What is NIS2?

What is the EU NIS 2 Directive and Who Does it Apply to?

On 18 October 2024, the EU NIS 2 Directive officially came into force, marking a pivotal moment in the European Union’s efforts to improve cybersecurity across its member states. The directive aims to enhance the security of essential services by setting more stringent requirements and expanding the scope of cybersecurity obligations.

The directive’s rollout has faced delays in some member states, as national legislation must be implemented to ensure compliance. As organisations across the EU adjust to these new standards, understanding what NIS 2 means and its key obligations is crucial.

This article explains this new directive, who it applies to, its main provisions, and top tips for compliance.

Who does it apply to?

The NIS 2 Directive applies to public and private sector organisations that provide critical services and operate within the EU. Its scope covers these essential services in order to safeguard against cybersecurity risks that pose a significant threat to the economy or public safety.

The following criteria categorise the organisations that fall under the directive:

  • Sectors and services: The Directive classifies organisations in industries such as energy, transport, banking, healthcare, digital infrastructure, and public administration as ‘essential’ or ‘important’ entities. Annexes I and II outline specific criteria and service lists that organisations can refer to in order to confirm whether the Directive applies to them.

  • Size thresholds: Entities must typically qualify as medium-sized enterprises, which the EU defines as companies with up to 250 employees, an annual turnover of up to €50 million, and a balance sheet total of up to €43 million.

  • ‘Essential’ and ‘important’ entities: Article 3 of NIS 2 classifies organisations as either “essential” or “important.” Essential entities include qualified trust service providers, top-level domain name registries, and providers of public electronic communications networks. Important entities encompass all relevant organisations that don’t qualify as essential entities.

This classification affects the degree of regulatory monitoring and enforcement measures organisations are subject to. Essential entities are subject to proactive and reactive supervision, while the Directive requires oversight of important entities only on a reactive basis.

The Directive requires all EU member states to develop a list of essential and important entities by 17 April 2025 and review it every two years.

Organisations not falling directly under NIS 2’s scope may also feel its impact. For example, suppliers to covered entities might face additional cybersecurity requirements as a knock-on effect of these companies securing their entire supply chain. Suppliers may also need to adapt their operations to meet specific certifications, such as ISO 27001, to align with NIS 2 standards.

What are the main provisions?

NIS 2 sets out several key provisions entities must follow. They can be broadly separated into four main categories:

Cybersecurity Risk Management

Organisations must implement appropriate measures to manage cybersecurity risks, ensuring such measures are proportionate to the relevant threat.

The measures must include:

  • Technical controls to minimise and detect cybersecurity threats, such as firewalls and regular security updates.

  • Operational steps, including security audits and risk assessments.

  • Organisational measures to raise awareness of security practices, such as adopting policies and training employees.

Entities must also enforce the necessary measures throughout their supply chain to prevent indirect threats.

Reporting Obligations

Companies must report significant cybersecurity breaches within specified timeframes:

  • Early warning: They must send an initial notification to the relevant cybersecurity authority within 24 hours of the incident. This notification must highlight whether the incident will likely cause unlawful or malicious acts or have a cross-border impact.

  • Incident notification: Entities must follow up with a detailed formal report on the incident within 72 hours.

  • Final report: Organisations must send a final report detailing the incident, threat level, mitigation measures, and cross-border impact no later than one month after submitting the incident notification.

Management Body Responsibilities

Management bodies of essential and important entities must approve the relevant cybersecurity measures and oversee their implementation. Such bodies may be held liable for non-compliance with this provision.

Member states must ensure management bodies undergo the necessary training and provide the same training to their employees.

Cooperation with Authorities

Organisations must work closely with their national cybersecurity authorities (bodies comparable to the UK National Cyber Security Centre (NCSC)). This includes registering as a relevant entity, sharing data, and promptly reporting cybersecurity incidents.

Member states can implement cybersecurity frameworks that provide guidance to help entities comply with the Directive.

The EU also expects industry collaboration so different sectors can identify and tackle specific risks.

The Directive establishes a Cooperation Group of member state representatives to facilitate a harmonised approach and information sharing.

Consequences of non-compliance

Failure to comply with the NIS 2 Directive can lead to significant financial and operational repercussions. The Directive leaves it to member states to determine the appropriate penalties but provides general guidelines they must follow:

  • Fines must be effective, proportionate and dissuasive, considering the circumstances of each case.

  • Where an essential entity infringes any provisions relating to cybersecurity risk management or reporting obligations, it faces a maximum fine of at least €10,000,000 or 2% of its global annual turnover, whichever is higher.

  • Where an important entity fails to comply with the same provisions, it faces a maximum fine of at least €7,000,000 or 1.4% of its global annual turnover, whichever is higher.

Member states may impose additional sanctions, including public disclosure of non-compliance, suspension of relevant certifications, and temporary bans from directorships or managerial roles. The knock-on effects of non-compliance could also result in losing stakeholder trust and suffering reputational damage.

National cybersecurity authorities can conduct on-site inspections and gather evidence for enforcement, which may result in corrective actions, further penalties, or recommendations.

Tips for compliance

All organisations subject to the Directive should take proactive steps to ensure compliance. This will reduce the risk of penalties and minimise their exposure to cybersecurity threats.

Here are some recommended steps:

1. Assess applicability: Organisations must consider NIS 2’s criteria to determine if they fall within its scope. This includes reviewing the industry sector, service type, and size thresholds. Entities must also establish whether the Directive deems them an essential or important entity.

2. Conduct a cybersecurity gap analysis: Companies should evaluate their current cybersecurity measures against the requirements in NIS 2 and identify areas for improvement in network security, risk management, and incident response protocols. The same analysis also shows which existing strengths can be further developed and refined to support compliance.

3. Adopt recognised frameworks or certifications: Organisations should follow recommended cybersecurity frameworks to streamline compliance. Certifications such as ISO 27001 demonstrate a commitment to cybersecurity and can help prove alignment with the Directive.

4. Implement incident reporting protocols: Entities should develop comprehensive reporting procedures that align with NIS 2, incorporating the relevant timelines. They should also communicate such policies effectively and train employees on the appropriate procedures. Running simulated incident scenarios is a great way to prepare staff for real-life incidents.

5. Ensure senior management involvement: Companies should engage senior management early in the compliance process to facilitate faster approvals, effective resource allocation, and improved accountability for compliance.

Conclusion

The EU NIS 2 Directive represents a significant advancement in Europe’s approach to cybersecurity. By establishing robust requirements and extending its scope to cover a broader range of organisations, the directive aims to protect the EU’s critical services from cyber threats, which can disrupt economies, endanger public safety, and compromise sensitive data.

Organisations operating in essential sectors such as energy, healthcare, transportation, and public administration must prioritise compliance with NIS 2 and ensure they introduce measures for risk management, incident reporting, management oversight, and cooperation with authorities.

Understanding if and how the directive applies to your organisation is the first step toward compliance. Entities categorised as “essential” or “important” face different levels of regulatory oversight, so confirming an organisation’s classification under the Directive is critical. The directive specifies what actions entities must take and details the potential penalties for non-compliance. Substantial fines mean failure to comply could result in severe consequences, reputational damage, and loss of stakeholder trust. National authorities have the power to enforce compliance through inspections and corrective measures, emphasising the need for all relevant entities to prioritise cybersecurity.

Companies should adopt a proactive approach to cybersecurity to achieve and maintain compliance. Conducting a gap analysis, implementing recognised cybersecurity frameworks, and establishing comprehensive incident response protocols are essential. Moreover, securing top-level management’s active involvement and oversight is crucial, as accountability for compliance now extends to organisations’ leadership.

Compliance with NIS 2 not only ensures legal obligations are met but also offers long-term advantages. By reinforcing trust with stakeholders, enhancing resilience against cyber threats, and safeguarding operations, organisations will be better prepared to manage the complexities of an increasingly digital landscape.
