NIS2 is Here
On 17 October 2024, the EU's cybersecurity rules changed for good. That date was the deadline for every Member State to transpose the NIS2 Directive (Directive (EU) 2022/2555, the successor to the original Network and Information Security Directive) into national law; the directive itself entered into force on 16 January 2023, and its rules apply from 18 October 2024. For organizations within scope, this means new obligations, stricter requirements, and potentially significant sanctions.
But this isn’t just about avoiding fines. When properly implemented, NIS2 becomes a catalyst for genuinely strengthening your organization’s digital resilience.
Important to understand: NIS2 is not a one-time project. It’s a continuous process that requires security to become an integrated part of operations — from the boardroom to the server room.
The Five Most Important Changes
Here are the five areas that will affect most organizations:
1. More sectors covered
The number of sectors covered has more than doubled, from 7 under the original NIS Directive to 18. Manufacturing, food, waste management, and research organizations are just some of the new sectors. If you previously fell outside the regulation, things may be different now.
2. Management is accountable
Cybersecurity is no longer just the IT department's responsibility. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, ensure resources, and follow training themselves. This responsibility cannot be delegated away.
3. Faster incident reporting
For significant incidents, an early warning must reach the national CSIRT or competent authority within 24 hours of becoming aware of the incident, followed by an incident notification within 72 hours and a final report within one month. The original NIS Directive only required notification "without undue delay"; the fixed 24-hour clock requires prepared processes and incident response plans that work even at three in the morning.
4. Much higher fines
Maximum fines have increased dramatically. Essential entities risk up to €10 million or 2% of global annual turnover, whichever is higher; important entities up to €7 million or 1.4%. These are levels previously only seen with GDPR.
5. Entire supply chain scrutinized
NIS2 places explicit requirements on supply chain security. This means organizations must:
- Assess security risks with suppliers
- Set security requirements in contracts
- Monitor and verify compliance
- Have contingency plans for incidents at sub-suppliers
Consequence: Even if you’re not directly covered by NIS2, you may be affected indirectly through requirements from your customers.
Who is Covered?
Size Criteria
Generally, organizations operating in one of the listed sectors are covered if they are medium-sized or larger, i.e. if they meet at least one of the following:
- At least 50 employees
- Annual turnover or balance sheet total above €10 million
Some entities are covered regardless of size, for example DNS service providers, TLD name registries, trust service providers, and providers of public electronic communications networks, and Member States may designate smaller entities where a disruption would have significant impact.
Sectors of high criticality (Annex I). Large entities in these sectors are essential entities and face the strictest supervision; medium-sized ones are generally important entities.
- Energy (electricity, oil, gas, district heating, hydrogen)
- Transport (aviation, rail, road, maritime)
- Banking and financial market infrastructure
- Healthcare
- Drinking water and wastewater
- Digital infrastructure (DNS, data centers, cloud)
- ICT service management (B2B)
- Public administration (central level)
- Space (ground-based infrastructure)
Other critical sectors (Annex II). Entities in these sectors are important entities.
- Postal and courier services
- Waste management
- Chemicals
- Food
- Manufacturing (medical devices, electronics, automotive, machinery)
- Digital services (marketplaces, search engines, social platforms)
- Research
Unsure if you’re covered? Try our NIS2 classification tool to get an answer in minutes.
What Do the New Requirements Mean in Practice?
Article 21 of the directive lists ten minimum cybersecurity risk-management measures. The ones that shape most compliance programmes:
- Risk management: Implement systematic risk management for network and information systems. This includes risk assessments, security policies, and technical measures proportionate to the risks and the entity's size.
- Incident handling: Establish processes to detect, handle, and report security incidents within the 24-hour, 72-hour, and one-month deadlines. Have clear roles, contact paths, and escalation procedures documented and practiced.
- Business continuity: Ensure operations can continue during disruptions. This covers backup, disaster recovery, and crisis management plans that are tested regularly.
- Supplier security: Assess and manage security risks in the supply chain, including direct suppliers and service providers. Set requirements for suppliers and follow up to ensure they are met.
- Training and awareness: Ensure staff have the knowledge needed. This particularly applies to management, who are required to follow cybersecurity training.
Timeline: What Applies Now?
| Date | Event |
|---|---|
| 16 Jan 2023 | NIS2 Directive (EU) 2022/2555 entered into force |
| 17 Oct 2024 | Deadline for Member States to transpose NIS2 into national law |
| 18 Oct 2024 | NIS2 rules apply; the original NIS Directive is repealed |
| 17 Apr 2025 | Member States to have established their lists of essential and important entities |
| Various | National transposition; several Member States adopted their laws after the deadline |
| Ongoing | Supervision and controls |
| Upon incident | 24 hours for early warning, 72 hours for incident notification, one month for the final report |
Common Mistakes to Avoid
Waiting for the national law. The transposition deadline has passed and the rules already apply. Waiting risks both sanctions and security incidents. Start now; even small steps in the right direction are valuable.
Treating it as an IT project. Cybersecurity is a business issue, not a technology issue. Without management engagement and participation from the whole organization, efforts will be half-hearted.
Buying compliance. There are no shortcuts. Tools help, but they don't replace processes, culture, and competence. Choose tools that support your way of working.
Ignoring the supply chain. Your security is no stronger than the weakest link in the chain. Map your critical suppliers and begin a dialogue about security requirements.
For a deeper review of the NIS2 Directive’s structure and all requirement areas, see our complete NIS2 framework overview.
How Securapilot Can Help
Securapilot is built to support organizations through the entire NIS2 compliance journey:
- GAP analysis — Map where you stand today against requirements
- Risk management — ISO 27005-based risk assessment and treatment
- Incident handling — Documentation and report generation within time requirements
- Supplier management — Assessment and monitoring of suppliers
- Management dashboard — Overview for board and management
Book a demo and see how we can help your organization.
Frequently asked questions
When did the NIS2 Directive come into force?
The NIS2 Directive entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose it into national law, and its rules apply from 18 October 2024. Organizations covered by the directive should have already begun their compliance work.
What is the difference between NIS2 and national implementations?
NIS2 is an EU directive: it sets minimum requirements but, unlike a regulation, does not apply directly. Each Member State implements it through national legislation. In practice the requirements are very similar across countries, but national laws may go further or adapt certain aspects, such as which authority you report to, registration duties, and the exact sanction levels.
Which authorities oversee NIS2 compliance?
Supervision is national. Each Member State designates one or more competent authorities to supervise entities in their respective sectors (for example a financial regulator for banking), plus a national CSIRT that receives incident reports. ENISA does not supervise entities; it supports Member States, maintains the EU-wide registry for certain digital infrastructure providers, and reports on the state of cybersecurity across the Union.
Can board members be held personally liable?
Yes. NIS2 explicitly requires management bodies to approve and oversee the cybersecurity risk-management measures, and makes them liable for infringements. In serious cases involving essential entities, supervisors can temporarily prohibit the CEO or legal representative from exercising managerial functions in that entity until the breach is remedied.