The NIS2 Directive is a landmark piece of European cybersecurity legislation that strengthens and expands upon the original NIS Directive (Network and Information Systems Directive). It aims to enhance the resilience of critical infrastructure across the EU by establishing baseline cybersecurity requirements for a broader range of sectors and organizations.
Below, we break down the most pressing questions surrounding NIS2 and what it means for your business.
Table of Contents:
- What is the NIS2 Directive?
- What is NIS2 Compliance?
- Who Does NIS2 Apply To?
- When Does NIS2 Become Mandatory?
- How Does NIS2 Address Supply Chain Security?
What is the NIS2 Directive?
The NIS2 Directive, officially known as Directive (EU) 2022/2555, is the European Union’s updated framework for cybersecurity risk management and reporting. It replaces the original NIS Directive and introduces stricter obligations for incident reporting, risk management, governance, and oversight. NIS2 significantly increases the scope of covered entities, enforces supply chain security measures, and enhances EU-wide collaboration.
The directive reflects growing concerns over ransomware, supply chain attacks, and digital infrastructure dependencies, mandating a more proactive, risk-based approach to cyber resilience.
What is NIS2 Compliance?
NIS2 compliance refers to meeting the technical, operational, and organizational requirements set by the directive. This includes:
-
Implementing robust cybersecurity risk management practices
-
Reporting incidents within tight timelines (24–72 hours)
-
Ensuring business continuity and crisis management
-
Establishing multi-level governance structures for oversight and accountability
-
Conducting regular vulnerability assessments and supply chain evaluations
Failure to comply with NIS2 can result in substantial penalties, reputational damage, and increased regulatory scrutiny.
Who Does NIS2 Apply To?
NIS2 applies to a wider range of sectors and companies than its predecessor. It classifies affected entities into two categories:
-
Essential Entities – organizations in sectors like energy, transport, banking, health, water, and digital infrastructure.
-
Important Entities – sectors such as manufacturing of critical products, postal services, and waste management.
The directive generally applies to medium and large organizations (typically over 50 employees and € 10 M+ turnover), including public and private sector entities operating critical or essential services. However, individual member states may extend the scope to smaller entities where justified.
When Does NIS2 Become Mandatory?
EU Member States must transpose the NIS2 Directive into national law by October 17, 2024. After that date, enforcement begins, and organizations falling under the directive’s scope must be fully compliant.
Businesses should act now to assess their readiness, remediate gaps, and implement necessary governance and security controls before the deadline.
How Does NIS2 Address Supply Chain Security?
NIS2 directly confronts the growing risk of supply chain attacks by requiring organizations to:
-
Assess supplier's cybersecurity posture
-
Embed security obligations in contracts with third parties
-
Monitor third-party risk exposure
-
Ensure continuous oversight of outsourced IT/OT systems
In short, NIS2 emphasizes that cybersecurity is no longer confined to internal systems—it must extend across the entire ecosystem. Organizations will need solutions that unify visibility across first-party and third-party risks and allow them to demonstrate due diligence in managing supply chain threats.
Return to Cybersecurity Frameworks and Standards Glossary
