NIS2 is the EU’s updated cybersecurity law applying to medium and large companies in critical sectors
Your local deadline to ensure NIS2 compliance will depend on your country’s specific national law
Organizations must implement risk management measures and incident reporting practices
Secomea qualifies as a technical measure you can implement to achieve compliance with NIS2 requirements
What is NIS2?
It is an EU Directive that sets out the Union’s updated legislation on cybersecurity.
It is commonly known as the NIS 2 Directive because it repeals the previous legislation on the matter, another EU Directive from 2016 “concerning measures for a high common level of security on Network and Information Systems (NIS)”.
If you are based outside the EU, NIS2 may not directly affect you. But it’s quickly becoming your customers’ standard. In some cases, being NIS2-aligned is the difference between winning or losing a deal.
You can learn more in this article.
Why was NIS2 introduced?
The NIS Directive adopted in 2016 was the first-ever cybersecurity law in the European Union. While it raised the bar for EU cybersecurity, its implementation was fragmented and inconsistent, and it revealed limitations in addressing new cyber threats.
NIS2 addresses those gaps by:
- Expanding the scope to more OT-heavy sectors (manufacturing, food production, energy, transport and others).
- Imposing stricter requirements on risk management and incident handling.
- Introducing accountability for management and stronger enforcement.
When did NIS2 take effect?
The EU NIS2 Directive entered into force on 16 January 2023, giving Member States until 17 October 2024 to transpose its measures into national law.
However, implementation progress has varied significantly across the EU and EEA.
What’s your compliance deadline?
Your local deadline for ensuring compliance will depend on your country’s specific national laws.
Find out which local legislation has been implemented in your country in our whitepaper.
Who must comply with NIS2?
NIS2 applies to companies that have more than 50 employees or over €10 million in annual turnover and operate in one of the sectors listed in Annexes I and II, such as:
- Energy
- Transport
- Pharmaceutical manufacturing
- Chemicals manufacturing
- Industrial production, processing, and distribution of food
- Manufacturing of medical devices, computers, electronics and electrical equipment, machinery, motor vehicles, and other transport equipment
- Digital infrastructure
- Drinking water and waste water
- and more.
Based on how critical they are to society, organizations are categorized as:
- Essential entities – subject to proactive and regular supervision
- Important entities – only supervised after incidents
All organizations must meet the same core requirements, but the intensity of oversight differs, as well as the penalties.
Fines for non-compliance can be as high as:
- €10M or 2% of global turnover for essential entities;
- €7M or 1.4% for important entities.
What are the key requirements under NIS2?
1. Implement risk management measures
The technical, operational, and organizational measures must be appropriate and proportionate to your company’s risk level and include at least the 10 items listed in Article 21 (e.g., MFA, access controls, business continuity planning).
2. Ensure management accountability
Senior leadership is responsible for compliance and can be held liable for failures.
3. Fulfill reporting obligations
Significant cyber incidents must be reported within strict timelines (e.g., initial report within 24 hours).
How can you ensure NIS2 compliance?
To support you in your compliance journey, we prepared a 10-step implementation program that includes the following phases:
1. Evaluate whether you fall within the scope of NIS2
- Are you impacted by the NIS2 legislation?
- If so, are you an essential or important entity?
2. Make an inventory of your IT and OT assets
- What resources do you use to provide critical services?
- What systems are employed?
- Where are they located?
- Who has access to them?
- How are they protected?
3. Evaluate your risk posture
- What risks are you subject to?
- Which operations would hackers be after if they decide to attack you?
- What would they steal?
- Where would hackers try to infiltrate your network?
- What are their potential cyber-attacks likely to be (malware, phishing, etc.)?
- What are the most serious vulnerabilities you should prioritize (based on their likelihood of occurring and impact severity)?
- How can you prevent them?
3.1. Include your supply chain in your risk assessment
- How do your suppliers ensure security?
- What cybersecurity processes and practices do they have in place to protect the products and services they provide?
- How do they manage security vulnerabilities?
- Do they hold third-party security certifications?
- Can you qualify them as NIS2-compliant vendors?
4. Implement NIS2 cybersecurity measures
- Have you set up MFA as an identity verification method to access your IT and OT assets?
- Do you have policies on risk analysis and information system security?
- Do you have a plan for handling potential incidents?
- Do you have a business continuity plan (such as backup management, disaster recovery, and crisis management)?
- Have you addressed your supply chain due diligence duties?
- Have you set up processes to handle vulnerabilities and disclose them, if necessary?
- Do you regularly test the effectiveness of your cybersecurity risk-management measures?
- Do you provide your employees with cybersecurity training?
- Do you use cryptography and encryption to protect your data?
- Have you set up access control policies?
5. Create a response plan
- Which operations are mission-critical or time-sensitive, and which resources (both technology and people) support those mission-critical areas?
- What impact could a potential cyber incident have on those operations?
- In the event of an incident, who will take charge?
- Which operations should be re-established first?
- Which departments will be involved?
- What will the chain of command look like?
- How will you minimize the time from when a disaster hits until the recovery process begins?
- How will you minimize the impact of a cybersecurity incident?
- How will you keep potential damage to a minimum?
- How will you recover the affected operations to ensure business continuity?
6. Set up a process to report cyber incidents
- Do you have a process in place to fulfill your reporting obligations promptly?
- Does the process enable you to notify the authorities within 24 hours, follow up with an update within 72 hours, and prepare a final report within one month?
7. Train your staff
- Are your employees able to identify risks, detect threats, and respond to incidents?
- Are they aware of their responsibilities and the actions they should perform in the event of a cyber incident?
- Do they know where to find the answers they need?
8. Test the effectiveness of your response measures
- Have you tested roles and priorities to ensure that your employees know what they are supposed to do?
- Have you tested that the measures you implemented work as intended?
- Have you conducted simulated disaster exercises to ensure the effectiveness of the plan and the employees’ readiness?
9. Periodically review and update your response plan
- Have you taken into account multiple possible incident scenarios?
- Have you considered how potential changes in your resources (both technology and people) will affect the effectiveness of your crisis management plan?
- Does your response plan need to be updated to address these changes?
10. Documentation and safe storage
- Have you documented all of your security measures, controls, and processes within policies?
- Have you created plans for incident response, business continuity, backup management, crisis management, and disaster recovery?
- How do you ensure their appropriate storage so that they are accessible in time of need?
- Have you created any backups?
How should you prepare for a NIS2 compliance audit?
There are a few activities you can perform to get ready for a compliance audit and support its positive outcome:
1. Before the audit
- Inform management early.
- Form a team of subject matter experts that will be participating.
- Look for potential deficiencies in your documentation and start addressing them.
2. During the audit
- Be prepared to explain your security setup and the reasons behind your risk-based decisions. Below is a template you can use.
- Ensure you have all the compliance documentation at hand.
- If your gap analysis revealed deficiencies, provide documentation about how you plan to address them.
3. After the audit
- If deficiencies are found, authorities will usually guide you on improvements and set a deadline instead of issuing a fine. Ensure all measures are implemented by the deadline to avoid penalties.
Need help preparing?
Can Secomea help you achieve NIS2 compliance?
Secomea’s Secure Remote Access solution qualifies as a technical measure under Article 21 of the NIS2 Directive. Below are concrete examples of how Secomea’s features can help you fulfill specific NIS2 requirements.
| NIS2 requirement | With Secomea, you can | Secomea features |
| --- | --- | --- |
| Policies on risk analysis and information system security (access control and asset management) | • Control access on an individual level • Handle role-based user permissions • Grant access to users after they have requested it, for a defined timespan • Scan all files transferred to and from an engineering station for viruses or malware before they are accessible to the user | → Granular access control → Privileged access management → JIT access → Request for access → Secure file transfer → Vulnerability hub |
| A plan for preventing, detecting, and handling potential incidents | • Monitor and manage access in real time (and terminate an ongoing remote access session if suspicious activity is detected) • Restrict network access for affected machines to prevent viruses or malware from infecting other machines • Set up alerts, events, SMS/email alarms, and automated actions to be notified of specific events related to your machines’ status • Restrict connections down to each specific device’s IP address and port, both remotely and on-site with I/O ports for physical control • Integrate with your SIEM (Syslog, Splunk, etc.) | → Real-time session monitoring → Alerts and automated actions → Remote and physical control → SIEM system integration |
| Business continuity, such as backup management, disaster recovery, and crisis management | • Segment your network to prevent lateral movement • Isolate threats using containment features such as air gap or island mode configurations • Review audit logs to check who accessed the affected device, when, and for how long • Review session recordings to identify the cause of the incident and mitigate it | → Network segmentation → Audit logs → Session recordings |
| Supply chain security | • Have the assurance that you are relying on a secure supplier: our secure-by-design solution is IEC 62443-certified and built on a Zero Trust architecture • Gain the same assurance about the other suppliers you rely on that use Secomea themselves (saving you time rating their risk level) • Secure third-party remote access: Secomea lets you precisely adjust access permissions, authenticate user identities securely, and monitor their activities, all without hindering the speed and effectiveness of third-party services | → IEC 62443 |
| Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure | • Access the Vulnerability Hub to assess the risks associated with outdated firmware on SiteManagers and identify the actions needed to prevent downtime • Rely on an official CVE Numbering Authority (CNA), the first and, until recently, the only one in Denmark | → Vulnerability Hub → Cybersecurity advisory process (as a CNA) |
| Policies and procedures regarding the use of cryptography and, where appropriate, encryption | • Connect your assets via AES 256-bit encrypted tunnels based on TLS | → AES 256-bit encryption → TLS tunnels → X.509 certificates |
| The use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems within the entity, where appropriate | • Verify users’ identities via MFA with SMS authentication • Secure users’ authentication via Single Sign-On (SSO) with Azure AD or Okta • Each Secomea Access Management server has a unique TLS certificate/key to which a Secomea gateway binds the first time they connect (trust-on-first-use, ToFu) and against which all subsequent connections are verified | → MFA via SMS → SSO via Azure AD or Okta → Trust-on-first-use (ToFu) |
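As an added illustration of the trust-on-first-use binding described in the last row (example code written for this page, not Secomea’s implementation): a gateway-side pin store that records the server certificate’s fingerprint on first contact, verifies every later connection against it, and refuses to silently re-pin when a different certificate appears. The server name, file location and certificate bytes are constructed placeholders.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

class PinMismatch(Exception):
    """A pinned server presented a certificate that differs from the stored one."""

def fingerprint(der_cert: bytes) -> str:
    # SHA-256 over the DER-encoded certificate is the usual pinning identity.
    return hashlib.sha256(der_cert).hexdigest()

class TofuPinStore:
    """Gateway-side store mapping server_id -> certificate fingerprint (JSON on disk)."""

    def __init__(self, path: Path):
        self.path = path
        self.pins = json.loads(path.read_text()) if path.exists() else {}

    def verify(self, server_id: str, der_cert: bytes) -> str:
        """Return 'pinned' on first contact or 'verified' on a match; raise on mismatch."""
        fp = fingerprint(der_cert)
        known = self.pins.get(server_id)
        if known is None:
            # First use: trust and record. Only as safe as this first contact, so enrol
            # over a trusted network or confirm the fingerprint out of band.
            self.pins[server_id] = fp
            self.path.write_text(json.dumps(self.pins))
            return "pinned"
        if hmac.compare_digest(known, fp):
            return "verified"
        # A changed certificate is treated as an incident; a planned renewal needs an
        # explicit, administrator-approved re-enrolment rather than a silent re-pin.
        raise PinMismatch(f"{server_id}: pinned {known[:12]}.., presented {fp[:12]}..")

def run_demo() -> tuple:
    # Constructed stand-ins for DER certificate bytes and a constructed server name.
    genuine_cert = b"constructed-DER-bytes-for-access-management-server-cert"
    other_cert = b"constructed-DER-bytes-for-a-different-certificate"
    path = Path(tempfile.mkdtemp()) / "pins.json"
    first = TofuPinStore(path).verify("am.example.internal", genuine_cert)
    store = TofuPinStore(path)  # reloaded from disk: the pin survives a restart
    second = store.verify("am.example.internal", genuine_cert)
    try:
        store.verify("am.example.internal", other_cert)
        third = "accepted"
    except PinMismatch:
        third = "rejected"
    return first, second, third
```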
Want to talk to an expert today?
Would you like to hear how Secomea can support you in achieving NIS2 compliance?
Let's schedule a short discovery call – no strings attached.
Frequently asked questions
What is the NIS2 Directive?
The NIS2 Directive is an EU-wide cybersecurity law that requires essential and important organizations to improve their cyber resilience. It replaces the original NIS Directive from 2016 and expands the scope of cybersecurity requirements across more sectors.
Who does the NIS2 Directive apply to?
NIS2 applies to medium and large companies (more than 50 employees or €10 million turnover) operating in critical sectors such as manufacturing, energy, healthcare, digital infrastructure, and transport. Organizations are categorized as either essential or important entities, depending on their criticality.
Is my company, based outside the EU/EEA, impacted by NIS2?
If you are based outside the EU, NIS2 may not directly affect you. But it’s quickly becoming your customers’ standard. In some cases, being NIS2-aligned is the difference between winning or losing a deal.
In our Secomea Connect newsletter on LinkedIn, we explore why non-EU companies are under pressure from NIS2 and how supply chain security is reshaping vendor expectations.
What are the main requirements of the NIS2 Directive?
NIS2 requires companies to ensure executive accountability, implement technical and organizational cybersecurity measures, and report incidents that significantly impact their services. These include access controls, incident response, business continuity, and supply chain risk management.
When is the NIS2 compliance deadline?
Your local deadline to register as a NIS2-impacted entity and ensure compliance will depend on your country’s specific national law. Find out which local legislation has been implemented in your country in our whitepaper.
What happens if an organization fails to comply with NIS2?
Non-compliance can lead to audits, enforcement actions, and administrative fines. The severity depends on factors like the nature of the violation, the organization’s response, and whether negligence was involved.
What are the fines under NIS2?
Up to €10M or 2% of global turnover for essential entities; up to €7M or 1.4% for important entities.
How can Secomea help with NIS2 compliance?
Secomea provides a secure remote access solution that fulfills multiple NIS2 requirements under Article 21. It helps manage access, enforce MFA, log activity, respond to incidents, and assess supply chain risk – making it easier to meet compliance obligations.
Want to dive deep into NIS2?
Explore our NIS2 blog series for in-depth insights.