NIS 2 Cybersecurity Directive

New Enhanced Cybersecurity Rules in the European Union

The new directive on cybersecurity, NIS 2, which came into effect in January 2023, introduces mandatory information security measures and reporting requirements for cybersecurity incidents. Failure to comply with these requirements may result in substantial fines for many companies in specific sectors.


What are NIS and NIS 2 directives?

NIS refers to the security of Network and Information Systems. Currently, the NIS directive from 2016 is in effect. The existing rules primarily apply to critical infrastructure companies and providers of digital services (online marketplaces, online search engines, and cloud computing services).

The sectoral scope of the previous NIS Directive has been expanded through NIS2 to encompass a much larger portion of the economy, ensuring comprehensive coverage of sectors and services critical to the fundamental social and economic activities within the internal market.

The cybersecurity directive aims to enhance cyber resilience and improve response to security incidents in both the public and private sectors in the EU.

When does NIS 2 come into force?

The NIS Directive is the first legislative act on cybersecurity at the EU level. By May 9, 2018, all EU member countries were required to incorporate this act into their national legislation. NIS2 came into effect on January 16, 2023, and fully replaces the existing Directive on the security of network and information systems (NIS) on October 17, 2024.

Who does NIS 2 apply to?

NIS2 applies to organizations in the following sectors: 

Critical industriesImportant industries
EnergyPostal and courier services
TransportationWaste management
BankingChemical industry
Financial market infrastructureFood industry
HealthcareIndustrial production
Water supplyDigital service providers
Sewerage systemsResearch (optional)
Digital infrastructure
Management of B2B information technology services
Public administration
Space research

Thus, the directive establishes requirements for organizations providing essential services in the fields of energy, logistics, finance, healthcare, utilities, digital infrastructure, industry, government administration, and research.

Does the NIS 2 directive apply to small businesses?

Companies with fewer than 50 employees and an annual turnover or annual balance not exceeding 10 million euros are considered small and therefore are not subject to the NIS 2 directive.

However, there are exceptions, and the following companies fall under the directive’s scope regardless of their size:

  1. Trust service providers;
  2. Operators of public telecommunications networks or providers of public electronic communications services;
  3. TLD registry operators and DNS service providers, excluding operators of root name servers;
  4. Companies that are the sole providers of services in an EU member state necessary for maintaining critical social or economic activities.

In this way, NIS 2 applies not only to large organizations but also to certain small businesses. These small businesses must comply with the directive’s requirements to ensure a high overall level of cybersecurity throughout the EU and avoid penalties for non-compliance.


Requirements of NIS 2

Measures and scope

The NIS 2 directive, which came into effect on January 16, 2023, aims to improve the existing state of cybersecurity in the EU by establishing the necessary cyber crisis management structure, enhancing the level of harmonization of security requirements and reporting obligations, and setting a baseline for cybersecurity risk management measures and reporting obligations across all sectors covered by the directive.

Cybersecurity strategy and management

NIS 2 directive requires organizations to have a cybersecurity strategy and management in place to counter emerging cyber threats. This includes measures such as risk management, incident management, and collaboration.

Information security management

The NIS 2 directive mandates that organizations have an information security management system in place to ensure the confidentiality, integrity, and availability of information. This includes measures such as access control, encryption, and incident response.

Reporting obligations

The NIS 2 directive requires organizations to report cybersecurity incidents to the competent national authority within 24 hours of becoming aware of the incident. Within 72 hours, a full incident report must be submitted, including an assessment of the incident, its severity, consequences, and indicators.

Training and awareness

NIS 2 directive requires organizations to provide training to their management and employees to deepen their knowledge in cybersecurity. This includes measures such as awareness campaigns, training programs, and simulations.

Penalties for Non-Compliance with NIS 2 Requirements

The NIS 2 directive includes penalty provisions for non-compliance with its requirements. The imposed measure of responsibility depends on the severity of the violation and the size of the organization.


For large organizations, member states must establish a maximum fine of no less than 7,000,000 euros or no less than 1.4% of the organization’s total worldwide annual turnover.


Member states can impose sanctions on organizations that fail to comply with the NIS 2 directive. These sanctions may include the suspension or revocation of licenses, permits, and authorizations.

Reputational damage

Non-compliance with the NIS 2 directive can result in reputational damage to the organization. This can lead to the loss of customers, partners, and investors.

It is important to note that the sanctions for non-compliance can vary depending on the country and the specific circumstances of the violation. Furthermore, it is crucial for organizations to ensure compliance with the NIS 2 directive to avoid reputational damage, which can be even more significant than the fines imposed.

Implementation of the NIS 2 Directive

We strive to give top priority to system safety, the protection of confidential data, and the preservation of our clients’ trust. Implementing compliance with NIS 2 Directive will enhance your cybersecurity level, and demonstrate commitment to maintaining a high overall cybersecurity standard. As a result, you will receive:

Improved cybersecurity level
NIS 2 includes legal measures aimed at raising the overall level of cybersecurity in the EU. Adhering to these requirements will elevate cybersecurity levels and safeguard your systems and data from potential threats.
Resilience and incident response
Implementing NIS 2 will support your resilience to external influences and enhance your ability to respond to incidents. It will also improve your capacity to detect and respond to incidents, minimizing potential damage and disruptions.
Compliance with requirements and legal obligations
Complying with NIS 2 will help you avoid fines, reputational damage, and legal consequences associated with non-compliance with the directive.

Don’t wait until the last moment or face legal action; take proactive measures to ensure compliance now. The unfortunate experiences of GDPR implementation show that companies that were negligent paid a high price. Conversely, companies that approached us in advance were able to ensure compliance with EU directives quickly and seamlessly.

Our experts are well-versed not only in technical and organizational cybersecurity matters but also in the nuances of EU legislation. Do you want to meet all the requirements of NIS 2 and reduce the risks of hefty fines starting today? Then request a free consultation here!

Business cases of projects we completed

Audit of smart contracts and blockchain
Business Automation
Information security incident response and investigation
Managed security and compliance (ISO 27001, etc.)
Security analysis of software source code
Security assessment: audits and penetration tests
Security Operations Center cases