The NIS2 Directive is a major step forward in strengthening cybersecurity across critical EU sectors. In this post, you’ll find a simple definition of NIS2, a breakdown of how it differs from the original NIS Directive, and a summary of the steps your organization must take to achieve compliance.
NIS2 in a nutshell
NIS2, or Directive (EU) 2022/2555, was created to improve the level of cybersecurity across the European Union. It was adopted on December 14, 2022, and took effect on January 16, 2023. Although each EU Member State was required to transpose the Directive into its own national law by October 17, 2024, as of November 2024, twenty-three Member States had still not done so.
NIS2 builds on the original NIS Directive adopted in 2016 and aims to raise the standard of cybersecurity posture for both public and private entities that play a crucial role in the EU’s economy and society.
How NIS2 differs from the original NIS Directive
While the original NIS Directive focused on a limited number of operators of essential services and digital service providers, NIS2 has a broader scope. It introduces two new classifications: essential entities and important entities.
The NIS2 Directive applies to a wider range of sectors than the original Directive. The new Directive also automatically applies to the majority of medium and large enterprises within the covered sectors, reducing gaps and inconsistencies across the EU.
Comparison between the scope of the NIS Directive (2016) and the NIS2 Directive (2022)
Covered entities: Operators of essential services and digital service providers
Sectors covered: Energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, digital services
Covered entities: Essential entities and important entities
Sectors covered: Energy, transport, banking, financial market infrastructure, health, drinking water, waste water, ICT service management (B2B), public administration, postal and courier services, waste management, chemical industry, food, manufacturing, digital providers, research
NIS2 also introduces stricter penalties for non-compliance. Unlike the original Directive, which effectively left enforcement up to individual Member States, NIS2 sets EU-wide minimum standards for supervision and sanctions. Penalties for failure to comply include administrative fines of up to €10 million (~$11.33 million) or 2% of total annual worldwide turnover, whichever is higher, as well as personal accountability for executive management in cases of repeated or severe violations.
Four key focus areas of NIS2
The Directive outlines several core NIS2 requirements that organizations operating in the EU must meet to strengthen their cybersecurity posture:
Core focus areas in the NIS2 Directive
Risk management
NIS2 requires entities to adopt appropriate technical and organizational measures to minimize cybersecurity risks. They include incident management processes, supply chain security, network protection, access controls, and encryption of sensitive data.
Corporate accountability
Senior management is responsible for understanding, overseeing, and approving cybersecurity practices within the organization. Failure to comply can result in management’s personal liability, fines, or even temporary leadership bans.
Reporting obligations
The Directive mandates that essential and important entities promptly report incidents that impact their services. It also introduces specific deadlines for reports:
- Early warning (within 24 hours) — A high-level alert with basic facts and potential cross-border impact.
- Incident notification (within 72 hours) — A more complete review, including initial impact assessment.
- Final report (within 1 month) — Root cause analysis, mitigation steps, and lessons learned.
Business continuity
The NIS2 regulation requires organizations to develop and maintain resilience and incident recovery plans in order to be permitted to continue operating during and after cyber incidents. These plans should include system recovery strategies, emergency response procedures, and the members of crisis management teams.
How to comply with NIS2: 10 cybersecurity measures
NIS2 lays out ten mandatory cybersecurity practices for organizations. Here are the measures you need to implement for compliance:
1. Risk analysis and security policies
Regularly assess cybersecurity risks that could impact your organization’s network and information systems. Based on these assessments, adopt and maintain up-to-date security policies designed to address and mitigate identified risks.
2. Incident handling
Establish formal procedures for detecting, managing, and responding to cybersecurity incidents. These should include early threat identification, timely containment, recovery processes, and communication strategies for internal and external stakeholders.
3. Business continuity and disaster recovery
Develop and maintain business continuity plans to ensure the resilience of critical operations during and after a cybersecurity incident. Regularly back up important data and have recovery strategies and predefined emergency response protocols in place.
4. Supply chain security
You must also manage risks that arise from your third-party service providers and suppliers. Assess the security posture of your vendors, require all third parties to adhere to cybersecurity standards while working with your systems and data, and ensure they follow appropriate risk management practices within their IT environments.
5. Secure network and information systems acquisition, development, and maintenance
Security must be embedded throughout the whole lifecycle of your network and information systems. Adhere to secure design principles, conduct security tests, and ensure that software updates and patches are properly managed.
6. Testing for the efficacy of cybersecurity measures
NIS2 compliance requires regular monitoring, testing, and evaluation of security controls to verify their efficacy. Develop and document procedures for audits, vulnerability assessments, penetration testing, and security performance reviews.
7. Cyber hygiene and training
Promote a strong security culture by providing ongoing cybersecurity training for employees, contractors, and third-party users. Educate them on effective cyber hygiene practices, such as using secure passwords and recognizing phishing attempts and other threats.
8. Cryptography and data protection
Protect your organization’s sensitive data with robust cryptographic techniques. Encryption should be applied to data at rest and in transit to prevent unauthorized access, manipulation, or theft.
9. Access control and asset management
Ensure that access to internal systems and data is granted only to authorized individuals based on their roles and responsibilities. Develop asset management policies to keep track of all hardware and software and maintain oversight of your organization’s digital environment.
10. Multi-factor authentication
Implement multi-factor authentication (MFA) to protect access to internal networks and systems. MFA adds an extra layer of defense against unauthorized access and account compromise.
To gain a full understanding of how to comply with all NIS2 requirements, download our comprehensive ebook:
Syteca Privileged Access Management helps organizations authenticate users securely and manage access to sensitive internal systems with ease. From two-factor authentication to granular access controls to password management, Syteca PAM provides the necessary tools to help you reduce risk, enhance accountability, and stay compliant with NIS2 and other cybersecurity requirements. Syteca User Activity Monitoring also supports your NIS2 compliance efforts by monitoring and recording user sessions, providing a variety of user activity reports, and helping you mitigate security threats.
Want to try Syteca? Request access
to the online demo!
See why clients from 70+ countries already use Syteca.