Understanding NIS2: A Critical Guide for Businesses

Introduction

The NIS2 Directive represents a significant advancement in the EU's cybersecurity framework, imposing stricter regulations on businesses to enhance their resilience against escalating cyber threats. Since coming into effect on 16 January 2023, NIS2 has required EU member states to transpose its provisions into national law by 17 October 2024. However, as of now, many countries have missed this deadline, leading to a fragmented implementation landscape.

For businesses, this means that NIS2 requirements will soon become legally binding—if they aren’t already. The consequences of non-compliance are severe, ranging from financial penalties to reputational damage and even personal liability for executives. This article explores what NIS2 entails, which companies are affected, and what steps organisations must take to achieve compliance.

Background: Why NIS2 Matters

Cyber threats have grown in both frequency and sophistication, costing an estimated €5.5 trillion globally in 2021. While no regulation can eliminate all cyber risks, NIS2 sets minimum security standards that EU member states must uphold, ensuring a higher level of protection and resilience.

NIS2 builds upon its predecessor (NIS1) by covering a broader range of industries and enforcing stricter risk management, incident reporting, and governance requirements. Member states can expand these requirements but cannot weaken them, meaning businesses should prepare for stricter cybersecurity obligations across the EU.

The urgency to comply is critical. In Germany, for example, 71% of companies have yet to implement NIS2 measures, and similar statistics are expected across Europe. Given the complexity of compliance—some measures can take up to 18 months to fully implement—companies that haven’t started yet must act immediately to avoid serious repercussions.

Who Must Comply with NIS2?

NIS2 significantly expands its scope compared to NIS1 by classifying companies into two categories based on their size, sector, and economic importance:

1. Essential Entities

  • Companies in critical sectors such as:
    • Energy (including IT and Operational Technology, OT)
    • Transport
    • Finance
    • Healthcare
    • Water supply
    • Digital infrastructure
    • Space industry
  • Must have:
    • At least 250 employees or
    • An annual turnover exceeding €50 million
  • Telecommunications providers also fall into this category if they have:
    • 50+ employees or
    • Annual turnover above €10 million

2. Important Entities

  • Companies in sectors such as:
    • Postal and courier services
    • Waste management
    • Chemical production and trade
    • Food production
    • Medical device and automotive manufacturing
    • Digital service providers and research institutions
  • Must have:
    • 50+ employees or
    • Annual turnover above €10 million

Do Non-EU Companies Need to Comply?

Yes—non-EU businesses may also be affected if they operate within the EU or have significant ties to an EU member state. Companies in the UK and Switzerland should particularly assess their exposure, as compliance will depend on their market presence and interactions with EU-based clients and partners.

NIS2 Implementation: Current Status

The transposition of NIS2 into national law has been inconsistent across the EU:

  • Countries like Italy and Croatia have already enacted their NIS2 laws, making compliance immediately enforceable.
  • Most EU member states have missed the October 2024 deadline and are still finalising their regulations.

What This Means for Businesses

  • If your country has transposed NIS2 into law, your company must comply immediately.
  • If your country has delayed implementation, you must still prepare for compliance, as once the law is enacted, enforcement will follow within a short timeframe.

Companies should stay informed by consulting national cybersecurity authorities to track progress and ensure early compliance before full enforcement begins.

The Risks of Non-Compliance

Authorities responsible for NIS2 enforcement will conduct unannounced inspections and compliance audits. Businesses that fail to act promptly may face:

1. Time Pressure and Delays

  • Implementing Identity and Access Management (IAM) strategies and risk management frameworks can take over 18 months.
  • Late adopters may struggle to meet compliance deadlines, risking fines and reputational damage.

2. Misclassification Risks

  • Many small and mid-sized businesses wrongly assume they are exempt from NIS2.
  • Authorities have the power to reclassify companies, forcing them to comply with stricter regulations.

3. Rising Cyber Threats

  • Cyberattacks are increasing in scale and sophistication.
  • Companies that fail to implement NIS2 measures risk both financial losses and permanent reputational damage.

What Are the Penalties for Non-Compliance?

The financial consequences of failing to comply with NIS2 can be severe:

  • Fines start at €100,000 for minor violations
  • Serious breaches can result in fines of up to €10 million or 2% of global annual turnover
  • Management can be held personally liable, particularly if it is proven that insufficient investment was made in security measures
  • Additional penalties may apply in cases of data protection violations, increasing overall costs

Key Steps for NIS2 Compliance

A strong Identity and Access Management (IAM) strategy is one of the most effective ways to meet NIS2 security requirements. Companies should focus on the following areas:

1. Cybersecurity Risk Management

  • Review risk assessment frameworks to detect and mitigate threats proactively.

2. Incident Response, Reporting & Recovery

  • Implement Security Information and Event Management (SIEM) solutions.
  • Develop a structured incident reporting process.

3. Business Continuity & Crisis Management

  • Ensure your organisation can continue operations during cyber incidents.

4. Supply Chain Security

  • Verify that third-party suppliers comply with NIS2 and ISO 27001.
  • Establish clear Service Level Agreements (SLAs).

5. Strong Access Controls & Zero Trust Security

  • Enforce Multi-Factor Authentication (MFA).
  • Adopt a Zero Trust security model.

6. Compliance & Auditing

  • Conduct regular internal and external audits.
  • Maintain detailed security documentation.

7. Cyber Hygiene & Employee Training

  • Provide ongoing cybersecurity awareness training.

New NIS2 Compliance Requirements: Reporting & Audits

Incident Reporting Obligations

Under NIS2, companies must report cybersecurity incidents according to the following timeline:

  • Within 24 hours: Initial warning report.
  • Within 72 hours: Detailed impact assessment.
  • Within 1 month: Final report with mitigation measures.

Authorities may also conduct random inspections, and in some cases, businesses may be required to notify customers directly about security breaches.

Mandatory Audits

  • Operators of critical infrastructure must undergo audits every three years.
  • Other important entities are subject to random compliance inspections.

All businesses must maintain detailed documentation of their cybersecurity measures to prove compliance when audited.

Conclusion: The Time to Act is Now

The NIS2 Directive is a game-changer in European cybersecurity, imposing strict obligations on a wider range of businesses than ever before. With steep penalties and growing cyber threats, compliance is not optional—it is a necessity.

Key Takeaways

✔️ NIS2 applies to a vast range of industries, including digital service providers and manufacturing.

✔️ Non-EU companies may also be affected if they operate in the EU.

✔️ Authorities will impose heavy fines for non-compliance, potentially up to 2% of global revenue.

✔️ Implementing IAM and Zero Trust strategies can significantly streamline compliance.

Act now to secure your organisation’s future and avoid the risks of late compliance.
