The NIS 2 Directive (Network and Information Systems Directive 2) is a legislative act aimed at enhancing cybersecurity across the European Union. NIS 2 expands coverage from the original 7 sectors under the first NIS directive to 18 sectors. It applies to both public and private entities deemed "essential" or "important" based on their criticality and size.
NIS 2 (also written NIS2) is the directive's common short name; its formal designation is Directive (EU) 2022/2555. It repeals and replaces the original NIS Directive, Directive (EU) 2016/1148, and widens its scope and obligations.
If your company operates within a sector covered by NIS 2, you are required to meet the cybersecurity requirements the directive sets. This applies not only to organizations in the core sectors (such as energy, healthcare, and finance) but also to entities in related sectors such as digital infrastructure and ICT services, and indirectly to suppliers of in-scope entities through the directive's supply-chain requirements. Meeting these requirements matters for maintaining your business operations and customer relationships. Non-compliance can lead to administrative fines of up to €10 million or 2% of the company's total worldwide annual turnover in the preceding financial year, whichever is higher, for essential entities (NIS 2, Article 34). Adhering to NIS 2 protects your business from these financial consequences and supports a secure operational environment.
Organizations must implement appropriate technical, operational, and organizational measures to manage cybersecurity risks effectively. This includes regular risk assessments and security policies.
Entities are required to report significant incidents to the competent authority or CSIRT in stages (NIS 2, Article 23): an early warning within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity, impact, and any indicators of compromise within 72 hours, and a final report no later than one month after the incident notification.
NIS 2 emphasizes the need for securing supply chains, requiring organizations to assess and manage risks associated with their suppliers and service providers.
NIS 2 encourages the implementation of basic cyber hygiene measures and regular cybersecurity training for employees.
Non-compliance can result in substantial administrative fines (NIS 2, Article 34): for essential entities, a maximum of at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities, a maximum of at least €7 million or 1.4%, whichever is higher. In addition, the members of an entity's management body can be held liable for breaches of the risk-management obligations (Article 20).
EU member states had until October 17, 2024, to transpose NIS 2 into national law (NIS 2, Article 41), and the national measures apply from October 18, 2024. Each country incorporates the directive's requirements into its own legal framework, so the exact obligations and deadlines for a given entity depend on the transposing law of the member state in which it operates, and on how quickly that member state has completed transposition.
NIS 2 complements other frameworks such as the GDPR and ISO/IEC 27001: the GDPR is a regulation governing the protection of personal data, including its own breach-notification duties, while ISO/IEC 27001 is a voluntary standard for an information security management system that organizations can use to implement the risk-management measures NIS 2 requires.
We’re a diverse team of three IT / Software / Security / AI professionals based in Germany, united by a passion for enhancing cybersecurity across Europe. Collectively, we have more than 40 years of experience, are authors of dozens of publications and patents in cyber security, and have worked across a range of environments—from startups to big tech, government, and large enterprises, building security-focused solutions. Our goal is to empower individuals who want to bring their best to their organizations while building a strong, community-based group.
By establishing a robust framework for cybersecurity across critical sectors, the NIS 2 Directive enhances the overall security landscape in Europe, fostering a safer digital environment for citizens and businesses. In our thorough examination of the NIS 2 Directive, we identified key insights and answers to frequently asked questions. Recognizing the importance of sharing this information, we created this website to help organizations prepare for and gain a deeper understanding of NIS 2 compliance.