The NIS2 Directive Explained: Cybersecurity Obligations for EU Companies

Blog
July 28, 2025
Read time 5 min.

Cyberattacks are becoming increasingly frequent and sophisticated across the EU, yet fewer than one in three organizations feel prepared to prevent or manage them. As digital threats intensify, the EU has made cybersecurity a long-standing priority, introducing a series of regulations to strengthen resilience and protect critical infrastructure. 

The original NIS Directive aimed to raise cybersecurity standards through improved national capabilities, stronger cross-border cooperation, and clear risk management and incident reporting rules. However, it applied only to a limited group of essential service providers, which left many sectors unregulated and vulnerable. To address these gaps, the European Commission revised the directive, leading to the adoption of NIS2.

What Is NIS2? A Modern Directive for an Interconnected Europe

The Network and Information Security Directive (NIS2) entered into force on January 16, 2023. As a continuation and expansion of the previous cybersecurity directive, NIS2 was introduced to widen the scope and remedy the deficiencies of the original NIS Directive.

NIS2 continues to focus on strengthening the security of network and information systems across the EU. It broadens the directive’s scope, raises cybersecurity standards, and introduces stricter rules for reporting, governance, and supply chain oversight. 

What are the Key Requirements of NIS2?

The NIS2 Directive sets out definitive rules within the following four main areas: Risk Management, Reporting Obligations, Corporate Accountability, and Business Continuity. Non-compliance within these areas leads to strict penalties. Here’s a rundown of these primary areas in more detail. 

Robust Risk Management  

The directive introduces measures to strengthen cyber risk management and mitigation. It does not prescribe specific technologies but defines key outcomes and control areas that organizations must address, particularly in the following areas: 

  1. Implementation of multi-factor authentication (MFA) where applicable 
  2. Systematic encryption and backups of sensitive data for quick recovery 
  3. Implementation of firewalls and intrusion detection/prevention systems (IDS/IPS) 
  4. Setting up clear incident response procedures 
  5. Cybersecurity analysis of third-party vendors and suppliers 

Corporate Accountability Measures for Responsible Leadership 

Within the NIS2, senior management is directly accountable for compliance. It places explicit responsibility at the top, making cybersecurity a boardroom priority rather than an operational afterthought. Management must lead, approve, monitor, and be able to prove their active involvement in compliance. Here are some specific measures that leadership teams should take: 

  1. Strategize and approve cybersecurity measures to ensure alignment with the directive 
  2. Undergo cybersecurity training to stay up to date on threats and compliance requirements 
  3. Take accountability for failures in cybersecurity 

Strict Incident Reporting Obligations  

Companies are required to promptly report any cybersecurity-related incident to the appropriate national authorities. A brief overview of the timeline:

  1. An early warning notification should be given within 24 hours from when the incident occurred
  2. The full incident report should be drafted within 72 hours, covering the breach and the mitigation measures taken
  3. The final report should be produced within one month, outlining the recovery measures and long-term improvements
  4. Failure to report these incidents will result in hefty fines and increased scrutiny

Business Continuity for Improved Cyber Resilience

For the post-incident recovery process, organizations should prepare a structured business continuity plan, which may include the following steps:

  1. Minimize downtime with proper system recovery and emergency procedures
  2. Establish crisis response teams to streamline incident recovery

Who’s Affected? Understanding the Expanded Scope of NIS2 

The sectors within NIS2 are categorized into High Criticality and Other Critical Sectors (as stated in Annex I and Annex II). Refer to the infographic below for a detailed insight into the sectors within the updated scope of NIS2.

Due to the increase in the number of sectors, a larger number of public and private entities are now covered by the NIS2 Directive. Your company falls within the scope of the directive if the first condition below is met together with either the second or the third:

  1. Your company operates in one of the sectors stated in Annex I or Annex II of the directive, and
  2. Your company is a medium-sized organization, or in terms of the directive, an important entity (with at least 50 employees or a balance sheet total of over €10 million), or
  3. Your company is a large organization, or in terms of the directive, an essential entity (with at least 250 employees or a net turnover of over €50 million and a balance sheet total of more than €43 million)
  4. Notably, companies based outside the EU are also affected if they provide critical services within the EU

Simplifying NIS2 Compliance with the osapiens HUB 

The osapiens HUB for NIS2 provides a streamlined, scalable solution to help businesses of all sizes meet the directive efficiently and transparently. Developed with cybersecurity experts from VICCON, it is legally compliant by design and fully aligned with NIS2 requirements, with optional expert consulting available. 

The solution combines risk management, procurement, and supplier governance in one platform, covering ESG topics, cyber risks, and more. Features such as risk analysis, incident reporting, case management, and automation make it easy to verify and document supplier compliance. Guided workflows reduce manual effort, fit seamlessly into existing structures, and simplify even complex processes. 

Is your business ready to meet the evolving NIS2 requirements with confidence? Start your journey today with the osapiens HUB for NIS2 and benefit from a single, integrated platform built for security, efficiency, and transparency. 
