NIS2 Directive
The NIS2 Directive is the European Union’s updated cybersecurity legislation that strengthens and expands the original NIS Directive of 2016. It came into effect in January 2023 and must be transposed by EU member states by October 2024.
What is NIS2?
The original Network and Information Systems Directive (NIS) was the EU’s first major cybersecurity law. While it laid the foundation for protecting critical infrastructure, it was criticized for inconsistent application across member states and limited sector coverage.
NIS2 was introduced to address these gaps. It strengthens security requirements, broadens the sectors covered, enforces stricter supervision, and introduces tougher penalties for non-compliance. Its goal is to create a higher common level of cybersecurity across the EU.
Scope and applicability
NIS2 significantly broadens the scope compared to its predecessor:
- Sectors covered: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space, and providers of essential digital services.
- Entities included: medium and large entities (typically 50+ employees or €10M+ annual turnover) operating in the listed sectors.
- Supply chain security: organizations are also responsible for assessing risks in their supply chain and service providers.
- Cross-border applicability: non-EU providers offering services in the EU may also fall under its scope, similar to GDPR’s extraterritorial reach.
This expansion ensures that a much larger portion of the European economy is covered by cybersecurity requirements.
Key requirements
- Risk management measures: entities must adopt technical, operational, and organizational measures proportionate to the risks they face. This includes incident prevention, detection, and response.
- Incident reporting: organizations must notify authorities of significant incidents within 24 hours, provide a detailed report within 72 hours, and submit a final assessment within one month.
- Governance: management bodies are directly accountable for compliance. Executives can be held personally liable for failing to implement adequate measures.
- Business continuity: entities must ensure resilience, including disaster recovery and crisis management planning.
- Supply chain security: mandatory assessment and monitoring of suppliers and service providers, particularly cloud and ICT services.
- Supervision and enforcement: national authorities have stronger oversight powers, including audits, on-site inspections, and binding instructions.
- Enforcement and penalties: fines can reach up to €10 million or 2% of global annual turnover, with potential temporary bans on managers for severe cases of non-compliance.
Impact on SecOps
For SecOps teams, NIS2 raises the bar on operational security requirements:
- Continuous monitoring: stronger emphasis on proactive detection and monitoring of threats, including advanced logging and anomaly detection.
- Incident response integration: SOCs must adapt workflows to meet the 24-hour reporting deadline, requiring tighter coordination with legal and compliance teams.
- Board-level accountability: SecOps leaders will need to provide direct reporting and evidence of measures to executive management and regulators.
- Supply chain risk management: monitoring must extend beyond internal systems to third-party services, meaning more focus on vendor assessments and threat intelligence.
- Documentation and audits: evidence of risk management practices, incident handling, and recovery planning must be kept up to date to satisfy supervisory authorities.
In practice, NIS2 forces organizations to adopt more mature SecOps practices, aligning with frameworks such as NIST CSF and ISO 27001. It also highlights the need for automation in monitoring and reporting, as manual processes are unlikely to meet the regulation’s strict timelines.
Further reading
- European Commission: NIS2 Directive
- ENISA: NIS2 Guidance
- EU Council: Official NIS2 text
- Deloitte: NIS2 implications
- PwC: NIS2 compliance insights