NIS 2 

What is NIS2? 

NIS2 is an EU-wide set of rules designed to strengthen the cyber resilience of key sectors. It sets minimum cyber security standards, requires faster incident reporting, and makes senior leadership directly accountable for managing cyber risk.

Who it applies to

NIS2 applies to medium and large organisations in critical sectors such as: Energy, Transport, Healthcare, Drinking and waste water, Banking and financial infrastructure, Public administration, Digital infrastructure and ICT services, Manufacturing, food, chemicals, postal services, digital services, research, and more.

It splits organisations into two categories:

• Essential entities – face stricter supervision

• Important entities – still regulated, but with lighter oversight

By April 2025, EU Member States must create official lists of all essential and important entities, as well as organisations that provide domain name registration services.

To be included on these lists, organisations will be required to give their national authorities at least the following information:

• The organisation’s name

• Its address and up-to-date contact details, including email addresses, IP ranges, and phone numbers

If any of this information changes, the organisation must report the update within two weeks.

Organisations must put in place appropriate security measures to protect their network and information systems — including their physical environment. ‘Appropriate’ means the measures must match the level of risk the organisation faces.

The directive requires organisations to have, at minimum:

• Risk analysis and a security policy for their information systems

• Effective incident-handling processes

• Business continuity plans, including backups, contingency plans, and crisis-management procedures

• Supply-chain security measures and controls for the full lifecycle of their systems, including how they handle and disclose vulnerabilities

• Policies and procedures to assess whether their security measures actually work

• Basic cyber-hygiene practices and regular cybersecurity training

NIS2 refers to recognised European and international standards when designing these measures, specifically mentioning the ISO 27000 series. Additional practical guidance on cyber security and cyber hygiene can be found on national and governmental websites, such as the Centre for Cyber Security Belgium, the National Cyber Security Centre, and the Rijksinspectie Digitale Infrastructuur in the Netherlands.

Supervisory authorities will have the power to carry out on-site inspections, off-site checks, audits, security scans, and to request documentation or information whenever needed.

Essential entities can face administrative fines of up to €10 million or 2% of global annual turnover. Important entities can be fined up to €7 million or 1.4% of global annual turnover.

NIS2 and the GDPR partly overlap: both require strong security measures and mandatory incident reporting to the relevant authorities.

Where sector-specific laws impose stricter cyber security rules, those requirements take priority. For example, the Digital Operational Resilience Act (DORA) sets stronger rules for the financial sector.