
What is the NIS2 Directive?
The NIS2 (Network and Information Security 2) Directive is the European Union’s updated, overarching cybersecurity legislation governing cybersecurity in 18 critical sectors.
NIS2 requires each EU Member State to adopt a national cybersecurity strategy, ensure the proper critical entities comply, and include risk management measures such as:
Supply chain cybersecurity
Vulnerability management
Cybersecurity education and awareness
Incident reporting
Access control
And more (see the Q&A section below), including mandatory provisions for information sharing.
The EU-wide cybersecurity law was created to combat increasing cyberattacks against critical infrastructure within Member States. In 2024, ENISA (European Union Agency for Cybersecurity) published a report listing some of these: ransomware, malware, social engineering, threats against data, denial of service, and more.
The original NIS Directive was released in 2016, and the current version came into effect in 2023, with an implementation deadline of October 17, 2024.
Who Does NIS2 Apply To?
NIS2 applies to “essential and important” entities within 18 critical sectors. These include:
Large Entities (over 250 employees or over $50M revenue)
Medium Entities (50 to 249 employees or over $10M revenue)
And some Small and Micro Entities, where applicable.
The “essential” Sectors of High Criticality include:
Energy
Transport
Banking
Financial Market Infrastructure
Health
Drinking Water
Waste Water
Digital Infrastructure
ICT (Information and Communications Technology)-Service Management (B2B)
Public Administration Entities
Space
Other “important” critical sectors include:
Postal and Courier Services
Waste Management
Chemicals
Food
Manufacturing
Digital Providers
Research
And lastly, “entities providing domain name registration services” are held accountable under NIS2, but only to Article 3(3) and Article 28.
Key requirements of NIS2
Under NIS2, Member States in the EU are required to ensure that their essential and important entities adhere to the following core mandates:
Article 21: Cybersecurity Risk Management | Put risk management measures in place proportional to the danger posed to network and information systems. These should include policies on:
Risk analysis and information system security
Incident handling, business continuity, crisis management
Supply chain security and vulnerability disclosure
MFA, encryption, basic cyber hygiene practices and cybersecurity training
And more
Article 23: Reporting Obligations | Entities must notify their CSIRT or competent authority “without undue delay” of any cybersecurity incidents having a significant impact on essential or important services.
This includes providing a 24-hour “early warning” that indicates whether the incident is suspected of having a cross-border impact. It also mandates a 72-hour check-in with an initial assessment of the incident at that time.
They also must notify those that can be impacted by the service disruptions “without undue delay” of any mitigating measures, and if possible, of the nature of the incident.
Article 20: Governance | The management bodies of essential and important entities must approve the cybersecurity risk management measures required in Article 21 and oversee their implementation. They can be held liable for violations.
Additionally, management bodies must follow training to ensure they can accurately “identify risks and assess cybersecurity risk-management practices and their impact on the services provided by the entity.”
Employees are encouraged, but not required, to undergo the same training.
Article 29: Information Sharing | Member States (and other entities as specified) must be able to exchange information on cyber threats, near misses, vulnerabilities, indicators of compromise, techniques and procedures, and more.
Member States must facilitate these cybersecurity information-sharing arrangements, and ENISA will provide assistance in the form of best practices and guidance.
Consequences of Non-Compliance
Failure to comply with the NIS2 Directive can result in penalties, fines, and other consequences of several kinds. These include:
Administrative Fines
Essential Entities | Up to 10 million Euros or 2% of global annual revenue.
Important Entities | Up to 7 million Euros or 1.4% of global annual revenue.
Criminal Sanctions for Management
C-level management executives can be held directly responsible for “gross negligence” following a violation, with the following consequences imposed:
An order for the organization to make the compliance violation public.
A requirement to issue a public statement identifying the person(s) accountable for the breach of compliance, and in what way.
For essential entities only, executives can be temporarily barred from their management positions.
Non-monetary Remedies
These include compliance orders, security audit implementation orders, and threat notification letters to the affected customers of the entity (a reputational penalty in itself).
How to Prepare for NIS2 Compliance
As of October 17, 2024, all EU Member States are required to make the NIS2 Directive part of national law and enforce its statutes. As critical sector entities find themselves accountable for NIS2 compliance, here are some steps they can take to fully adopt the mandatory requirements.
Step 1: Determine applicability and scope | After determining if your entity is within scope (are you a large or mid-sized entity within one of the 18 critical sectors in the EU?), determine which business units will be responsible for carrying out core NIS2 demands. These include units attached to risk management, reporting, and governance, for starters.
Step 2: Perform a NIS2 Gap Analysis | See what measures are already in place for key requirements, and which measures fall short.
Are your cybersecurity risk management policies in place and sufficient?
Are your reporting chains of command well-established and able to communicate to the correct governing body within 24 hours of initial discovery? And then to provide a sufficient analysis within 72 hours?
Is management properly trained to identify cybersecurity risks, and are employees being encouraged to do the same?
Step 3: Lean on Industry-Standard Frameworks | Strong, industry-standard cybersecurity frameworks like ISO 27001:2022 and NIST CSF can provide a solid foundation for NIS2 compliance. With a host of crossovers that help entities comply with NIS2 objectives (risk management, incident response, access control, supply chain security, etc.), these standards are a great place to start.
Step 4: Fill In Gaps with Compliance-Informed Solutions | Partner with a provider that understands international compliance requirements and has worked with critical industry partners before. NIS2 strikes at the intersection of government and industry cybersecurity, so having a vendor that understands both landscapes is key to deploying the right solutions.
Partner with Fortra for NIS2 Compliance
Wherever you are on your NIS2 compliance journey, Fortra can help. From risk-based vulnerability management to automated compliance reporting, get the curated help you need to meet NIS2 Directive requirements and harden your critical sector against attacks.
Q&A Section: Core NIS2 Terms Explained
What is a "significant cyber incident" under NIS2?
A “significant cyber incident” under NIS2 is classified as one that:
Can cause, or has caused, severe operational disruption or financial damage to the entity in question.
Can cause, or has caused, material or non-material damage to natural or legal persons.
Who are "essential entities" under NIS2?
“Essential entities” under NIS2 include large and medium-sized enterprises within energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT-service management (B2B), public administration entities, and space.
What does "risk management measures" mean in the context of NIS2?
In the context of NIS2, risk management measures refer to:
Registration as an essential or important entity.
Governance, in which managing boards must approve cybersecurity risk management measures.
Network and Information Security Policy
Risk Management Policy
Continuous Improvement to assess the effectiveness of cybersecurity risk management measures.
Basic Cyber Hygiene Practices and Security Training
Asset Management
Human Resources Security
Access Control
Environmental and Physical Security
Cryptography, Encryption, and Authentication
Supply Chain Policy
Security in Network and Information Systems Acquisition, Development, and Maintenance
Incident Handling
Incident Reporting
Business Continuity and Crisis Management
What are the penalties for non-compliance?
Financial penalties for non-compliance with NIS2 include fines of up to 10 million Euros or 2% of global annual revenue for essential entities, and up to 7 million Euros or 1.4% of global annual revenue for important entities.
Compliance Is Not Security, But It's a Start
Mature beyond checkbox compliance. Fortra® helps organizations around the world follow regulatory compliance mandates and align with security frameworks to strengthen their security posture.