Understanding NIS2: Everything You Need to Get Ready for the Directive

The NIS2 (Network and Information Security Directive) establishes a fundamental framework for cybersecurity across critical sectors. It builds on the original NIS1 Directive, adopted in 2016 as the first EU-wide effort to standardise cybersecurity within the legal systems of Member States. In December 2022, the EU Council and the European Parliament adopted NIS2, revising and strengthening cybersecurity requirements throughout the EU.

Since NIS2 is a directive and not a formal regulation, it is not directly applicable in Member States until it is transposed into national legislation. As a result, national legislators must update their information security laws to comply with the directive by the deadline set by the EU: 17 October 2024.

What is the purpose of the NIS2 Directive?

NIS2's primary aim is to strengthen cybersecurity requirements across the EU. It broadens its scope to cover more sectors and entities while introducing measures such as:

  • Risk analysis and information security policies
  • Incident response management
  • Supply chain security

Additionally, NIS2 seeks to streamline incident reporting obligations, making compliance more transparent and efficient.

What has changed with NIS2?

NIS2 replaces the original NIS Directive introduced in 2016, the EU’s first legislative act on cybersecurity. The updated directive significantly expands the original framework, introducing key changes, including:

  • Broader sectoral coverage – More industries are now within its scope.
  • Stricter supervision – National authorities are granted enhanced supervisory powers.
  • Supply chain focus – Greater emphasis on managing supply chain risks.
  • Stronger enforcement – More stringent compliance measures and tougher penalties for non-compliance.

Why is NIS2 important for your organisation?

NIS2 directly impacts companies across various sectors, including energy, transport, healthcare, and financial services. Complying with NIS2 requirements can offer the following key benefits:

  • Mitigate the risk of cyberattacks: Safeguard data and systems from cyber threats and malicious actors.
  • Boost customer trust: Demonstrate a strong commitment to security and data protection.
  • Avoid fines and penalties: Ensure regulatory compliance and avoid costly sanctions.
  • Enhance organisational reputation: Position your organisation as a secure and trustworthy partner.

Interested in learning more about NIS2 and how it aligns with ISO 27001? Eurotux provides a detailed explanation in our opinion piece on ITSecurity.

Who is subject to NIS2?

An organisation is subject to the NIS2 Directive if:

  • It provides services or carries out activities in any EU Member State.
  • With certain exceptions, it has at least 50 employees or an annual turnover or balance sheet total exceeding €10 million.
  • It operates in one of the 18 sectors listed in Annex I and Annex II of the NIS2 Directive.

Sectoral scope

Critical sectors* (left-hand column):
  • Energy
  • Transport
  • Banking
  • Financial market infrastructure
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • IT service management (B2B)
  • Public administration
  • Space

Essential sectors** (right-hand column):
  • Postal services
  • Waste management
  • Chemicals
  • Food products
  • Manufacturing (Industry)
  • Digital services
  • Research & Development (R&D)

*Critical entities:

Critical entities are typically medium- or large-sized organisations considered essential to the economy and operating in a sector listed in the left-hand column of the sectoral scope.

**Essential entities:

Essential entities are typically medium- or large-sized organisations that, while important to the economy, are not classified as critical. They operate in a sector listed in the right-hand column of the sectoral scope.

Exceptions: Companies that are the sole providers of a given service in an EU Member State, or whose service disruption could have a significant impact, may be classified as essential or critical entities, regardless of size.

Criteria for classification as a large organisation:

  • Number of employees;
  • Or annual turnover and total balance sheet

Note: Specific thresholds for these criteria are still to be defined in Portuguese legislation.

Criteria for classification as a medium-sized organisation:

  • Number of employees;
  • Or annual turnover and total balance sheet

Note: Specific thresholds for these criteria are still to be defined in Portuguese legislation.

Small and micro-enterprises are not automatically excluded from the scope of NIS2. Member States may extend NIS2 obligations to smaller entities if they meet specific criteria, such as playing a key role in society, the economy, or particular sectors or service types.

Don’t Miss Our NIS2 Webinar – Discover What’s Changed with the Directive [PT]

Ensure NIS2 Compliance with Eurotux
