 24 hours in the event of a serious cyber incident
  • Detailed report within 72 hours
  • Final report within one month

c) Accountability and governance requirements

  • Company executives are personally responsible for cybersecurity compliance
  • Managers must provide adequate training and resources
  • Authorities may impose fines for non-compliance

4. Sanctions

Under NIS2, Member States may impose heavy fines:

  • Up to €10 million or 2% of annual global turnover for significant entities
  • Up to €7 million or 1.4% of annual turnover for important entities

These are deterrent fines similar to those under the GDPR.

5. Practical implications for businesses

The practical implementation of NIS2 means that affected organizations must:

  • Review their IT systems
  • Develop cybersecurity policies and processes
  • Consider engaging external consultants or lawyers to ensure compliance

Managers' responsibilities will clearly increase, so it is advisable to document compliance.

The NIS2 Directive is one of the most significant new sets of rules in cybersecurity law in the EU. It is not only a technical issue, but also a legal and managerial responsibility.
Those who fall under its scope should take the necessary steps to ensure compliance in a timely manner – this will not only fulfill their legal obligations, but also reduce their cyber risks and business exposure in the long term.


Adam Malik


Dr. Ádám Tálosi

Our Law Firm provides international-level legal services with local expertise. Whether you are a business expanding across borders, an individual interested in long-term residency, or an investor familiarizing themselves with Hungarian regulations, we offer clear, efficient, and client-focused solutions.


With our headquarters in Budapest, we bridge cultural and legal divides by providing services to our European and international clients to fully protect your interests.

Contact

Phone number
+36 1 200 3447