NIS2 Directive: Cybersecurity Requirements Your Organization Needs to Know
The NIS2 Directive expands cybersecurity obligations across the EU.
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated framework for cybersecurity. It replaces the original NIS Directive from 2016 and significantly expands both the scope of organizations covered and the obligations they must meet.
NIS2 entered into force on January 16, 2023, and EU Member States were required to transpose it into national law by October 17, 2024. Organizations in scope must now comply with the national implementations.
Who must comply?
NIS2 dramatically expands the scope of covered entities compared to the original directive. It applies to two categories:
Essential entities
Large organizations (250+ employees or EUR 50M+ turnover) in sectors including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.
Important entities
Medium organizations (50+ employees or EUR 10M+ turnover) in the above sectors, plus organizations in postal services, waste management, chemicals, food, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, and digital providers (online marketplaces, search engines, social networking).
Key requirements
Risk management measures (Article 21)
Organizations must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. These must include at minimum:
- Policies on risk analysis and information system security
- Incident handling procedures
- Business continuity and crisis management
- Supply chain security, including security aspects of supplier relationships
- Security in network and information systems acquisition, development, and maintenance
- Policies and procedures for assessing the effectiveness of cybersecurity measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and encryption
- Human resources security, access control, and asset management
- Use of multi-factor authentication and secured communication systems
Incident reporting (Article 23)
Organizations must report significant incidents to the relevant national authority:
- Early warning within 24 hours of becoming aware
- Incident notification within 72 hours with initial assessment
- Final report within one month with detailed description, root cause, and mitigation measures
Management accountability
NIS2 introduces personal accountability for management bodies. Senior management must approve cybersecurity risk management measures and can be held liable for non-compliance. They must also undergo cybersecurity training.
NIS2 and AI systems
AI systems are increasingly part of critical infrastructure and digital services. NIS2's cybersecurity requirements directly apply to AI systems deployed in covered sectors:
- AI system security — AI systems must be included in the organization's cybersecurity risk management framework
- Supply chain — Organizations must assess cybersecurity risks from AI providers and third-party AI services
- Incident reporting — AI-related security incidents (data poisoning, model extraction, adversarial attacks) must be reported under NIS2 timelines
- EU AI Act alignment — Article 15 of the AI Act requires high-risk AI systems to be resilient against cybersecurity threats, aligning with NIS2's broader requirements
Penalties
NIS2 introduces significant penalties for non-compliance:
- Essential entities: Up to EUR 10 million or 2% of global annual turnover, whichever is higher
- Important entities: Up to EUR 7 million or 1.4% of global annual turnover, whichever is higher
Member States can also impose personal liability on management, including temporary bans from exercising managerial functions.
How to prepare
1. Determine your classification. Are you an essential or important entity under NIS2? Check your sector, size, and national transposition rules.
2. Conduct a gap analysis. Compare your current cybersecurity posture against NIS2's Article 21 requirements.
3. Establish incident reporting procedures. Ensure you can detect, assess, and report incidents within the 24/72-hour timelines.
4. Engage management. Brief senior leadership on their personal accountability and training obligations.
5. Assess supply chain risks. Map your ICT suppliers and assess their cybersecurity practices.
6. Track compliance with complixo. complixo supports NIS2 alongside EU AI Act and GDPR, giving you a unified view of your compliance status across frameworks.
Ready to get compliant?
complixo helps you classify, document, and track EU AI Act compliance in minutes — not months.