NIS2 FAQ

  • The NIS2 Directive (Revised Directive on Security of Network and Information Systems) is an EU law aimed at strengthening cybersecurity across member states. It is an updated version of the original NIS Directive and introduces stricter requirements for critical infrastructure and digital service providers.

    NIS2 expands the scope of covered entities, meaning more organizations are now required to implement risk management measures and report serious incidents. It also introduces tougher penalties for non-compliance.

    EU member states were required to transpose the Directive into national law by October 2024. However, some countries have experienced delays in this process, and legal implementation is still ongoing in certain areas.

    Given these uncertainties, it is crucial for companies to determine whether they fall within the scope of NIS2 and to begin preparing as early as possible, while closely monitoring regulatory developments in their respective countries.

  • NIS2 covers 18 key sectors, and the entities in them are classified as essential or important. Organizations operating in these sectors may fall within the scope of the Directive if they meet at least one of the following criteria:

    • 50 or more employees, or
    • Annual turnover of €10 million or more

    In addition, certain infrastructure operators—such as DNS service providers, TLD registries, and qualified trust service providers—are subject to NIS2 regardless of company size.

    The full list of sectors is outlined in Annexes I and II of the Directive:

    • Annex I: Highly critical sectors
    • Annex II: Other important sectors

    Each annex includes detailed subsectors and service types, so even if your industry is listed, it does not automatically mean your organization is in scope.


    To help you determine whether NIS2 applies to your business, we offer a quick and easy self-assessment tool.

  • The NIS2 Directive requires organizations in scope to implement enhanced cybersecurity measures. Non-compliance can lead to significant penalties, including fines and other enforcement actions.

    According to Article 34 of the Directive, the maximum administrative fines are as follows:

    • Essential Entities: up to €10 million or 2% of worldwide annual turnover—whichever is higher
    • Important Entities: up to €7 million or 1.4% of worldwide annual turnover—whichever is higher

    In addition, executive involvement and accountability are a central focus of NIS2. Member states are required to establish legal frameworks that may impose personal liability on executives where necessary. This means that, in some cases, penalties may extend beyond the organization to include its leadership and decision-makers.

    NIS2 compliance is not just an IT issue; it is a strategic governance and risk management challenge. Organizations must approach it at the executive level and integrate it into their overall compliance and operational strategy.

  • Article 23 of the NIS2 Directive mandates that organizations experiencing a significant cybersecurity incident must report it to the relevant authority or CSIRT without undue delay and in a phased manner.

    The reporting process must follow these three steps:

    • Early Warning – within 24 hours of becoming aware of the incident
    • Initial Report – within 72 hours
    • Final Report – within one month

    These reporting obligations apply even if no personal data breach is confirmed. Additional reports may also be required if new information becomes available.

    In some countries, national regulations may introduce additional requirements, such as mandatory customer notifications or public disclosures. For example, in Germany, proposed amendments to the BSI Act would impose stricter obligations, particularly for organizations in finance, insurance, and IT/telecommunications sectors.

  • NIS2 is an enhanced and expanded version of the original NIS Directive, which came into effect in 2016. Its goal is to raise cybersecurity standards across the EU even further. The Directive introduces four major improvements:

    1. Expanded Scope

    The range of affected sectors and organizations has been significantly broadened. As a general rule, all medium-sized and large companies in key sectors are now in scope. In addition to critical infrastructure and digital service providers, NIS2 also applies to sectors such as:

    • Healthcare
    • Food production
    • Waste management
    • Research institutions
    • Public electronic communications

    2. Greater Executive Responsibility

    NIS2 places direct accountability for cybersecurity on executive leadership. It includes requirements for executive training and introduces the possibility of personal liability for management in the event of non-compliance.

    3. Stricter Incident Reporting Requirements

    Organizations must report significant security incidents in three stages:

    • Early warning within 24 hours
    • Initial report within 72 hours
    • Final report within one month

    This obligation applies regardless of whether a personal data breach has occurred.

    4. Stronger Risk Management Obligations

    NIS2 requires the implementation of a comprehensive, risk-based security framework, including both technical and organizational measures. This means proactive prevention, detection, and response, not just reactive fixes.

  • Article 21 of the NIS2 Directive requires organizations within its scope to implement appropriate technical and organizational measures to effectively manage cybersecurity risks.

    These measures include:

    • Risk assessment and analysis
    • Incident handling and response
    • Business continuity and data backup
    • Supply chain security
    • Secure acquisition, development, and maintenance of ICT systems (including vulnerability management)
    • Evaluation of the effectiveness of cybersecurity measures
    • Cyber hygiene practices and regular staff training
    • Use of cryptographic solutions and encryption
    • Human resources-related security (e.g., access controls)
    • Use of multi-factor authentication and secure communication tools for emergencies

    Executive Responsibility Clearly Defined

    NIS2 makes it clear that executive leadership is responsible for ensuring these measures are implemented and properly resourced.

    Cybersecurity is no longer just an IT issue—under NIS2, it is a core business and governance priority that must be addressed at the highest levels of the organization.

  • EU member states were required to transpose the NIS2 Directive into national law by October 17, 2024. However, the progress of implementation varies significantly by country.

    🟢 Countries that have adopted NIS2 legislation (7 countries):

    • Belgium
    • Italy
    • Croatia
    • Latvia
    • Lithuania
    • Romania
    • Hungary

    🟡 Countries where draft legislation has been submitted or is under discussion (12 countries):

    • Germany
    • Austria
    • Finland
    • Netherlands
    • Poland
    • Sweden
    • Cyprus
    • Czech Republic
    • Luxembourg
    • Bulgaria
    • Greece
    • Slovakia

    🔴 Countries with no published draft yet (7 countries):

    • France
    • Spain
    • Ireland
    • Malta
    • Slovenia
    • Denmark
    • Estonia