NIS2 | An Introduction

In this article, we will take a look at NIS2, an EU directive aimed at strengthening cybersecurity in organizations deemed critical infrastructure.

NIS2 | An Introduction

The NIS2 Directive is set to have a significant impact on how both public and private organizations manage and protect their networks, systems, and data against cyberattacks and other security breaches.

In many ways, it is an evolution of the previous NIS Directive. However, in practice, it means that more organizations will now be subject to new requirements, which include extensive security measures, substantial fines, and increased management involvement.

In this article, you will learn more about the main requirements of NIS2, how it may affect your business, and how you can leverage the work you have already done with your GDPR compliance and potentially ISO27001 to successfully comply with NIS2.

Who Is Covered by NIS2?

A key difference from the previous directive is that more organizations now fall under NIS2. Annex I of the directive outlines the sectors where organizations are classified as essential entities, while Annex II covers important entities.

If you are unsure whether your organization is subject to NIS2 or how it is categorized, either as an essential or important entity, it may be necessary to review the annexes of the directive to check if your sector is listed or if your company meets the size criteria for medium-sized enterprises. Some sectors, such as transport and energy, are explicitly mentioned in the Annex, while other businesses may be designated as critical by the relevant national authorities.

Essential vs. Important Entities

The distinction between essential and important entities affects the level of oversight and penalties a company may face.

Essential entities are subject to continuous and proactive supervision by authorities.

Important entities are generally only scrutinized if there is evidence suggesting non-compliance.

Additionally, the penalties for non-compliance are more severe for essential entities.

NIS2 defines which sectors fall under the directive and establishes criteria for categorizing organizations as either essential or important. As a general rule, organizations should assess their status based on both their sector (as listed in the annexes of NIS2) and whether they meet the size thresholds for medium-sized enterprises.

Entities performing critical tasks or functions for society may be classified as essential entities, regardless of their size. Each EU member state ultimately determines which organizations are covered by the directive within their jurisdiction.

Minimum Requirements

Unlike the GDPR, NIS2 introduces more specific requirements for security measures applicable to both essential and important entities.

The directive mandates that both essential and important entities implement appropriate measures to enhance networks and systems security. Additionally, these measures must, at a minimum, include or take into account the following:

Policies on risk analysis and information system security
Incident handling
Business continuity, such as backup management and disaster recovery, and crisis management
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Basic cyber hygiene practices and cybersecurity training
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
Human resources security, access control policies and asset management
The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.

NIS2 requires organizations to take IT security seriously. It is not enough to focus solely on internal IT security, companies must also ensure that suppliers, partners, and service providers maintain an adequate level of security.

In addition, serious security incidents must be reported to the relevant authorities and the CSIRT (Computer Security Incident Response Team), providing the necessary information to assess the incident's scope.

Management Requirements

IT security often ends up as a responsibility solely handled by the IT department within the existing budget.

According to Proofpoint’s Voice of the CISO survey, many CISOs have reported that their boards have not been aligned with them on cybersecurity threats. However, this is beginning to change, possibly due to the increasing number of digital regulations such as GDPR, NIS2, and the AI Act.

Cybersecurity is a complex and interdisciplinary field that can be difficult for non-technical leadership to grasp. At the same time, effective security measures require resources, making budgeting a crucial factor. This imbalance in cybersecurity efforts can lead to significant consequences if an organization suffers a security breach.

This is precisely why NIS2 places direct responsibility for cybersecurity on senior management and the board. Leadership must not only approve the security measures implemented within the company but also ensure they are continuously effective in practice. Additionally, they are required to receive relevant cybersecurity training and should encourage all employees to undergo similar training.

NIS2 vs. GDPR vs. ISO27001

If your organization is already familiar with GDPR and has worked with ISO27001 or other information security standards, you’ll find that many of the same requirements apply under NIS2. This means you can leverage much of your existing work to achieve compliance.

This is especially true for ongoing risk assessments, clear role definitions, established procedures for handling data breaches and security incidents, and strong executive involvement. The core principles of understanding your data, protecting it effectively, and responding quickly to threats or anomalies are universal. As a result, organizations with a existing compliance setup will have a strong foundation for meeting NIS2 requirements.

The table below highlights key areas where NIS2 overlaps with GDPR and ISO27001. While not exhaustive, it clearly illustrates how businesses that already prioritize cybersecurity and compliance can reuse existing knowledge, documentation, and processes.

Topic	NIS2	GDPR	ISO27001
Security Measures	NIS2 includes a list of security measures that all entities must comply with	Requires appropriate technical and organizational measures to protect personal data.	Implementation of security controls (e.g., access control, encryption) to protect information.
Management	Senior management must approve and oversee security measures and participate in training.	GDPR does not impose specific leadership requirements, but data controllers and processors have a clear responsibility to protect personal data under the law.	Requires strong top-level management involvement and continuous review of the information security policy.
Risk Management & Documentation	Organizations must have written policies for risk analysis, security procedures, and incident response.	Compliance must be documented, and the implementation of appropriate measures requires a risk assessment, which should also be documented.	Risk management and documentation are integral parts of the standard.
Security Breaches	The official CSIRT must be notified without undue delay in the event of major incidents.	Personal data breaches must be reported to the data protection authority within 72 hours.	Requires a defined process for detecting, reporting, and assessing security incidents.
Training & Continuous Awareness	Management and employees should receive cybersecurity training.	There is no direct legal requirement for training, but it is strongly recommended as an organizational measure to ensure employees understand their data protection obligations.	The standard requires organizations to ensure employees have appropriate security competencies.
Supply Chain Security	Entities must ensure security throughout the entire supply chain.	Requires data processing agreements that comply with the data controller’s security requirements.	Evaluation and management of security risks among external parties.
Business Continuity Planning	Requires the establishment of business continuity and recovery plans.	Confidentiality, availability, and integrity of personal data must be ensured at all times.	Development of business continuity and contingency plans as part of the ISMS.
Fines & Sanctions	Fines can reach up to 2% of global annual turnover or €10 million.	Fines can reach up to 4% of global annual turnover or €20 million.	Compliance is voluntary, so no fines apply. However, non-compliance may lead to contractual and trust issues with partners.

Supervision

For essential entities, authorities have broad supervisory powers, including the ability to conduct on-site inspections without a court order, demand access to data, and perform security audits. In some cases, authorities may even require the organization to undergo an independent security audit, with the results made available to regulators.

For important entities, similar rules apply, but oversight is generally reactive, authorities will only intervene if there is specific evidence of non-compliance.

The law contains detailed provisions on how these supervisory measures may be applied in practice, but the key takeaway is that authorities have the power to enforce compliance with NIS2 regulations.

Penalties & Fines

Failure to comply with NIS2 can result in enforcement actions by supervisory authorities, including orders, prohibitions, and fines. In some cases, authorities may even require the temporary removal of executives from their positions.

Fines for non-compliance can reach up to 2% of the organization's global annual turnover or €10 million, whichever is higher.

Compliance Software

The requirements of the NIS2 add complexity for affected organizations, as they must comply not only with NIS2 but also with GDPR and, in some cases, voluntary standards such as ISO27001. On top of that, they may face audits from partners and additional regulatory obligations in their sectors.

This creates the need to review internal systems and processes to ensure ongoing compliance. With so many requirements and tasks, maintaining oversight can be challenging. And it makes it even more difficult to collaborate with colleagues who lack the oversight of the compliance officer, therefore making collaboration less accessible.

A solution to this is to apply compliance software, which consolidates processes, documents, policies, reports, and tasks in one place. This helps organizations:

Track the latest risk assessments,

Assign responsibility for policy updates,

Manage security incidents effectively,

Engage senior management by automating compliance reporting and ensuring accountability.

By systematizing and centralizing compliance efforts, organizations can often reuse documentation and workflows across multiple regulatory requirements. For instance, an incident response procedure developed for GDPR can be adapted for NIS2 compliance.

Similarly, organizations that are ISO27001-certified and already work systematically with vulnerability scanning and supplier management will have a strong foundation that aligns with many of NIS2’s core requirements.

Momentum

Achieving compliance with yet another regulation can be expensive, time-consuming, and overwhelming.

However, it also presents an opportunity to leverage the momentum created by the legislation to update existing security processes and ensure that both management and employees share a common focus on protecting the organization’s data and systems.

Many organizations tend to view cybersecurity primarily as a matter of purchasing new technical solutions. However, NIS2 goes beyond technology as it requires organizations to implement risk management, actively involve and educate leadership, and promote cybersecurity training for all employees.

NIS2 plan

To get started with NIS2, begin with a maturity assessment to identify risks and evaluate the effectiveness of your current security measures. Since most organizations are already GDPR compliant, many of those elements can be repurposed.

Your assessment should cover both technical solutions and the overall awareness of security risks among leadership and employees. From there, develop a plan to close any gaps and assign clear responsibilities for its execution. Once in place, regular audits and checkpoints will help ensure that security measures are more than just policies on paper.

Managing multiple regulatory frameworks can be complex, but many organizations can leverage the synergies between GDPR, ISO27001, and NIS2. With the right compliance tools, businesses can simplify the process, reduce the administrative burden, and free up time for other priorities to make compliance more efficient and less frustrating for everyone involved.