Back to overview

Network and Information Security Directive 2 (NIS2)

The NIS2 Directive (Network and Information Security Directive 2) is the European Union’s regulation to improve cybersecurity across essential industries. It replaces the NIS1 Directive from 2016 and brings stricter rules to match today’s digital threats. 

NIS2 aims to make sure that key sectors, like energy, healthcare, finance, and digital services, are protected from cyberattacks and disruptions. 

Why NIS2 Matters 

  • Improve cyber resilience across all member states 
  • Protect critical infrastructure and services from digital threats 
  • Standardize cybersecurity rules across the EU for faster, more effective responses 
  • Strengthen supply chain security and fix gaps in earlier rules 
  • Coordinate better during cross-border cyber crises 

It’s a major step in building a safer, more secure digital Europe. 

Who Must Follow NIS2? 

NIS2 applies to a wide range of medium and large organizations in both public and private sectors. 

There are two main groups: 

Entity Type  Examples 
Essential Entities  Energy, healthcare, digital infrastructure, finance, public administration, and new areas like space, waste, and postal services 
Important Entities  Other key service providers and manufacturers that meet size thresholds 

Around 160,000 organizations in the EU are expected to be affected. 

What Companies Must Do Under NIS2 

To comply with NIS2, affected organizations must: 

  1. Strengthen Cybersecurity
  • Put in place risk management and security policies 
  • Monitor systems for threats and respond quickly 
  • Secure the supply chain 
  • Use tools like multi-factor authentication, encryption, and logging 
  • Have clear processes for disclosing vulnerabilities 
  1. Report Cyber Incidents Quickly
  • Inform national authorities within 24 hours if a cyberattack causes serious damage or disruption 
  1. Accept Oversight and Penalties
  • Be ready for audits and checks 
  • Face fines of up to €10 million or 2% of global turnover for non-compliance 
  1. Cooperate Across Borders
  • Share information and work with other EU countries during large-scale cyber emergencies 
  • Use shared databases and tools managed by EU agencies like ENISA (European Union Agency for Cybersecurity)