
Understanding the NIS2 Directive: Complete Guide for Businesses

Everything you need to know about the NIS2 directive: scope, obligations, penalties, and compliance timeline.

ConformITly

The NIS2 Directive (Network and Information Security 2) represents a major overhaul of the European regulatory framework for cybersecurity. Adopted by the European Parliament in November 2022, it replaces the original NIS Directive from 2016 and significantly expands both the scope of organizations covered and the obligations imposed upon them.

What is the NIS2 Directive?

Directive (EU) 2022/2555, known as NIS2, is the most ambitious European legislation on cybersecurity to date. It aims to establish a high common level of cybersecurity across the European Union, in response to the rapidly evolving threat landscape and the increasing digitization of our societies.

NIS2 addresses the main shortcomings identified in the original NIS1 Directive: a scope that was too narrow, disparities in transposition between Member States, and a lack of effective cooperation mechanisms. It introduces stricter requirements, harmonizes penalties, and strengthens cross-border cooperation.

The key objectives of NIS2 are:

  • Broadening the scope of covered entities to include more critical sectors
  • Harmonizing requirements for cybersecurity across the European Union
  • Strengthening governance by imposing management body accountability
  • Improving cooperation between Member States through the EU-CyCLONe network

Who is Concerned: Essential and Important Entities

One of the most significant changes in NIS2 is the substantial expansion of its scope. The directive distinguishes between two categories of entities:

Essential Entities

Essential entities are those whose activities are deemed critical to the functioning of society and the economy. They are subject to the strictest supervisory regime. This category includes:

  • Energy: electricity, oil, gas, hydrogen, district heating and cooling
  • Transport: air, rail, maritime, road
  • Banking and financial market infrastructures
  • Health: hospitals, laboratories, medical device manufacturers, pharmaceutical industry
  • Drinking water and wastewater
  • Digital infrastructure: Internet exchange point providers, DNS, TLD, cloud, data centers, CDN
  • ICT service management (B2B): managed service providers and managed security service providers
  • Public administration (central and regional level)
  • Space

Important Entities

Important entities benefit from a lighter supervisory regime (ex post control), but remain subject to the same baseline obligations. This category includes:

  • Postal and courier services
  • Waste management
  • Manufacturing, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing: medical devices, computer, electronic, and optical products, electrical equipment, machinery, motor vehicles
  • Digital providers: online marketplaces, search engines, social networks
  • Research

A size criterion also applies: generally, organizations with more than 50 employees or annual revenue exceeding 10 million euros are covered. However, certain entities are covered regardless of their size (DNS providers, domain name registries, etc.).

Key Obligations

Article 21 — Cybersecurity Risk Management Measures

Article 21 forms the core of the technical and organizational obligations under NIS2. Covered entities must implement appropriate and proportionate cybersecurity measures covering at minimum:

  1. Information systems security policies and risk analysis
  2. Incident handling: detection, response, and notification procedures
  3. Business continuity: backup management, disaster recovery, crisis management
  4. Supply chain security: assessment and management of risks related to suppliers
  5. Security in the acquisition, development, and maintenance of network and information systems
  6. Assessment of the effectiveness of risk management measures (audits, testing)
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. Multi-factor authentication or continuous authentication solutions, secured communications

Article 23 — Incident Notification Obligations

The directive imposes a multi-stage incident notification process to the national CSIRT or competent authority:

  • Early warning: within 24 hours of becoming aware of a significant incident, the entity must submit an initial notification indicating whether the incident is suspected to have been caused by a malicious act and whether it may have cross-border impact
  • Incident notification: within 72 hours, a more detailed notification including an initial assessment of the incident, its severity, impact, and, where applicable, indicators of compromise
  • Final report: within one month after the incident notification, a comprehensive report including a detailed description of the incident, the type of threat, mitigation measures applied, and any cross-border impact

An incident is considered significant if it has caused or is capable of causing severe operational disruption of services or financial losses for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material, physical, or moral damage.
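As an added illustration (not code from the original article or from the ConformITly platform), the following Python sketch turns the three Article 23 stages into concrete deadlines for a constructed incident. The stage names, the simplified significance flags, and the calendar-month arithmetic for the final report are assumptions; the one point worth noticing is that the final-report clock runs from the actual incident notification, not from the moment of awareness.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


def add_calendar_month(dt: datetime) -> datetime:
    """Add one calendar month, clamping the day to the target month's length
    (e.g. 31 January -> 28/29 February). Assumption: 'one month' in Article 23
    is read as a calendar month rather than a fixed 30 days."""
    year, month = dt.year, dt.month + 1
    if month > 12:
        year, month = year + 1, 1
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass
class Incident:
    aware_at: datetime                 # when the entity became aware of the incident
    severe_disruption: bool = False    # severe operational disruption of services
    financial_loss: bool = False       # financial losses for the entity
    third_party_damage: bool = False   # considerable damage to other natural/legal persons
    notified_at: Optional[datetime] = None  # when the 72h incident notification was actually sent


def is_significant(inc: Incident) -> bool:
    """Simplified reading of the 'significant incident' test quoted above."""
    return inc.severe_disruption or inc.financial_loss or inc.third_party_damage


def article23_deadlines(inc: Incident) -> Dict[str, datetime]:
    """Return the latest permitted time for each notification stage.
    Non-significant incidents carry no Article 23 obligation, so the dict is empty."""
    if not is_significant(inc):
        return {}
    deadlines = {
        "early_warning": inc.aware_at + timedelta(hours=24),
        "incident_notification": inc.aware_at + timedelta(hours=72),
    }
    # The final report is due one month after the incident notification itself.
    # Until that notification is sent, plan against the latest time it may be sent.
    anchor = inc.notified_at or deadlines["incident_notification"]
    deadlines["final_report"] = add_calendar_month(anchor)
    return deadlines


def overdue_stages(inc: Incident, now: datetime) -> List[str]:
    """Stages whose deadline has already passed at 'now' (useful for an alerting job)."""
    return [stage for stage, due in article23_deadlines(inc).items() if now > due]
```

Running it with a constructed incident detected on 30 January 2025 at 09:00 UTC gives an early-warning deadline of 31 January 09:00, an incident-notification deadline of 2 February 09:00, and a final-report deadline of 2 March 09:00, which moves to 28 February if the notification is actually sent on 31 January.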

Timeline and Transposition

The NIS2 implementation timeline is as follows:

  • January 16, 2023: the directive enters into force
  • October 17, 2024: deadline for Member States to transpose into national law
  • April 17, 2025: Member States must establish the list of essential and important entities
  • October 17, 2027: first review of the directive by the European Commission

Each EU Member State is responsible for transposing NIS2 into its national legal framework. Organizations operating across multiple Member States should monitor transposition progress in each relevant jurisdiction.

Penalties for Non-Compliance

NIS2 introduces a harmonized and significantly strengthened penalty regime:

  • Essential entities: fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher
  • Important entities: fines of up to EUR 7 million or 1.4% of global annual turnover
  • Management liability: management bodies can be held personally liable for non-compliance, with the possibility of temporary bans from exercising management functions

These penalties are comparable to those under the GDPR and demonstrate the European legislator’s intention to make cybersecurity an absolute priority for organizations.

How to Prepare for NIS2

Achieving NIS2 compliance is a structured undertaking that requires a methodical approach:

  1. Assess your eligibility: determine whether your organization falls within the directive’s scope and whether you are classified as an essential or important entity
  2. Conduct a baseline assessment: perform an audit of your current cybersecurity posture against the requirements of Article 21
  3. Identify gaps: compare your current situation with NIS2 obligations to identify priority areas for improvement
  4. Develop a roadmap: define a structured action plan with clear milestones and assigned responsibilities
  5. Engage leadership: ensure that management bodies understand their responsibilities and allocate the necessary resources
  6. Establish notification processes: prepare your incident detection and notification procedures within the prescribed timeframes
  7. Train your teams: raise awareness among all employees and provide technical training to relevant staff

How ConformITly Can Help

ConformITly is a SaaS platform designed to simplify and accelerate your NIS2 compliance journey. Our solution enables you to:

  • Automatically qualify your organization according to NIS2 criteria (essential or important entity)
  • Perform your gap analysis through a structured questionnaire covering all Article 21 requirements
  • Generate a prioritized action plan with concrete recommendations tailored to your context
  • Track your progress in real time with dashboards and compliance indicators
  • Manage your incidents with an integrated workflow that respects Article 23 notification deadlines
  • Document your compliance for audits and inspections by competent authorities

Whether you are just starting your compliance journey or looking to structure an existing program, ConformITly provides the tools you need to approach NIS2 with confidence.

Request a demo and discover how ConformITly can transform your approach to NIS2 compliance.
