The NIS2 directive is an EU act that significantly expands cybersecurity obligations. Compared with the first NIS directive, the scale changes: it covers more sectors, more companies and introduces personal responsibility for management. For many SME organisations this is the first time information security becomes a legal requirement rather than good practice. Below is a practical explanation of who it applies to and what it means.
Essential and important entities
NIS2 divides the organisations it covers into two categories: essential entities and important entities. The split is based on the sector of activity and the size of the company, measured by headcount, turnover and balance sheet total.
- Essential entities are organisations from sectors of the highest importance to the functioning of the state and the economy, usually of a larger scale.
- Important entities are a broad group of organisations from the other covered sectors, including many medium-sized companies.
The difference matters in practice. Both categories have similar substantive obligations, but the supervision regime differs. Essential entities are subject to proactive supervision, that is, inspections even without a signal of a problem. Important entities are supervised reactively, when a suspicion of a breach arises.
Sectors covered by the directive
The list of sectors is broad and it is exactly this that surprises the most companies. It includes, among others, energy, transport, banking, financial market infrastructure, healthcare, drinking water and wastewater, digital infrastructure, ICT service management, public administration and space. On top of this come sectors described as important: postal services, waste management, the manufacture and distribution of chemicals, food, the manufacture of goods including medical devices and electronics, and digital service providers.
In practice most companies go wrong in one place: they assume that since they are not a bank or a power plant, the directive does not apply to them. Meanwhile a goods manufacturer, a logistics company or a digital service provider very often falls under it.
To assess your own situation, you have to combine two questions: do I operate in a covered sector, and do I exceed the size thresholds. Generally the directive targets medium and larger companies, but there are exceptions where it also covers smaller entities because of their critical role.
The supply chain, or the indirect effect
Even if you are formally neither an essential nor an important entity, NIS2 can reach you indirectly. Covered companies are obliged to manage the security of their supply chain. In practice this means they will require an appropriate level of security from their suppliers, including contractually.
If you serve a customer covered by the directive, expect questions about your safeguards, backups and incident response procedures. Compliance then becomes a condition for keeping the contract, not just a legal obligation.
The obligations the directive imposes
NIS2 requires the implementation of risk management measures appropriate to the scale of threats. This is a risk-based approach, not a closed list of products to buy. The key areas include:
- Policies for risk analysis and information system security.
- Incident handling, including detection, response and documentation.
- Business continuity, backup management and disaster recovery.
- Supply chain security and supplier relationships.
- Security in the acquisition, development and maintenance of systems.
- Policies for assessing the effectiveness of the measures applied.
- Basic cyber hygiene and training.
- Cryptography and encryption where appropriate.
- Access control, identity management and multi-factor authentication.
A separate, hard obligation is incident reporting. A company must be able to detect a serious incident, assess it and report it to the competent authority within set deadlines, with an early warning counted in hours and a fuller report in the following days. This requires not only tools but also a decision on who triggers the report and on what basis.
Management responsibility
The most important philosophical change in NIS2 concerns management. The directive imposes on management bodies the obligation to approve risk management measures and oversee their implementation. Management must also undergo training in order to understand the risks they decide on.
Crucially, responsibility cannot be fully delegated to the IT department or an external provider. Security becomes a board-level topic, just like finance or legal compliance. This is a deliberate choice by the legislator to shift management’s attention to real action, rather than a signature under a document.
Penalties for non-compliance
NIS2 provides for severe financial sanctions, deliberately high, so that compliance pays off more than the risk. Different upper limits of administrative fines have been set for essential and important entities, counted as an amount or as a percentage of annual turnover, whichever is higher.
Beyond financial penalties, supervisory authorities have other measures: they can order specific corrective actions and, in extreme cases, temporarily restrict the ability of people in management positions to perform their functions. This further underlines the personal dimension of responsibility.
Where to start
The first step is always the same: establish whether and in which category the directive covers you, and then do an honest gap analysis between the current state and the requirements. Only on this basis does an implementation plan make sense, ranked by risk rather than by what is easiest to buy.
If you want to assess your situation reliably, a good starting point is a risk analysis combined with an audit of the current state. On this basis we run a NIS2 implementation so that compliance raises the company’s security rather than being just paper for the drawer. Start with a diagnosis before you start spending the budget.