Introduction to NIS 2: What It Entails and How to Comply

NIS 2 Directive

The NIS 2 Directive updates and expands the first Network and Information Security Directive (NIS 1). Its goal is to strengthen the cybersecurity of networks and information systems across the European Union. This article summarizes the main points of the regulation and explains what companies can do to comply.

From NIS 1 to NIS 2

The first NIS Directive, introduced in 2016, aimed to improve the cybersecurity of critical infrastructures such as energy, transport, healthcare, and finance.
Since then, cyber threats have evolved, becoming more sophisticated and frequent.
For this reason, the European Union introduced NIS 2 to modernize the legal framework and adapt it to new technologies and risks.

NIS 2 and DORA: Two Complementary Frameworks

While NIS 2 focuses on the cybersecurity of networks and information systems, DORA (Digital Operational Resilience Act) applies specifically to the financial sector.
It defines clear rules for managing digital and operational risks in banks, insurance companies, and financial intermediaries.
Both frameworks share the same goal: improving Europe’s overall resilience against cyber threats.
Together, they create a consistent and unified approach to protecting digital infrastructures across the EU.

Scope and Application

NIS 2 broadens the number of organizations covered by the directive.
Unlike NIS 1, where each member state defined “essential service operators,” NIS 2 applies a uniform rule across the European Union.
It covers medium and large companies with at least 50 employees and an annual turnover above 10 million euros.
Small and micro enterprises are generally excluded, unless their activity is considered critical to society or the economy.

The directive also extends to the entire supply chain.
IT companies that provide hardware, software, or services to essential operators must comply with the same cybersecurity standards.

Industries Covered by NIS 2

The directive applies to organizations operating in:

• Energy, transport, and finance
• Healthcare, water, and waste management
• Digital infrastructure and cloud services
• Public administration and the space industry

EU Member States must apply NIS 2 from October 17, 2024.

Main Objectives

NIS 2 aims to strengthen Europe’s ability to prevent and respond to cyber incidents.
It introduces clear obligations for risk management, incident reporting, and cooperation between organizations and authorities.
The ultimate goal is to ensure continuity of services and improve the overall security of digital ecosystems.

Incident Reporting

Organizations must follow specific timelines for incident reporting.
A first notification must be sent within 24 hours after an incident, followed by a detailed report within 72 hours.
This process helps authorities coordinate responses and limit the impact of cyberattacks on essential services.

Essential and Important Entities

NIS 2 identifies two categories of organizations subject to its requirements.

Essential Entities operate in sectors whose disruption would seriously affect society, such as:
energy, transport, banking, healthcare, and digital infrastructure.

Important Entities include other key players such as:
postal and courier services, digital platforms, and waste management companies.

Both categories must adopt strong technical and organizational measures and report security incidents promptly.

Main Obligations

All entities covered by NIS 2 must:

• conduct regular risk assessments and apply adequate protection measures;
• report major incidents to national authorities within the required timeframe;
• cooperate and share relevant information to strengthen collective defense across the EU.

How Companies Can Comply

Compliance with NIS 2 requires a structured and proactive approach.
Organizations should:

• define cybersecurity policies and perform regular risk analyses;
• use protection systems such as firewalls, antivirus, and automated backups;
• establish business continuity and incident response plans;
• train staff to improve security awareness and response capability;
• monitor suppliers and partners to ensure they meet equivalent security standards.

A Step Toward a Safer Digital Europe

NIS 2 represents a major step forward in creating a safer digital environment in Europe.
It promotes stronger cooperation between organizations, regulators, and service providers.
For companies, choosing partners who develop and manage their infrastructure internally—within the European legal framework—helps ensure compliance, reliability, and long-term security.