NIS2 Directive and Cybersecurity:
What Organizations Must Do
The NIS2 Directive introduces cybersecurity obligations for thousands of organizations across Europe. The NIST CSF 2.0 is the ideal tool for achieving compliance.
What Is the NIS2 Directive
Directive (EU) 2022/2555, known as NIS2 (Network and Information Security Directive), is the European regulation that establishes measures for a high common level of cybersecurity across the European Union.
Published on 27 December 2022, NIS2 replaces the previous NIS Directive (2016), significantly expanding the number of obligated entities and introducing stricter requirements and more severe penalties. EU Member States were required to transpose it into national law by 17 October 2024.
The goal is to ensure that organizations providing essential or important services adopt adequate measures to prevent, manage, and respond to cybersecurity incidents.
Who Must Comply
NIS2 applies to two categories of entities:
Essential Entities
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, maritime, road)
- Healthcare (hospitals, laboratories, pharmaceuticals)
- Drinking water and wastewater
- Digital infrastructure and ICT services
- Public administration
- Space
- Banking and financial sector
Important Entities
- Postal and courier services
- Waste management
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital service providers
- Scientific research
- Chemicals
Generally, it applies to medium and large enterprises (over 50 employees or over EUR 10 million in revenue) operating in the listed sectors. However, critical SMEs may also fall within scope.
Key Requirements of NIS2
Cybersecurity Governance
Senior management is directly accountable. They must approve security measures and undergo specific training.
Risk Management
Adopt proportionate technical and organizational measures: security policies, incident management, business continuity.
Incident Reporting
Mandatory notification to the national CSIRT within 24 hours of identifying a significant incident, with a full report within 72 hours.
Supply Chain Security
Assess and manage cyber risks from suppliers and partners across the supply chain.
Encryption and Access Control
Use of encryption, multi-factor authentication, and identity and access management.
Penalties
Up to EUR 10 million or 2% of global turnover for essential entities. Up to EUR 7 million or 1.4% for important entities.
How NIST CSF 2.0 Helps You Comply with NIS2
The NIST Cybersecurity Framework 2.0 is closely aligned with the NIS2 requirements. Its six functions cover all the areas required by the directive:
| NIS2 Requirement | NIST CSF 2.0 Function |
|---|---|
| Governance and management accountability | GOVERN |
| Risk analysis and asset inventory | IDENTIFY |
| Security measures, encryption, access control | PROTECT |
| Threat monitoring and detection | DETECT |
| Incident management and reporting | RESPOND |
| Business continuity and recovery | RECOVER |
By using our NIST CSF 2.0-based assessment, you can get an immediate snapshot of your organization’s compliance level against NIS2 requirements and identify the areas that need priority attention.
Deadlines and Timeline
17 October 2024 — Deadline for NIS2 transposition into EU Member States’ national law
Late 2024 — National transposition laws entering into force across the EU
2025-2026 — Compliance period for obligated entities, with progressive implementation of security measures
Don’t wait until the last moment. NIS2 compliance requires time to assess risks, implement technical measures, and train staff. Start today with an assessment of your current state.
Check Your Compliance Level
Complete the NIST CSF 2.0 assessment and find out how ready your organization is for NIS2.