
Most companies in Europe will need to follow the NIS2 directive, whether they realize it yet or not.

This recently released EU directive (17 October 2024) expands cybersecurity rules to cover all companies with notable IT operations. That includes network and information systems of manufacturing companies, logistics firms, e-commerce businesses, retailers, and even public administrations.

If your systems touch the cloud, handle sensitive data, or support critical services, well, you’re likely in scope. Even if you’re not directly regulated, your partners or providers might be, which still affects you.

In this article, we’ll break down what NIS2 requires, who needs to act, and what steps you can take to prepare, without the fluff, legal jargon, or panic. Just what you need to know, clearly explained.

1. What is the NIS2 directive and why should you care?

The NIS2 directive is the European Union’s new baseline for cybersecurity. It replaces the original NIS directive from 2016 and sets stricter rules for how companies manage cyber risks and report incidents.

What’s different this time for EU member states is the scope. 

NIS2 doesn’t just apply to cybersecurity firms or critical digital infrastructure providers. A wide range of industries falls within its scope, including manufacturing, retail, transport, telecom, and healthcare. If you have sizable IT systems, rely on digital services, or manage customer or operational data, the odds are you’re affected.

A simple way to think about it: if a cyber incident in your company could disrupt essential services or impact other businesses or citizens, NIS2 wants you to be prepared.

So, it’s not a regulatory checkbox. It’s a shift in mindset toward shared responsibility for digital resilience, critical infrastructure, and a high common level of cybersecurity across the European Union.

2. Who is affected by the NIS2 directive? Let’s find out

The directive, adopted in 2022, splits organizations into two categories: essential and important entities.

Both are required to follow the same core rules – reporting obligations, risk management measures, information security, security of network and information systems, etc. Still, essential entities face more active supervision under national law.

So, how do you know if your company is covered? 

The main trigger is size. If you’re a medium or large business operating in a listed sector, you’re likely in scope. This includes companies in energy, transport, finance, health, manufacturing, cloud services, data centers, and online platforms, among others.

Even if you’re not based in the EU, you still need to comply if you offer digital services within the EU, for example as an online marketplace or cloud computing provider. That means designating a representative in one of the member states where you operate.

One thing to watch out for: you might not be the direct target of NIS2, but your suppliers or partners might be. If they’re affected, you’ll feel the ripple effect through new requirements in contracts, audits, or procurement processes.

This is the moment to find out where your business stands on cybersecurity. The sooner you know, the better you can plan.

3. The core cybersecurity requirements, decoded

If your business falls under NIS2, there are a few things you’ll need to start doing differently, or, at the very least, start doing more deliberately.

The directive doesn’t expect perfection. But it does expect you to have real systems in place for managing cyber risks, responding to incidents, and protecting your digital operations. Here’s what that actually means in practice.

3.1 You need to manage risk, not just react to problems

NIS2 requires essential and important entities to take technical, operational, and organizational measures to reduce cybersecurity risks. That sounds formal, but the goal is simple: don’t wait for a breach to happen before putting safeguards in place.

Risk management requirements include:

  • Running risk assessments regularly
  • Having clear, documented security policies
  • Monitoring systems for unusual activity
  • Backing up critical data
  • Testing disaster recovery plans

For example, a company using cloud-based ERP software to manage production schedules is covered by NIS2. It should regularly test its backup recovery in case a ransomware attack locks it out. If it doesn’t, and downtime halts deliveries to customers, NIS2 considers that preventable.

3.2 Incident response should be fast — within 24 hours

Under NIS2, you’re required to notify authorities of any significant incident within 24 hours of becoming aware of it. Then follow up with a more detailed notification within 72 hours and a final report after one month. These are the minimum requirements for security incident reporting.

A heads-up here for businesses affected by the NIS2 directive.

This doesn’t mean one email. Authorities want to know what happened, how it affects your service, what you’ve done so far, and what else you plan to do. If you’re thinking, “We’d never get all that together in a day,” now’s a good time to create a reporting playbook.

Pro tip: Don’t wait until you’re in the middle of an attack to figure out who’s responsible for sending the report. Assign this role now, and test the process with a simulated scenario.

3.3 Supply chain security is now your responsibility, too

One of the most overlooked parts of NIS2 is the requirement to manage risks coming from your suppliers and service providers. This applies whether you’re outsourcing IT, using third-party hosting, or relying on AI models built by external vendors.

Example: If your cloud service provider has a breach, and it disrupts your operations, you are accountable for ensuring that you assessed the risk of using them and had contingency plans in place.

That’s why reviewing your critical supplier contracts and security practices is advisable. You may need to introduce new vetting procedures, add cybersecurity clauses to SLAs, or ask your critical vendors for evidence of compliance.

3.4 Your leadership is on the hook as well

Under Article 20 of the directive, C-level management is responsible for overseeing cybersecurity risk management. That’s not symbolic. Leadership must approve the risk strategy and can be held liable for serious failures.

Training is mandatory too, and the directive encourages training practices across the company. Management is expected to be trained in cybersecurity basics, and organizations are encouraged to train employees regularly as well.

4. AI and NIS2: Double the responsibility in the EU

If you’re building or using AI systems, NIS2 adds another layer of responsibility. The risks go beyond traditional hacking. We’re talking about things like data poisoning, model manipulation, or attackers exploiting your training data to influence outputs.

We expect this to remain a gray area for some time. Still, the AI Act and NIS2 now overlap in key areas like risk management, incident reporting, and governance. If your AI system makes decisions in a critical environment — healthcare, energy, logistics, finance — it’s common sense to treat it as part of your cybersecurity planning.

5. What happens if you don’t comply?

Yes, there are fines, and they can be significant. But once the national laws are in force, the bigger risks may be operational disruption and reputational damage.

Say a cloud provider suffers a breach but waits three days to report it. Under NIS2, that delay could lead to an investigation, public scrutiny, and potential penalties, not to mention shaken customer trust.

6. How the NIS2 directive will be implemented across EU member states

As with most EU directives, the NIS2 directive isn’t applied automatically. Each member state must transpose the directive into national law. This process can create variation in how different countries interpret and enforce the rules, so businesses operating in multiple EU regions will need to pay attention to national implementations.

Implementation of NIS2 involves both technical and methodological requirements, including specific expectations around risk management, incident reporting, and cybersecurity measures. The directive mandates that each country designate a competent national NIS authority, which will oversee compliance and enforcement.

For example, the German NIS2 implementation has already started shaping up with additional national measures that go beyond the minimum directive standards. These might include local methodological requirements for assessing third-party risk or sector-specific guidelines for reporting incidents.

Some organizations are still figuring out whether they’re excluded from the scope or fall within a covered sector. The directive applies broadly, but there are nuances — such as how it treats micro-enterprises or whether certain NIS2 sectors like water supply, healthcare, or digital infrastructure carry extra obligations.

To support alignment across the Union, the NIS Cooperation Group plays a key role in ensuring that implementation remains consistent and avoids fragmented interpretation. The directive aims to create a high common level of cybersecurity across the EU, but the success of this depends heavily on how effectively the implementation of the measures is carried out at the national level.

Keep in mind that NIS2 implementation and cybersecurity planning aren’t a one-off project. The directive establishes ongoing obligations such as regular audits, continuous risk assessments, and periodic training. And since those obligations continue beyond initial compliance, your cybersecurity operations need to evolve with changing threats.

The directive expands the original scope of the NIS directive to cover more sectors and a wider range of threats. While some companies may still be adjusting to it, the time to act is now. Because once NIS2 applies, enforcement begins — and infringement could mean not just financial penalties, but a major hit to your operational resilience.

So, what should you do next?

Start talking about cybersecurity risk management measures and NIS2 implementation inside your company.

That’s the most important first step. Understand what it is, what the reporting requirements are, who NIS2 applies to, and why it matters. Share the directive with your leadership, tech teams, and anyone involved in IT operations or risk management.

We’ve noticed, through our own network of partners and clients, that NIS2 is quietly slipping under the radar. Many organizations are either unaware they’re in scope or assume it won’t affect them. But the cybersecurity requirements and consequences of ignoring it are real.

This isn’t just about avoiding fines. It’s about being prepared for disruptions that are becoming more common, more complex, and more costly. Cyber resilience is no longer optional.

Our next piece will focus on what compliance actually looks like and how to take the first practical steps. For now, treat this as a wake-up call — and an opportunity to get ahead while others are still catching up.

Net Group