Understanding the NIS2 Directive: what it is and why it matters

Published on 03/13/2025

Written by Anna Perigo

The NIS2 Directive (Directive (EU) 2022/2555 on network and information security) is a European Union directive designed to strengthen cybersecurity across member states. It replaces the original NIS Directive of 2016 (NIS1) and introduces stricter rules to protect critical infrastructures and ensure a high common level of cybersecurity in strategic sectors. 

NIS2 entered into force on January 16, 2023. Because it is a directive rather than a regulation, its obligations reach organizations through national transposition laws, which member states had to adopt by October 17, 2024; from that point on, NIS2 sets the common baseline for cybersecurity risk management and incident reporting across EU countries. 

Why is NIS2 essential? 

  • The increased frequency and sophistication of cyberattacks worldwide, impacting key sectors such as energy, transportation, and financial services. 
  • Limitations of NIS1, which left gaps in cybersecurity and inconsistencies in rule enforcement across member states. 
  • Mandatory adoption: EU countries had until October 17, 2024, to transpose the directive into national legislation. As of October 18, 2024, NIS1 was officially repealed. 

NIS2 is not just about compliance; it also provides strategic benefits for organizations, such as better protection against cyber threats, increased market trust, and reduced operational risks. 

In the following sections, we will explore the evolution from NIS1 to NIS2, the affected sectors, and the mandatory requirements that companies must follow to avoid severe fines and penalties. Check it out! 

The evolution from NIS1 to NIS2: what has changed? 

Cybersecurity has been a growing concern for European countries, particularly with the rise in cyberattacks targeting critical infrastructures. In response, the NIS1 Directive, adopted in 2016, was the EU’s first step toward establishing a minimum level of protection for essential sectors. 

However, as cyber threats evolved and digital dependence increased, NIS1 proved to have significant limitations, requiring a more comprehensive revision. As a result, the NIS2 Directive was proposed in 2020, adopted in 2022, and entered into force on January 16, 2023. NIS1 remained in place until the transposition deadline passed and was repealed with effect from October 18, 2024. 

Key issues with NIS1 

  • Lack of standardization across member states: Implementation varied widely among countries, creating inconsistencies in EU cybersecurity. 
  • Limited scope: Only a few industries were included in NIS1, leaving out essential sectors that are vital to the economy and society. 
  • Weak security measures: The original directive did not establish clear standards for risk governance. 
  • Ineffective incident response mechanisms: Incident notification requirements were too flexible, reducing the speed and efficiency of response efforts. 

What has NIS2 changed? 

NIS2 was designed to address the weaknesses of NIS1 and ensure a higher level of digital security across the European Union. The key changes include: 

  • Expanded coverage: More sectors are now included, covering a broader range of the economy and critical infrastructure, and a size-cap rule brings in medium-sized and large organizations in those sectors by default. 
  • Stronger security standards: Organizations must adopt governance and cybersecurity risk management measures based on an all-hazards approach, including supply chain security and business continuity. 
  • Enhanced incident notification requirements: Affected organizations must send an early warning within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within one month. 
  • Stricter penalties: Essential entities failing to comply may face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities the ceiling is €7 million or 1.4%. 
  • Increased executive responsibility: Management bodies must approve the cybersecurity measures, oversee their implementation, and can be held personally liable for infringements. 

NIS2 not only expands the scope of protection but also creates a more uniform and structured environment for digital security across Europe. 

Key objectives of NIS2 

As mentioned earlier, NIS2 was developed to fix the shortcomings of NIS1 and ensure a higher level of cybersecurity resilience across the EU. Its primary goal is to reduce the impact of cyberattacks on essential sectors while establishing more stringent regulatory requirements. 

To achieve this, the directive introduces strict security standards, broadens the scope of regulated companies, and standardizes cybersecurity practices among member states. The key objectives of NIS2 include: 

Strengthening cybersecurity requirements 

NIS2 mandates that regulated organizations adopt appropriate and proportionate technical, operational and organizational measures, including: 

  • Cyber risk management and mitigation, based on an all-hazards approach. 
  • Continuous threat monitoring, incident handling and incident response. 
  • Strong authentication processes (including multi-factor authentication where appropriate) and access controls. 
  • Encryption policies and protection of sensitive data. 
  • Supply chain security, covering the relationships with direct suppliers and service providers. 
  • Business continuity, backup management and disaster recovery. 

Additionally, organizations must have policies to assess the effectiveness of these measures, and competent authorities can subject essential entities to regular and targeted security audits to verify compliance. 

Expanding the scope of regulated sectors 

NIS1 covered only a limited number of critical sectors, while NIS2 expands regulations to include a wider range of strategic industries. The directive differentiates between “Essential Entities” (EE) and “Important Entities” (IE), covering both critical infrastructure and large companies providing vital services. 

This change ensures that more organizations are required to adopt best cybersecurity practices, strengthening the overall resilience of the European market. 

Enhancing cooperation among member states 

The lack of standardization in NIS1 made it difficult to coordinate responses to large-scale cyber incidents. NIS2 addresses this issue by establishing clearer guidelines for cross-border collaboration, including: 

  • Increased information sharing on threats and incidents among EU member states. 
  • Coordination among European regulatory authorities to ensure more uniform enforcement of the directive. 

By improving cooperation, NIS2 strengthens Europe’s collective response to emerging cyber threats and enhances the protection of critical infrastructures. 

The implementation of these objectives makes NIS2 an essential instrument for increasing cybersecurity maturity in Europe. 

Sectors and entities covered by NIS2 

One of the most significant changes introduced by NIS2, compared to NIS1, is the expansion of the scope of businesses and sectors that must comply with cybersecurity requirements. While NIS1 applied only to a limited group of critical sectors, the new directive includes a broader range of organizations that are essential to the European Union’s economy and infrastructure. 

NIS2 classifies affected companies into two categories: Essential Entities (EE) and Important Entities (IE). The classification depends on both the sector and the size of the organization: large entities in the sectors of high criticality (Annex I of the directive) are essential, while medium-sized entities in those sectors and entities in the other critical sectors (Annex II) are important. A few entity types, such as DNS service providers, top-level domain registries and qualified trust service providers, are essential regardless of size. 

Essential Entities (EE) 

Entities classified as essential perform critical functions for society and the economy. Therefore, NIS2 requires these organizations to comply with stricter supervision and undergo more rigorous inspections. 

Sectors of high criticality (Annex I), whose large entities are essential: 

  • Energy (electricity, district heating and cooling, gas, oil, hydrogen) 
  • Transport (air, rail, road, maritime, inland waterways) 
  • Banking and financial market infrastructure 
  • Health (hospitals and other healthcare providers, reference laboratories, pharmaceutical and critical medical device manufacturers) 
  • Drinking water and waste water 
  • Digital infrastructure (DNS providers, data centers, cloud providers, telecommunications) and business-to-business ICT service management 
  • Public administration 
  • Space (satellite and space communication infrastructures) 

Essential Entities are subject to proactive (ex ante) as well as reactive supervision, including regular and targeted security audits, on-site inspections, security scans and requests for evidence that their cybersecurity measures are in place. 

Important Entities (IE) 

Important Entities must also comply with NIS2 requirements, but they are subject to lighter, reactive (ex post) supervision: authorities act when they have evidence or indications of non-compliance, for example after an incident or a complaint, rather than through routine proactive audits. 

Other critical sectors (Annex II), whose medium-sized and large entities are important: 

  • Waste management 
  • Food production, processing, and distribution 
  • Postal and courier services 
  • Manufacture, production, and distribution of chemicals 
  • Manufacturing of medical devices, electronics, machinery, and motor vehicles 
  • Digital providers (online marketplaces, online search engines, social networking platforms) 
  • Scientific research 

Medium-sized entities in the Annex I sectors above are also classified as important rather than essential. Although Important Entities face less preventive supervision, they must implement the same cybersecurity risk management measures and meet the same incident reporting deadlines. 

Criteria for inclusion under NIS2 

In addition to classification by sector, NIS2 applies a size-cap rule: an organization in a listed sector is covered when it is at least a medium-sized enterprise under Commission Recommendation 2003/361/EC. In practice this means: 

  • Number of employees: Companies with 50 or more employees are covered. 
  • Financial threshold: Companies with fewer than 50 employees are also covered if both their annual turnover and their balance sheet total exceed €10 million. 
  • Large entities: Those with 250 or more employees, or with annual turnover above €50 million and a balance sheet total above €43 million, are treated as large, which in the Annex I sectors means essential. 
  • Economic and social impact: Even smaller companies are covered regardless of size if they play a strategic role, for example DNS service providers, top-level domain registries, trust service providers, public electronic communications providers, sole providers of a critical service in a member state, or entities a member state designates as critical. 
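The size-cap rule above reads simply but has edge cases (an entity with 49 staff can still be in scope on financial figures alone, and a tiny DNS provider is essential). The following added example, which is not part of the original article and not a tool from the directive itself, encodes the rule as a classifier. The thresholds are taken from Recommendation 2003/361/EC; the `Entity` record and its `regardless_of_size` and `essential_by_type` flags are assumptions for the illustration, and member-state designations are deliberately not modelled.

```python
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    """Which NIS2 annex lists the entity's sector (NONE if neither)."""
    I = "sectors of high criticality"
    II = "other critical sectors"
    NONE = "not a listed sector"


class Status(Enum):
    ESSENTIAL = "essential entity"
    IMPORTANT = "important entity"
    OUT_OF_SCOPE = "not covered by the size-cap rule"


@dataclass(frozen=True)
class Entity:
    """Hypothetical input record; figures in EUR, staff as head count."""
    name: str
    annex: Annex
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    # Covered regardless of size (e.g. DNS service providers, TLD registries,
    # qualified trust service providers, central public administration).
    regardless_of_size: bool = False
    # Among those, the types NIS2 makes essential irrespective of size.
    essential_by_type: bool = False


def is_small_or_micro(e: Entity) -> bool:
    # Rec. 2003/361/EC: small = fewer than 50 staff AND
    # (annual turnover <= EUR 10M OR balance sheet total <= EUR 10M).
    return e.employees < 50 and (e.turnover_eur <= 10e6 or e.balance_sheet_eur <= 10e6)


def exceeds_medium(e: Entity) -> bool:
    # Medium = fewer than 250 staff AND (turnover <= EUR 50M OR balance sheet <= EUR 43M).
    # Anything bigger is "large" for the essential/important split.
    is_medium_or_smaller = e.employees < 250 and (
        e.turnover_eur <= 50e6 or e.balance_sheet_eur <= 43e6
    )
    return not is_medium_or_smaller


def classify(e: Entity) -> Status:
    """Apply the size-cap rule first, then the essential/important split.

    Simplification: member-state designations, critical entities under the
    CER Directive and the special case of medium-sized public electronic
    communications providers are not modelled.
    """
    if e.annex is Annex.NONE and not e.regardless_of_size:
        return Status.OUT_OF_SCOPE
    if is_small_or_micro(e) and not e.regardless_of_size:
        return Status.OUT_OF_SCOPE
    if e.essential_by_type:
        return Status.ESSENTIAL
    if e.annex is Annex.I and exceeds_medium(e):
        return Status.ESSENTIAL
    return Status.IMPORTANT


# Constructed sample portfolio (fictional organizations).
SAMPLE = [
    Entity("grid operator", Annex.I, 600, 120e6, 90e6),
    Entity("regional hospital", Annex.I, 120, 20e6, 15e6),
    Entity("food distributor", Annex.II, 400, 80e6, 60e6),
    Entity("small clinic", Annex.I, 30, 5e6, 4e6),
    Entity("boutique DNS resolver", Annex.I, 12, 3e6, 2e6,
           regardless_of_size=True, essential_by_type=True),
    Entity("chemical trader", Annex.II, 49, 12e6, 12e6),
    Entity("chemical trader (small balance sheet)", Annex.II, 49, 12e6, 8e6),
]


def classify_all(entities=SAMPLE) -> dict:
    return {e.name: classify(e) for e in entities}


if __name__ == "__main__":
    for name, status in classify_all().items():
        print(f"{name:40s} -> {status.value}")
```

Note the two chemical traders: both have 49 employees and €12 million turnover, but only the one whose balance sheet also exceeds €10 million is in scope, because the Recommendation lets a company stay "small" if either financial figure is at or below the ceiling.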

By expanding the scope of regulated sectors, NIS2 makes cybersecurity a priority for a broader range of organizations, ensuring that both critical infrastructures and essential services adopt strong security practices against cyber threats. 

Security requirements and obligations for entities 

With NIS2 now in effect, companies classified as Essential and Important Entities must comply with a common set of regulatory requirements to ensure a high level of cybersecurity. The directive establishes guidelines on risk management, preventive measures, incident reporting, and regulatory supervision, creating a more resilient digital environment across the European Union. 

Organizations covered by NIS2 must implement a set of mandatory requirements, which include: 

Risk management and cybersecurity measures 

NIS2 requires companies to adopt a risk-based approach by implementing strict controls to reduce vulnerabilities and mitigate cyber threats. These measures include: 

  • Continuous monitoring and incident response to detect and neutralize cyberattacks in real time. 
  • Access management policies and strong authentication to reduce unauthorized access risks. 
  • Encryption and protection of sensitive data, ensuring that critical information remains secure. 
  • Network and system segmentation, making it more difficult for attackers to move laterally within corporate environments. 

Additionally, organizations covered by NIS2 must have policies and procedures to assess the effectiveness of these measures, for example through periodic audits and security testing. 

Incident notification procedures 

NIS2 introduced strict deadlines for reporting significant incidents, ensuring a faster and more transparent response to attacks. A significant incident is one that has caused or can cause severe operational disruption or financial loss for the entity, or considerable material or non-material damage to others. The reporting process to the competent authority or CSIRT consists of three phases, all counted from the moment the organization becomes aware of the incident: 

  • Early warning: Within 24 hours, the organization must report that a significant incident has occurred, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact. 
  • Incident notification: Within 72 hours, an update with an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise. 
  • Final report: Within one month of submitting the incident notification, a detailed description of the incident, the type of threat or root cause that likely triggered it, the mitigation measures applied, and any cross-border impact. 

Additionally, the directive provides for: 

  • Intermediate reports: At the request of the authority, relevant status updates while the incident is being handled. 
  • Progress reports: If the incident is still ongoing when the final report falls due, the organization submits a progress report at that time and the final report within one month of handling the incident. 

Where relevant, affected organizations must also inform the recipients of their services about significant incidents and about the measures those recipients can take in response. The requirement for fast and detailed notification aims to minimize the impact of cyberattacks and ensure that authorities can coordinate effective responses to prevent threats from spreading. 
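The timeline above is easy to get wrong in an incident tracker, in particular the "one month" clock that starts at the 72-hour notification rather than at detection, and the branch for incidents still open when the final report falls due. The added example below, which is not part of the original article, computes the deadline set from the moment of awareness. It assumes "one month" means a calendar month (clamped at month end); national transposition laws may count it differently, and the scenario timestamps are constructed.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Sequence


def add_one_month(t: datetime) -> datetime:
    """Calendar-month addition, clamped to the last day of the target month
    (31 Jan -> 28/29 Feb). Assumption: "one month" is a calendar month."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime              # 24 h after becoming aware
    incident_notification: datetime      # 72 h after becoming aware
    progress_report: Optional[datetime]  # only if still ongoing when the final report falls due
    final_report: Optional[datetime]     # None while an ongoing incident has no handling date yet


def nis2_deadlines(aware_at: datetime, handled_at: Optional[datetime] = None) -> ReportingDeadlines:
    """Derive the Article 23 timeline from the moment the entity became aware.

    handled_at is when the incident was handled (contained and closed);
    None means it is still ongoing.
    """
    early = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    final_due = add_one_month(notification)  # one month after the 72 h notification

    still_ongoing_at_final = handled_at is None or handled_at > final_due
    if not still_ongoing_at_final:
        return ReportingDeadlines(early, notification, None, final_due)

    # Incident not yet handled when the final report would be due: a progress
    # report is due then, and the final report one month after handling
    # (unknown until handled_at is known).
    final_after_handling = add_one_month(handled_at) if handled_at else None
    return ReportingDeadlines(early, notification, final_due, final_after_handling)


def overdue(d: ReportingDeadlines, now: datetime, submitted: Sequence[str] = ()) -> List[str]:
    """Names of reports whose deadline has passed and that are not yet submitted."""
    due = {
        "early_warning": d.early_warning,
        "incident_notification": d.incident_notification,
        "progress_report": d.progress_report,
        "final_report": d.final_report,
    }
    return [name for name, when in due.items()
            if when is not None and now > when and name not in submitted]


# Constructed scenario: the SOC confirms a significant incident on 30 Jan 2025 10:00 UTC.
AWARE = datetime(2025, 1, 30, 10, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    closed_fast = nis2_deadlines(AWARE, handled_at=datetime(2025, 2, 20, tzinfo=timezone.utc))
    dragged_on = nis2_deadlines(AWARE, handled_at=datetime(2025, 4, 15, tzinfo=timezone.utc))
    print("early warning due       :", closed_fast.early_warning)
    print("incident notification   :", closed_fast.incident_notification)
    print("final (handled quickly) :", closed_fast.final_report)
    print("progress (still open)   :", dragged_on.progress_report)
    print("final (after handling)  :", dragged_on.final_report)
    print("overdue at +30 h        :", overdue(closed_fast, AWARE + timedelta(hours=30)))
```

Wiring `overdue()` to the SOC's alerting with the current UTC time and the list of reports already filed gives a simple, testable guard against missing the 24-hour early warning, which is the deadline most often blown in practice because it falls while triage is still underway.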

Senior management responsibilities 

Unlike NIS1, NIS2 introduced direct responsibilities for the management bodies of regulated companies. This means that CEOs, directors and board members can be held liable if their organizations fail to implement adequate cybersecurity risk management measures. 

Senior management obligations under NIS2 include: 

  • Approving the cybersecurity risk management measures and overseeing their implementation. 
  • Following training to understand cybersecurity risks and their implications, and offering similar training to employees. 
  • Allocating sufficient resources to strengthen the organization's security posture. 

If a company fails to meet NIS2 requirements, executives may face not only financial penalties but also administrative sanctions: for essential entities, competent authorities can temporarily prohibit individuals at CEO or legal representative level from exercising managerial functions until the non-compliance is remedied. 

How iT.eam can help ensure NIS2 compliance 

Given NIS2’s strict requirements, companies need reliable and experienced partners to ensure their cybersecurity strategy meets the new regulatory standards. iT.eam offers a comprehensive range of specialized solutions and services to help organizations implement NIS2 guidelines. 

Risk assessment and mapping 

iT.eam assists businesses in identifying and mitigating vulnerabilities through detailed evaluations of: 

  • Regulatory compliance with NIS2. 
  • Incident response capabilities. 
  • The effectiveness of cybersecurity controls. 

Specialized cybersecurity consulting 

Our team of experts provides guidance on best cybersecurity governance practices, ensuring that executives and decision-makers understand their responsibilities and implement the required measures. 

Among our consulting services: 

  • Development of security policies aligned with NIS2. 
  • Training programs for executives and technical teams. 
  • Support in adapting internal processes for regulatory compliance. 

Continuous monitoring and incident response 

iT.eam provides advanced detection and response solutions, allowing businesses to identify and respond to cyber threats in real time. Our services include: 

  • SIEM and SOAR platforms for automated and efficient incident response. 
  • Breach and Attack Simulations (BAS) and penetration testing (Pentest) to assess cybersecurity defenses. 

Industry certifications and market recognition 

iT.eam stands out as a trusted cybersecurity partner, with certifications that validate the quality and compliance of its services: 

  • SOC-CMM Risk Driven: The first SOC in the world to achieve the highest level of this certification. 
  • ISO 27001 and ISO 27701: Information security and data privacy certifications. 

With this expertise, iT.eam is fully prepared to support businesses in implementing NIS2, ensuring regulatory compliance and strengthening cyber defenses. 

Given this landscape, partnering with a strategic cybersecurity expert like iT.eam is crucial to ensure compliance and enhance cybersecurity resilience. If your company is looking for complete support to meet NIS2 requirements, contact the iT.eam team today to learn how we can help. 
