NIS2 Directive of the EU: The Guide for Businesses
Learn about the EU NIS2 Directive, its cybersecurity requirements, and which businesses it applies to. Understand compliance obligations, penalties, and key measures for ensuring cybersecurity.
At Secure Privacy, businesses often approach us asking if we can help them comply with the EU NIS2 Directive. Our typical response? It probably doesn’t apply to them. In most cases, a brief discussion confirms that assumption.
NIS2 is fundamentally a cybersecurity directive. No government has passed legislation mandating security standards for every private entity. No law obliges you to secure your physical property; that is left to your judgment and common sense. So why expect a law to demand protection of digital assets?
Yet the EU's NIS and NIS2 Directives do exactly this for a defined set of entities, enforcing mandatory cybersecurity standards on them, and with good reason.
What is the EU NIS2 Directive?
NIS2 draws a clear line between entities that are essential or important to the functioning of society and everyone else. Because of the role this first group plays, NIS2 places cybersecurity obligations on it.
This does not mean every company is required by law to secure its digital infrastructure. Only entities that markets and society depend on are subject to these standards: they are considered too vital to be left to decide their level of protection on their own terms.
The European Parliament adopted the NIS2 Directive (Directive (EU) 2022/2555) on November 10, 2022, and it entered into force on January 16, 2023. Member states had until October 17, 2024, to transpose its provisions into national law.
Does NIS2 Apply to Your Business?
The NIS2 Directive applies to public administration entities and to the essential and important entities operating in the sectors listed in its annexes. As a rule, an entity is in scope if it is at least a medium-sized enterprise: 50 or more employees, or an annual turnover or balance sheet total above EUR 10 million. Note that the threshold is "or", not "and": a 20-person company with EUR 15 million in turnover meets it.
As a result, it applies to:
- Public administration entities: central government bodies (and regional ones where a member state so decides), regardless of size. Bodies acting in the areas of national security, public security, defence and law enforcement are excluded.
- Sectors of high criticality (Annex I): energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure (including cloud computing and data centre services), ICT service management (B2B), public administration, and space. Large entities in these sectors are "essential" entities; medium-sized ones are generally "important" entities.
- Other critical sectors (Annex II): postal and courier services, waste management, chemicals, food, manufacturing (including medical devices, electronics, machinery and vehicles), digital providers (limited to online marketplaces, online search engines, and social networking platforms), and research. Entities here are "important" entities.
The size threshold does not apply everywhere. Certain entities are in scope regardless of size, including:
- Critical entities identified by a member state under the Critical Entities Resilience Directive (each member state identifies its own).
- Trust service providers (e.g., digital signatures, electronic identification) and providers of public electronic communications networks or services.
- Top-level domain name registries and DNS service providers.
- Entities that are the sole provider in a member state of a service essential to critical societal or economic activities.
- Other cases specified in the directive, such as entities whose disruption could significantly affect public safety, public security or public health.
As you can see, NIS2 focuses on keeping society functioning through cyber incidents. It does not, in itself, impose obligations on companies to protect consumers or personal data. Instead, it prioritizes security, resilience and the smooth operation of markets.
For comparison:
- The Cyber Resilience Act focuses on the security of products with digital elements (hardware and software, including IoT devices) placed on the EU market.
- The GDPR focuses on protecting personal data.
- The NIS directives, however, are solely about ensuring society continues to function during and after cyberattacks.
Does NIS2 apply to your business? The answer lies in the descriptions above. If your business fits one of these categories, compliance is mandatory, and there is likely already national legislation in your country transposing it.
Running a SaaS business, an e-commerce site, or another online service does not by itself bring you into scope. It does if you fall into one of the listed categories and meet the size threshold, for example as a cloud computing service provider (digital infrastructure, Annex I) or as an online marketplace (digital providers, Annex II). A web shop selling its own goods, or a SaaS product outside those definitions, is not covered by this directive.
NIS2 Requirements for Businesses
NIS2 primarily outlines what governments must do, but since that’s not your focus, we’ll set it aside. Here, we’ll concentrate on the requirements for businesses.
Remember that NIS2 is a directive, requiring each member state to incorporate it into national law.
Companies covered by the legislation must:
- Implement appropriate technical and organizational measures to prevent incidents and minimize the impact of those that inevitably occur.
- Report significant incidents to the relevant CSIRT (Computer Security Incident Response Team) or competent authority without undue delay. NIS2 sets a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. Where relevant, recipients of the service who may be affected must also be informed. The CSIRT is typically part of a government body and handles cybersecurity incidents.
- Share cybersecurity information and best practices with other covered or non-covered entities, on a voluntary basis.
The technical and organizational measures must follow an all-hazards approach and, per Article 21 of the directive, cover at least the following:
- Policies on risk analysis and information system security.
- Incident handling: preventing, detecting and responding to incidents.
- Business continuity: backup management, disaster recovery and crisis management.
- Supply chain security, including assessing the security of direct suppliers and service providers.
- Security in acquiring, developing and maintaining systems, including vulnerability handling and disclosure.
- Policies and procedures to assess how effective the measures are, which in practice means regular audits and tests.
- Basic cyber hygiene practices and cybersecurity training. The management body must approve the measures, oversee their implementation and itself undergo training; it can be held liable for breaches.
- Policies on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies and asset management.
- Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate.
All of this must be documented, and records must be kept to demonstrate compliance when the supervisory authority asks for them.
Enforcement and Penalties
The penalties for non-compliance with the NIS2 Directive are significant. For essential entities, fines reach up to EUR 10 million or 2% of global annual turnover, whichever is higher; for important entities, up to EUR 7 million or 1.4% of global annual turnover, whichever is higher.
As previously mentioned, NIS2 is a directive, so each EU member state must first transpose it into national legislation. National law determines the specific details of enforcement, including the responsible authorities and the procedural framework.
In most cases, the designated cybersecurity supervisory authority in each country monitors compliance and issues penalties where violations occur. These authorities have the power to verify that the requirements are met, including the implementation of technical and organizational measures, the reporting of incidents, and the maintenance of sufficient documentation, and they can order audits, inspections and binding instructions to that end.
Businesses operating across multiple EU countries should expect variations in how the directive is implemented and enforced, and must comply with the specific national laws in every relevant jurisdiction.