NIS2 Directive: The Evolution of Cyber Resilience in Europe 

he significant financial impact of cyber-attacks speaks for itself, with each incident causing substantial damage to European businesses. This fact underscores Europe’s urgent need for stronger cybersecurity defenses. 

The NIS2 Directive stands as Europe’s decisive answer to mounting cyber threats. This landmark regulation redefines cybersecurity standards across the EU, pushing far beyond its predecessor’s boundaries. But why the change, and what does this mean for organizations across the EU? 

A look back: From NIS to NIS2 

In 2016, the European Union implemented the NIS Directive (Network and Information Security) to set the foundation for a unified cybersecurity approach across member states. It was a pioneering effort to improve network and information system resilience for organizations operating critical infrastructure. 

However, with the digital landscape changing dramatically, the rise of ransomware, supply chain attacks, and the rapid adoption of cloud technologies have exposed gaps in cybersecurity preparedness. Additionally, the implementation of NIS across EU member states revealed inconsistencies, leaving certain sectors and organizations vulnerable. 

Fortunately, the European Commission recognized the urgent need for a stronger, more consistent framework—one that reflects modern threats, drives better preparedness, and includes a broader range of entities. Thus, in 2022, the NIS2 Directive was designed. 

Why did the European Commission introduce NIS2? 

NIS2 comes as a response to main three critical challenges: 

1. Increased cyber threats: Cyberattacks are no longer isolated incidents. They are sophisticated, cross-border operations that can disrupt entire economies. From ransomware targeting hospitals to attacks on supply chains, no sector is immune. 

2. Fragmented implementation of NIS: While the original NIS Directive laid a foundation, member states adopted its requirements differently, leading to uneven levels of cybersecurity across the EU. 

3. Digital transformation: The massive acceleration of digital services—cloud adoption, IoT proliferation, and remote work—has created new attack surfaces that the original NIS Directive did not address comprehensively. 

NIS2 is designed to close these gaps by harmonizing cybersecurity measures across the EU and extending its scope to cover new sectors and entities. Its introduction marks a decisive step toward safeguarding Europe’s digital infrastructure. 

What sets NIS2 apart? Key characteristics 

The NIS2 Directive builds on the foundation of its predecessor but brings significant changes to strengthen cybersecurity across the EU. Here are the standout features: 

1. Broader Scope 
   NIS2 significantly expands the range of organizations subject to compliance. It now applies to organizations which deliver critical business and public services. Depending of their sector, their turnover and their size, they are classified in: 

• Essential Entities: those ones which support more important stakes have stronger obligations and higher penalties in case of breach
• Important Entities: these organizations shall fully comply with NIS2 measures but controls and penalties will be lower. 

The main sectors that are now addressed by NIS and NIS 2 are: banking, financial market infrastructures, health, drinking water, digital infrastructure, B2B ICT service management, public administration, space, postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing, digital providers and research. 

The goal here is to ensure that all organizations critical to the functioning of society and the economy meet minimum cybersecurity standards. 

2. Stronger Incident Reporting Requirements 
   Organizations under NIS2 must adopt a clear incident reporting process toward the national cybersecurity authority. This includes: 

• Early notification (within 24 hours) of significant incidents. 

• Comprehensive reporting within 72 hours. 

• Post-incident analysis and lessons learned. 

1. Stricter Cybersecurity Measures 
   NIS2 outlines key measures that concerned organizations must implement, such as: 

• Risk Management Policies: Companies must adopt cybersecurity frameworks to identify, manage, and mitigate risks. 

• Access Control and Identity Management: Ensuring only authorized users can access sensitive systems. 

• Business Continuity Plans: Organizations must develop robust plans to ensure recovery and continuity following incidents. 

• Vulnerability Management: Regular patching and assessments to identify weaknesses in systems and software. 

3. Accountability and Governance 
   One of NIS2’s most significant shifts is the focus on accountability. Company leadership, including boards and executives, must take responsibility for cybersecurity practices. Non-compliance could result in fines of up to 2% of annual global turnover—a clear signal that cybersecurity is a boardroom issue, not just an IT concern. 

4. Supply Chain Security 
   Recognizing that supply chain attacks are increasingly common, NIS2 mandates that organizations assess and secure their entire supply chain. This includes third-party vendors, partners, and cloud service providers, ensuring that security weaknesses are addressed end-to-end. 

5. Unified EU Approach 
   NIS2 promotes consistency by requiring member states to harmonize cybersecurity rules and enforcement. National Cybersecurity Authorities (NCAs) will oversee compliance, perform audits, and enforce penalties for violations. 

The road ahead: NIS2 is here—what’s next? 

With the national NIS2 transposition now behind us, the directive is officially in effect across EU member states. Organizations that fall under its scope must ensure they are fully compliant to avoid penalties and, more importantly, mitigate cyber risks. 

If your organization hasn’t already acted, the time to catch up is now. Here are the key steps to solidify your compliance and enhance your cybersecurity posture: 

• Conduct a cybersecurity gap assessment to identify and address any areas of non-compliance. 

• Update incident response plans and perform real-world tests to ensure rapid detection and reporting of incidents. 

• Prioritize risk management by implementing robust frameworks like ISO 27001 or NIST standards. 

• Invest in tools and solutions that enhance visibility, threat management, and reporting capabilities. 

• Train leadership and staff on their cybersecurity roles and responsibilities to foster a security-first culture. 

NIS2 is not just a regulatory requirement—it’s an opportunity to strengthen your defenses, protect your operations, and build trust in an increasingly digital world. 

If you need assistance navigating the new requirements assessing your organization or implementing security solutions, do not hesitate to contact our experts and learn about all our cybersecurity services and solutions.