The NIS2 Directive

The NIS2 Directive (EU) 2022/2555 enhances cybersecurity across the EU by replacing the original NIS1 Directive, aiming to unify legal frameworks and improve resilience against cyber threats. It introduces stricter requirements, broader scope, and emphasizes supply chain security, categorizing entities into 'Essential' and 'Important' for clearer compliance obligations. The directive mandates comprehensive risk management measures and a stringent incident reporting framework to bolster the EU's cybersecurity posture and protect vital services.

Uploaded by George Lazar

The NIS2 Directive: Enhancing Cybersecurity Across the European Union
I. The NIS2 Directive: A New Era for EU Cybersecurity
A. Introduction to Directive (EU) 2022/2555 (NIS2 Directive)

The European Union has significantly advanced its cybersecurity framework with the
introduction of Directive (EU) 2022/2555, commonly known as the NIS2 Directive.1 This
legislation, which formally entered into force in January 2023, repeals and replaces the EU's
first cybersecurity directive, the Network and Information Systems Directive (NIS1).1 NIS2
represents a comprehensive overhaul designed to establish a unified legal framework and
elevate the common level of cybersecurity across all Member States. Its core aim is to
respond to the escalating cyber threats by imposing a wider scope, clearer rules, and more
robust supervision tools.1 The directive's overarching goals are to increase the cyber
resilience of critical entities, streamline cybersecurity practices, and improve the EU's overall
preparedness to prevent, detect, respond to, and recover from cyberattacks.5
The evolution from NIS1 to NIS2 signifies a maturation in the EU's approach to cybersecurity.
While NIS1 was a landmark as the "first comprehensive EU legislation" in this domain 1, laying
essential groundwork for harmonisation, its implementation revealed certain limitations in the
face of a rapidly evolving and increasingly hostile digital landscape. The enhanced provisions
within NIS2, particularly its broader scope and more stringent requirements, reflect lessons
learned from the operational realities of NIS1. The explicit objective to "raise the EU common
level of ambition on cyber-security" 1 suggests a recognition that the outcomes under the
previous directive were no longer sufficient to meet current and anticipated future challenges.
Furthermore, the introduction of NIS2 can be interpreted as more than a mere technical or
legal update; it is indicative of a strategic imperative by the EU to bolster its digital sovereignty
and safeguard the integrity of its single market. The directive's focus on upholding
cybersecurity in 18 critical sectors 1 and protecting "vital services for the EU's economy and
society" 1 underscores a fundamental concern for the stability, security, and competitiveness
of the Union. By mandating higher common security standards and fostering deeper
cross-border cooperation, the EU aims to diminish its vulnerability to sophisticated cyber
threats, including state-sponsored attacks and large-scale cybercrime, which could otherwise
disrupt essential services and undermine economic and social cohesion. The explicit inclusion
of supply chain security requirements 1 further reinforces this strategic posture, addressing a
critical vector through which the EU's critical infrastructure and digital economy can be
targeted.
II. From NIS1 to NIS2: Addressing Evolving Cyber
Threats and NIS1's Limitations
A. Rationale for Replacing NIS1

The decision to replace the original NIS Directive (NIS1) stemmed from a recognition of its
inherent limitations and the rapidly evolving cybersecurity landscape. The implementation of
NIS1 across Member States faced considerable challenges, leading to "inconsistent efforts
across the Union" 3 and varying levels of cyber resilience. The European Commission initiated
the revision process in December 2020, driven by the "increased exposure of Europe to cyber
threats" 1 and the need for a more harmonized and effective response.
Several key deficiencies in NIS1 were identified, which NIS2 aims to rectify. These included
"insufficient cyber resilience of EU businesses," "inconsistent resilience across Member States
and sectors," a "lack of common understanding of threats," and a "lack of joint crisis
response".7 A significant factor contributing to this fragmentation was the considerable
flexibility afforded to Member States under NIS1 in defining which entities constituted
"operators of essential services".8 This discretion resulted in divergent applications of the
rules, hindering the establishment of a consistently high level of security across the EU.
The transition from NIS1 to NIS2 therefore signals a deliberate policy shift away from a
framework characterized by significant national discretion towards one that promotes greater
harmonisation and a more centrally guided EU-wide cybersecurity posture. The
inconsistencies fostered by NIS1's flexible approach 8, which led to "inconsistent efforts" 3, are
directly addressed by NIS2's introduction of "uniform criteria for classifying organizations" 9,
"clearer rules" 1, and the establishment of a "unified legal framework".1 These changes are
fundamental to achieving the directive's objective of a "high common level of cybersecurity
across the Union".2
B. Key Enhancements and Expanded Ambitions in NIS2

NIS2 introduces a series of significant enhancements designed to create a more robust and
resilient cybersecurity environment within the EU. Compared to its predecessor, NIS2 features
a considerably wider scope, encompassing more sectors and types of entities. It mandates
stricter security and incident reporting obligations, provides clearer rules for compliance,
strengthens supervisory tools available to national authorities, improves mechanisms for
cross-border collaboration, and introduces more stringent and harmonized enforcement
measures, including substantial financial penalties.1
Specific improvements brought by NIS2 include:
●​ Broader Scope: The directive significantly expands the range of sectors and entities
falling under its purview. This includes not only sectors traditionally considered critical
but also extends to new areas and explicitly covers many medium-sized businesses,
which were often outside the scope of NIS1.1
●​ Stricter Requirements: Organizations are now subject to more advanced and detailed
cybersecurity risk management measures and more precise, time-bound incident
reporting guidelines.3
●​ Supply Chain Security: A crucial addition in NIS2 is the explicit requirement for
covered entities to address cybersecurity risks in their supply chains. This is a first for
EU-wide cybersecurity legislation of this nature and reflects the growing understanding
of supply chain vulnerabilities as major attack vectors.1
●​ Harmonized Sanctions: The directive introduces significantly stricter financial
penalties for non-compliance and aims for greater consistency in their application
across Member States.3
●​ Management Accountability: NIS2 places direct responsibility on the management
bodies of covered entities for approving and overseeing cybersecurity risk management
measures. Crucially, it introduces provisions for holding management liable for
non-compliance.1
The explicit incorporation of supply chain security and management liability within NIS2 marks
a fundamental evolution in how cybersecurity is framed and governed. Previously, the focus
was predominantly on the direct security measures implemented by individual operators.
NIS2, by mandating attention to "supply chain security" 1, acknowledges the interconnected
nature of the digital ecosystem, where an organization’s security is intrinsically linked to that
of its partners and suppliers. This addresses a well-documented trend of attackers exploiting
vulnerabilities in third-party vendors to compromise larger targets. Simultaneously, holding
"management bodies...liable for failing to do so" 10 with respect to cybersecurity obligations
elevates the issue from a purely technical concern to a strategic, board-level responsibility.
This shift compels senior leadership to engage deeply with cybersecurity risk, ensuring it is
integrated into overall business strategy and governance, rather than being siloed within IT
departments. Such a top-down approach recognizes that effective cybersecurity relies not
only on technical controls but also on robust governance, accountability, and a
security-conscious culture throughout the organization and its extended value chain.
III. Who is Affected by NIS2? Scope and Applicability
A. Categorization: Essential Entities (EE) and Important Entities (IE)

A key change introduced by NIS2 is the move away from NIS1's classifications of "Operators of
Essential Services" (OES) and "Digital Service Providers" (DSP). Instead, NIS2 categorizes
covered entities as either "Essential Entities" (EE) or "Important Entities" (IE).7 This new
classification system aims to provide greater clarity and uniformity across Member States.
Essential Entities are typically those operating in the most critical sectors and are subject to
stricter cybersecurity requirements and proactive supervision by national competent
authorities. Important Entities, while still critical, are generally subject to less rigorous
oversight, often involving ex-post supervision, meaning authorities will intervene primarily if
there are indications of an incident or non-compliance.6 The specific obligations and the
intensity of supervision vary depending on whether an entity is classified as Essential or
Important.
The table below provides an overview of the sectors covered by NIS2, differentiating between
those generally considered to host Essential Entities and those hosting Important Entities.
This categorization is crucial for organizations to quickly determine their potential obligations
under the new directive. Knowing whether an entity falls into an "Essential" or "Important"
category will directly influence the urgency and depth of compliance efforts, resource
allocation for cybersecurity measures, and the nature of interaction with supervisory
authorities. This structured approach aims to offer more precision than was sometimes the
case under NIS1.6
Essential Sectors:
● Energy (electricity, district heating and cooling, oil, gas, hydrogen)
● Transport (air, rail, water, road)
● Banking
● Financial Market Infrastructures
● Health (e.g., healthcare providers, EU reference laboratories, entities conducting R&D of
medicinal products, manufacturing of basic pharmaceutical products and preparations,
critical medical devices)
● Drinking Water
● Wastewater
● Digital Infrastructure (e.g., Internet Exchange Points (IXPs), DNS service providers
(excluding root name server operators), TLD name registries, cloud computing service
providers, data centre service providers, content delivery network providers, trust service
providers)
● ICT Service Management (business-to-business managed service providers and managed
security service providers)
● Public Administration (central and regional government entities; specific exclusions may
apply)
● Space (operators of ground-based infrastructure supporting space-based services)
Important Sectors:
● Postal and Courier Services
● Waste Management
● Chemicals (manufacturing and distribution)
● Food (production, processing, and distribution)
● Manufacturing (e.g., medical devices; computers, electronic and optical products; electrical
equipment; machinery and equipment n.e.c.; motor vehicles, trailers and semi-trailers; other
transport equipment)
● Digital Providers (providers of online marketplaces, online search engines, and social
networking service platforms)
● Research Organisations
Sources: 5
B. Size Thresholds for Inclusion

As a general principle, the NIS2 Directive applies to medium-sized and large entities operating
within the sectors listed above.1 The directive establishes specific size thresholds to determine
applicability:
●​ Medium-sized entities are defined as those employing 50 or more persons AND
having an annual turnover or annual balance sheet total of at least EUR 10 million.2
●​ Large entities are defined as those employing 250 or more persons AND having an
annual turnover of at least EUR 50 million or an annual balance sheet total of at least
EUR 43 million.2
This "size-cap rule" means that most small and micro-enterprises are, by default, excluded
from the direct scope of NIS2. However, the directive includes provisions for Member States to
identify smaller entities that may still be covered if their services are critical for societal
functions or if disruption to their services could have significant cross-border impacts.10
While these size thresholds exempt many Small and Medium-sized Enterprises (SMEs) from
direct compliance with the full suite of NIS2 obligations, those SMEs that form part of the
supply chains of covered Essential or Important Entities will likely experience the indirect
effects of the directive. Essential and Important Entities are explicitly mandated to manage
cybersecurity risks within their supply chains.1 This will inevitably lead them to assess the
security practices of their suppliers and potentially impose specific cybersecurity
requirements on them, irrespective of whether these suppliers independently meet the size
criteria for direct NIS2 applicability. This creates a cascading effect, where the heightened
security standards of NIS2 permeate through the broader economic ecosystem.
The differentiation between Essential and Important Entities, coupled with the general
exclusion of most small businesses, introduces a nuanced risk landscape. While Essential
Entities will face more stringent and proactive supervision, Important Entities with "less
rigorous oversight" 8 and SMEs (which often have fewer resources dedicated to cybersecurity)
could potentially represent more accessible targets for malicious actors. Given the highly
interconnected nature of modern digital systems, a security breach in a seemingly less critical
"Important Entity" or an out-of-scope SME within a critical supply chain could serve as an
entry point for an attack targeting a more heavily defended "Essential Entity." This
underscores the critical importance of the supply chain security measures embedded within
NIS2 and highlights an ongoing need for broader cybersecurity capacity-building initiatives
that extend beyond the entities directly regulated by the directive. Attackers frequently seek
the path of least resistance, and the security of the entire ecosystem is often determined by
its weakest link.
IV. Core Cybersecurity Obligations under NIS2
A. Mandatory Cybersecurity Risk Management Measures

A cornerstone of the NIS2 Directive is the obligation for covered entities to implement
comprehensive cybersecurity risk management measures. Article 21 of the directive stipulates
that Essential and Important Entities must take "appropriate and proportionate technical,
operational and organisational measures to manage the risks posed to the security of network
and information systems" which they use for their operations or service provision.13 These
measures must be based on an "all-hazards approach," meaning they should aim to protect
network and information systems and their physical environment from all types of incidents,
including cyberattacks, human error, natural disasters, or system failures.13
NIS2 outlines a minimum set of security measures that entities must address.4 These include:
●​ Policies on risk analysis and information system security.
●​ Incident handling procedures (covering prevention, detection, response, and recovery).
●​ Business continuity and crisis management plans, such as backup management and
disaster recovery strategies.
●​ Supply chain security, including security-related aspects concerning the relationships
between each entity and its direct suppliers or service providers.
●​ Security in the acquisition, development, and maintenance of network and information
systems, including vulnerability handling and disclosure.
●​ Policies and procedures to assess the effectiveness of cybersecurity risk-management
measures.
●​ Basic cyber hygiene practices and cybersecurity training for employees.
●​ Policies and procedures regarding the use of cryptography and, where appropriate,
encryption.
●​ Human resources security, access control policies, and asset management.
●​ The use of multi-factor authentication (MFA) or continuous authentication solutions,
secured voice, video, and text communications, and secured emergency communication
systems within the entity, where appropriate.
The requirement for an "all-hazards approach," combined with this baseline list of measures,
signals a shift towards a more holistic and adaptable cybersecurity posture. Rather than
prescribing specific technologies, NIS2 emphasizes rigorous risk assessment and continuous
improvement. The "all-hazards" principle 13 compels organizations to consider a wide
spectrum of potential threats, extending beyond malicious cyber activities to include
accidental incidents and environmental factors that could impact their cyber-physical
systems. While Article 21 provides a foundational list of security domains to be addressed 13,
the overarching principle of "appropriate and proportionate" means that entities must tailor
these measures to their specific risk profile, their size and complexity, and the potential
societal and economic impact of an incident. This necessitates a departure from a
one-size-fits-all checklist approach. Furthermore, the mandate for "policies and procedures
to assess the effectiveness of cybersecurity risk-management measures" 13 embeds a
requirement for an ongoing cycle of review, testing, and adaptation, ensuring that security
controls remain effective in the face of evolving threats and changing business environments.
B. Strict Incident Reporting Framework

NIS2 establishes a more stringent and harmonized framework for reporting significant
cybersecurity incidents to national competent authorities or Computer Security Incident
Response Teams (CSIRTs).5 Timely and structured reporting is deemed crucial for enabling
national authorities to effectively manage incidents, identify emerging threat patterns, issue
warnings to other potentially affected entities, and coordinate response efforts.
The directive mandates a multi-stage reporting process for incidents deemed "significant"
(the criteria for which will be further defined by Member States, but which generally relate to
incidents causing or capable of causing substantial operational disruption or financial
damage):
●​ Early Warning: Entities must submit an early warning to their designated CSIRT or
competent authority "without undue delay and in any event within 24 hours of becoming
aware" of a significant incident.5 This initial report should indicate, if possible, whether
the incident is suspected of being caused by unlawful or malicious acts or could have a
cross-border impact.
●​ Incident Notification: Following the early warning, entities must submit an incident
notification "without undue delay and in any event within 72 hours of becoming aware"
of the significant incident.5 This notification should update the information from the
early warning and provide an initial assessment of the incident, including its severity,
impact, and, where available, indicators of compromise.
●​ Final Report: Entities are required to submit a final report "not later than one month
after the submission of the incident notification".5 If the incident is ongoing at the time
the final report is due, entities should provide a progress report and then a final report
within one month of the incident's resolution. The final report should include a detailed
description of the incident, its root cause, the mitigation measures applied, and lessons
learned.
These tight reporting deadlines, particularly the 24-hour window for the initial early warning,
will necessitate that organizations have well-defined and rehearsed incident response plans
and clear internal communication protocols. The process of discovering, validating, assessing
the significance of, and then formally reporting even preliminary details of a major
cybersecurity incident within such a short timeframe can be highly demanding. Organizations
not accustomed to such rapid formal reporting requirements may find their resources
significantly strained. This implies a substantial need for preparatory work, including clearly
defining what constitutes a "significant incident" within their specific operational context,
unambiguously assigning responsibilities for incident management and reporting, and
potentially having pre-approved reporting templates and communication channels. The
potential for variations in the specific details and thresholds for reporting as Member States
transpose the directive into national law 15 could also introduce an additional layer of
complexity for organizations operating across multiple EU jurisdictions.
C. Enhanced Corporate Accountability for Cybersecurity

A significant development under NIS2 is the increased emphasis on corporate accountability
for cybersecurity, extending to the highest levels of management. The directive mandates that
the management bodies of Essential and Important Entities must approve the cybersecurity
risk-management measures taken by those entities and oversee their implementation.1 This
provision effectively elevates cybersecurity from a purely operational or IT department
concern to a strategic, board-level responsibility.
Crucially, these management bodies can be held liable for infringements of the cybersecurity
risk management and reporting obligations.8 The implications of this are substantial, as
national laws transposing the directive may provide for personal sanctions against members
of management in cases of gross negligence or repeated failures to comply. Such sanctions
could include fines or even temporary bans from exercising managerial functions in similar
entities.8
This direct accountability provision for senior leadership is anticipated to be a powerful
catalyst for increased investment in, and prioritization of, cybersecurity within organizations.
The prospect of personal liability, coupled with the potential for significant reputational
damage to both the organization and its leaders, compels a deeper engagement with and
understanding of cyber risks at the executive and board levels. It encourages the allocation of
adequate financial and human resources, the implementation of comprehensive training
programs, and the integration of cybersecurity considerations into overall strategic planning,
rather than treating it as a discretionary operational cost or a purely technical matter.
D. Business Continuity and Crisis Management

NIS2 places a strong emphasis on ensuring the resilience of essential and important services.
As such, robust business continuity and crisis management capabilities are mandated as key
components of an entity's overall cybersecurity risk management framework.2 Covered
entities must take measures to ensure that they can maintain or, if disrupted, restore their
essential functions both during and after a cybersecurity incident.
This obligation focuses on the ability of organizations to withstand and recover effectively
from cyberattacks or other disruptive events, thereby minimizing the impact on their services
and the wider economy or society. Key elements that entities must address include
developing and maintaining backup management systems, comprehensive disaster recovery
plans, and clear crisis management procedures.13
The directive's focus on business continuity and crisis management underscores a pragmatic
understanding that not all cybersecurity incidents can be prevented. While preventative
measures are critical, NIS2 acknowledges that organizations must also be prepared to
respond to and recover from incidents when they inevitably occur. This requires organizations
to think beyond defensive controls and to invest in robust recovery capabilities. Implicit in this
is the need to regularly test these plans, for example through "tabletop exercises" 12 or more
comprehensive simulations, as part of the broader requirement to "assess the effectiveness
of cybersecurity risk-management measures".13 This reflects a mature approach to
cybersecurity that prioritizes overall operational resilience rather than focusing solely on
prevention.
V. Implementation Timeline and Enforcement
A. Key Dates for Compliance

The NIS2 Directive officially entered into force on January 16, 2023.3 Following this, EU
Member States are required to transpose the provisions of the directive into their national
laws by October 17, 2024.1 From October 18, 2024, the NIS2 Directive will repeal and replace
the original NIS1 Directive.1
Organizations falling within the scope of NIS2 must actively prepare for compliance as these
national laws come into effect. It is important to note that achieving full compliance with the
comprehensive requirements of NIS2 can be a significant undertaking. Experience suggests
that a typical compliance journey, including conducting security assessments, gap analyses,
implementing necessary technical and organizational measures, and staff training, can take
approximately 12 months.3
The relatively condensed timeframe for transposition—less than two years from the directive's
entry into force—places considerable pressure on both Member States to finalize and enact
their national legislation and on organizations to adapt to these new, more stringent
requirements. For Member States, the transposition process involves complex legal and
administrative procedures. For organizations, understanding the nuances of the new national
laws, performing thorough gap analyses against NIS2's demands, implementing the required
changes to policies, processes, and technologies, and ensuring staff are adequately trained
all demand substantial time, resources, and strategic planning. The indicative 12-month
compliance journey 3 implies that entities should have initiated their preparatory activities well
in advance of the October 2024 transposition deadline to ensure they are compliant when the
national laws become enforceable.
B. Supervisory Powers and Enforcement

NIS2 significantly strengthens the supervisory powers of national competent authorities to
oversee compliance. These authorities will be equipped with a range of tools to monitor and
enforce the directive's provisions, including the power to conduct regular and targeted audits,
perform on-site and off-site checks (inspections), request information and access to data,
documents, or any evidence deemed necessary for their supervisory tasks.7 This proactive
approach to supervision is intended to ensure ongoing compliance and to identify and
address weaknesses before they can be exploited, rather than solely reacting after a breach
has occurred.
The directive also establishes a differentiated supervisory regime. Essential Entities will
generally be subject to more intensive, proactive supervision, reflecting their critical
importance. Important Entities, on the other hand, will typically face ex-post supervision,
meaning that supervisory actions will primarily be triggered by evidence or notification of an
incident or a failure to comply with the directive's requirements.6
C. Penalties for Non-Compliance

To ensure the effectiveness of the new rules, NIS2 introduces a consistent framework for
sanctions across the Union, including the possibility of substantial financial penalties for
non-compliance.3 The maximum levels of these administrative fines are harmonized and are
designed to be effective, proportionate, and dissuasive:
●​ For Essential Entities, the maximum fines can be at least EUR 10 million or 2% of the
entity’s total worldwide annual turnover in the preceding financial year, whichever
amount is higher.7
●​ For Important Entities, the maximum fines can be at least EUR 7 million or 1.4% of the
entity’s total worldwide annual turnover in the preceding financial year, whichever
amount is higher.5
These penalties are considerably more severe than those generally available under NIS1 and
are intended to serve as a strong deterrent against neglecting cybersecurity obligations. The
combination of potential management liability for failures in cybersecurity oversight and the
prospect of these severe financial penalties creates a compelling "push" factor for
organizations to invest in and prioritize compliance with NIS2. However, while the fear of fines
and personal accountability 7 will undoubtedly be a primary driver for many organizations, it is
also important to recognize the "pull" factors. Organizations that approach NIS2 strategically,
rather than as a mere compliance burden to be minimally addressed, can achieve significant
benefits. The robust risk management practices, business continuity planning, and supply
chain security measures mandated by the directive inherently lead to improved operational
stability, enhanced customer trust, and can even offer a competitive advantage. Embracing
these requirements as an opportunity to build genuine cyber resilience can transform
cybersecurity from a perceived cost center into a business enabler, fostering long-term
security maturity that goes beyond baseline compliance.
VI. EU-Level Cooperation and Support
A. Key Cooperation Bodies

Recognizing that cybersecurity threats are often cross-border in nature and require
coordinated responses, NIS2 strengthens the mechanisms for cooperation among Member
States and EU bodies. Several key groups and agencies play vital roles in facilitating this
collaboration:
● CSIRTs Network: This network brings together national Computer Security Incident
Response Teams from all Member States. It facilitates operational cooperation on
specific cybersecurity incidents, promotes the sharing of information about threats and
vulnerabilities, and provides mutual assistance in responding to incidents.1
● EU-CyCLONe (European Cyber Crisis Liaison Organisation Network): Established
by NIS2, EU-CyCLONe supports the coordinated management of large-scale
cybersecurity incidents and crises at an operational level. It ensures regular information
exchange among Member States and EU institutions, facilitating a common situational
awareness and coordinated response when major incidents occur.1
● NIS Cooperation Group: This strategic body, originally established under NIS1 and
continued under NIS2, is composed of representatives from Member States, the
European Commission, and the EU Agency for Cybersecurity (ENISA). It facilitates
strategic cooperation, the exchange of information and best practices, and publishes
non-binding guidelines and recommendations to support the consistent implementation
of the NIS Directive across the EU.1
● ENISA (European Union Agency for Cybersecurity): ENISA plays a significantly
enhanced role under NIS2. It is tasked with actively supporting Member States and EU
institutions in the implementation of the directive, developing technical guidelines and
recommendations, organizing cybersecurity exercises, raising awareness through
campaigns, and maintaining important resources such as the European Vulnerability
Database.1
The reinforcement and formalization of these EU-level cooperation bodies signal a clear
intention to move towards more centralized coordination and capability building in the
cybersecurity domain. Effective response to large-scale incidents, such as those
EU-CyCLONe is designed to manage 1, and the proactive sharing of actionable threat
intelligence, a key function of the CSIRTs Network 1, cannot be optimally achieved by Member
States acting in isolation. ENISA's expanded mandate to provide practical guidelines, tools,
and resources 17 is aimed at fostering consistent implementation of NIS2 across all Member
States and building cybersecurity capacity, particularly for entities that may lack extensive
in-house expertise or resources. This collective, coordinated approach is vital given the
deeply interconnected nature of the EU's digital single market and the transnational character
of most significant cyber threats.
VII. Key Implications and Preparing for NIS2
A. Summary of Actions for Organizations

The NIS2 Directive presents a comprehensive set of new cybersecurity obligations.
Organizations potentially affected need to undertake a series of actions to prepare for and
achieve compliance. Based on the directive's requirements, key preparatory steps include 5:
● Scope Assessment: The first crucial step is to determine if and how the directive
applies to the organization. This involves identifying whether the organization operates
in one of the covered sectors, meets the size thresholds, and whether it would be
classified as an Essential or Important Entity.
● Risk Assessment & Gap Analysis: Once applicability is confirmed, organizations must
conduct a thorough cybersecurity risk assessment and a gap analysis to evaluate their
current security posture against the specific requirements of NIS2.
● Implement/Update Security Measures: Based on the gap analysis, entities need to
implement new or update existing security measures to address any identified
deficiencies. This includes reviewing and enhancing policies, procedures, and technical
controls related to areas such as incident handling, business continuity, supply chain
security, access control, encryption, and multi-factor authentication.
● Supply Chain Review: A critical new element is the requirement to assess and manage
cybersecurity risks originating from direct suppliers and service providers. This will
involve reviewing the cybersecurity practices of key partners in the supply chain.
● Incident Response Planning: Organizations must ensure they have robust incident
response plans in place that enable them to meet the strict incident reporting timelines
mandated by NIS2, particularly the 24-hour early warning and 72-hour notification
requirements.
● Management Engagement & Training: Securing leadership buy-in and active
oversight from management bodies is essential, given their direct accountability under
NIS2. Furthermore, comprehensive cybersecurity awareness training for all staff is a
fundamental requirement.
It is important for organizations to view NIS2 compliance not as a one-off project but as an
ongoing process of cyber risk management that needs to be deeply embedded into the
organization's culture, governance structures, and operational workflows. The directive's
emphasis on "policies and procedures to assess the effectiveness of cybersecurity
risk-management measures" 13, combined with the dynamic and ever-evolving nature of cyber
threats, means that compliance is a continuous cycle. This cycle involves regular assessment
of risks, implementation and refinement of controls, testing of security measures and
response plans, and adaptation based on new threats, vulnerabilities, and business changes.
Achieving and maintaining NIS2 compliance necessitates a cultural shift towards proactive
cybersecurity awareness and shared responsibility at all levels of the organization.
The broad scope and stringent requirements of NIS2, particularly concerning supply chain
security and the explicit accountability of management, are poised to create a significant
ripple effect across the European digital economy. As covered Essential and Important Entities
begin to enforce stricter cybersecurity requirements on their suppliers and partners 13, many
SMEs and other organizations not directly within the scope of NIS2 will find themselves
needing to elevate their own security practices to maintain business relationships and
participate in critical value chains. Concurrently, the heightened focus on management
accountability 10 is likely to drive a more robust top-down approach to cybersecurity
governance, which can permeate organizational culture and lead to more strategic
investments in security. This collective uplift in cybersecurity standards, driven by the
regulatory impetus of NIS2, has the potential to significantly enhance the overall cybersecurity
posture of the EU, making its digital ecosystem a harder target for malicious actors and more
resilient to systemic shocks.
VIII. Conclusion
The NIS2 Directive represents a landmark evolution in the European Union's approach to
cybersecurity, establishing a more demanding and harmonized framework to protect critical
infrastructure and essential services. By significantly expanding the scope of covered sectors
and entities, imposing stricter risk management and incident reporting obligations,
introducing direct accountability for management, and mandating robust supply chain
security measures, NIS2 aims to foster a higher common level of cyber resilience across all
Member States.
The directive acknowledges the lessons learned from its predecessor, NIS1, and responds to
the escalating complexity and severity of the cyber threat landscape. Key changes, such as
the clear distinction between Essential and Important Entities, the introduction of substantial
penalties for non-compliance, and the strengthening of EU-level cooperation mechanisms like
ENISA, the CSIRTs Network, and EU-CyCLONe, are all designed to create a more effective and
cohesive cybersecurity posture for the Union.
For organizations falling within its scope, NIS2 compliance will require a concerted and
ongoing effort. This involves not only implementing specific technical and organizational
measures but also embedding cybersecurity into corporate governance and risk management
frameworks. The deadline for transposition by Member States, October 17, 2024,
underscores the urgency for affected entities to assess their obligations and initiate their
compliance journeys.
While the directive presents significant challenges, it also offers an opportunity for
organizations to enhance their operational resilience, build greater trust with customers and
partners, and contribute to a safer and more secure digital single market. Ultimately, the
success of NIS2 will depend on the commitment of both public and private sector entities to
embrace its principles and work collaboratively towards a more cyber-resilient Europe.
Proactive adaptation and a strategic approach to cybersecurity will be paramount for
navigating the new landscape defined by this pivotal legislation.

Works cited

1. NIS2 Directive: new rules on cybersecurity of network and information systems, accessed May 13, 2025, [Link]
2. A Step-by-Step Guide for EU's NIS2 Directive - DataGuard, accessed May 13, 2025, [Link]
3. What is NIS2? - The NIS2 Directive, accessed May 13, 2025, [Link]
4. What Is NIS2? | Compliance and Policies - Akamai, accessed May 13, 2025, [Link]
5. Staying compliant with NIS2 regulation: Key insights - Moody's, accessed May 13, 2025, [Link]
6. NIS2: Compliance Requirements, Deadline & Instructions for the New NIS2 Directive, accessed May 13, 2025, [Link]
7. NIS2 FAQ - The NIS2 Directive, accessed May 13, 2025, [Link]
8. NIS2 vs. NIS1: Key Differences and New Challenges, accessed May 13, 2025, [Link]
9. 5 Key Changes from NIS1 to NIS2 - heyData, accessed May 13, 2025, [Link]
10. NIS 2 Directive: How Will It Affect Cybersecurity In The EU? - Blaze Information Security, accessed May 13, 2025, [Link]
11. NIS1 vs. NIS2: what are the key differences? - negg Blog, accessed May 13, 2025, [Link]
12. NIS2 requirements: A complete guide to compliance & implementation - DataGuard, accessed May 13, 2025, [Link]
13. Article 21, Cybersecurity risk-management measures - The NIS 2 Directive, accessed May 13, 2025, [Link]
14. NIS2 Essential and Important Entities You Should Know - Cyphere, accessed May 13, 2025, [Link]
15. NIS2 Directive Transposition Tracker - ECSO - European Cyber Security Organisation, accessed May 13, 2025, [Link]
16. NIS2 release date - The NIS2 Directive, accessed May 13, 2025, [Link]
17. Network and Information Systems Directive 2 (NIS2) - ENISA - European Union, accessed May 13, 2025, [Link]ns/network-and-information-systems-directive-2-nis2
