NIS2

What is NIS2? A Complete Guide for English Organizations

Learn everything about the NIS2 Directive, which organizations are covered, common pitfalls, and how to prepare step by step for compliance.

  • 18 sectors are covered by NIS2, up from 7 in the original NIS Directive (source: European Commission)
  • 24 hours is the timeframe for initial incident reporting (NIS2 Directive Article 23)
  • €10 million or 2% of global turnover in maximum fines (NIS2 Directive Article 34)

What is the NIS2 Directive?

NIS2 (Network and Information Security Directive 2) is the EU’s updated framework for cybersecurity that replaces the original NIS Directive from 2016. The directive must be transposed into national law by 17 October 2024 across all EU Member States.

The purpose is to create a higher and more uniform level of cybersecurity across the EU — not by creating bureaucracy, but by strengthening organizations’ actual resilience against cyber threats.

Important to understand: NIS2 isn’t just about compliance. It’s an opportunity to strengthen your organization’s security and credibility, both internally and externally. Organizations that view it as a cultural transformation rather than a one-time project will succeed best.

Is your organization covered?

Size criteria

Generally, organizations that meet at least one of the following criteria are covered:

  • At least 50 employees
  • At least €50 million in annual turnover

High criticality sectors (essential entities)

These are subject to the strictest requirements and harshest sanctions:

  • Energy — electricity, oil, gas, district heating, hydrogen
  • Transport — aviation, rail, road transport, maritime
  • Banking and financial market infrastructure
  • Health — hospitals, laboratories, pharmaceuticals
  • Drinking water and wastewater
  • Digital infrastructure — DNS, data centers, cloud services
  • ICT service management (B2B managed services)
  • Public administration at central level
  • Space — ground-based infrastructure

Other critical sectors (important entities)

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production and distribution
  • Manufacturing (medical devices, electronics, automotive)
  • Digital providers (marketplaces, search engines)

Note: Certain critical services — such as DNS providers, qualified trust services, and TLD registries — are covered regardless of size. Suppliers may also be indirectly affected through customer requirements.

Unsure if you’re covered? Use our NIS2 classification tool to quickly get answers based on your business and size.

Common pitfalls to avoid

Many organizations make the same mistakes when approaching NIS2. Here are the most common pitfalls:

Siloed approach

Security is treated as a pure IT issue instead of an organization-wide priority. NIS2 requires the entire business to be involved.

Lack of leadership engagement

Without active support from board and leadership, there's no mandate or resources. NIS2 places explicit requirements on management responsibility.

Resource constraints and under-prioritization

Security is seen as a support function instead of core business. This leads to insufficient investment and half-hearted efforts.

Personnel dependency

Over-reliance on individual key persons creates vulnerability. Knowledge and processes must be documented and distributed.

Core problem: Security becomes a one-time project instead of a long-term cultural and organizational transformation.

Getting started — step by step

Preparing for NIS2 doesn’t have to be overwhelming. Here’s a pragmatic five-step model:

  1. GAP analysis: Map current state against NIS2 requirements. Identify gaps in technology, processes, documentation, and responsibility allocation. This provides a clear picture of what needs to be done.
  2. Knowledge building: Educate leadership, board, and key functions about the directive's requirements and consequences. Without understanding at the right level, it becomes difficult to get mandate and resources.
  3. Strategic planning: Create a structured annual plan with documented follow-up. Break down the work into manageable parts with clear milestones and responsible parties.
  4. Cross-functional work: Involve the entire organization — IT, legal, HR, operations. Appoint a responsible person but avoid centralizing everything with one person or department.
  5. Risk-based prioritization: Start with the highest risks. Implement continuous improvements based on regular risk assessments. Perfect is the enemy of good enough.

“The journey is the goal” — Most important is to start where you are and take small steps in the right direction. NIS2 compliance is not an end goal but a continuous improvement process.

Incident reporting — the new time requirements

NIS2 introduces significantly stricter deadlines for reporting significant security incidents:

Deadline, report type and required content:

  • 24 hours (early warning): Initial notification that the incident occurred, preliminary assessment of cross-border effects
  • 72 hours (incident notification): Update with severity assessment, impact and any indicators of compromise
  • 1 month (final report): Complete analysis with root cause, actions taken and lessons learned

An incident counts as “significant” if it has caused or could cause serious operational disruption, economic loss, or affected others through material or immaterial damage.

Sanctions and consequences

NIS2 introduces significantly stricter sanctions:

Essential entities: Up to €10 million or 2% of global annual turnover

Important entities: Up to €7 million or 1.4% of global annual turnover

In both cases, whichever amount is higher applies.

Beyond fines, supervisory authorities can:

  • Require public disclosure of breaches
  • Issue public statements identifying those responsible
  • In serious cases, issue temporary bans from management roles

Want to dive deeper? Read more about NIS2 Directive structure and requirements on our frameworks page.

How Securapilot can help

Securapilot offers a complete platform for NIS2 compliance that makes the journey manageable:

  • Automated GAP analysis — map current state against NIS2 requirements
  • Risk management module — ISO 27005-based risk assessment
  • Incident management — automatic report generation within time requirements
  • Supplier management — security across the entire supply chain
  • Management dashboard — overview for board and leadership

Book a demo to see how we can help your organization on the journey to NIS2 compliance.


Frequently asked questions

When does NIS2 come into force in England?

NIS2 must be implemented by 17 October 2024 across EU Member States. Organizations that fall within scope should have already begun their compliance efforts, working with their national competent authorities.

Which companies are covered by NIS2?

Generally, organizations with at least 50 employees or €50 million turnover within the 18 defined sectors are covered. Certain critical services are covered regardless of size. Suppliers may also be indirectly affected through customer requirements.

What happens if you don't comply with NIS2?

Essential entities face fines up to €10 million or 2% of global annual turnover. Important entities face up to €7 million or 1.4%. Management can also be held personally liable.

How long does it take to become NIS2-compliant?

It varies depending on current maturity level, but expect 6-18 months for full implementation. Most important is to start where you are and take small steps in the right direction — the journey is the goal.

Are we affected as a supplier?

Yes, indirectly. NIS2 places requirements on supply chain security, meaning organizations in scope will place security requirements on their suppliers. Even if not directly covered, you may need to meet requirements to retain customers.

