What is NIS2 and who does it concern?

Complete guide for 2025


If you are an IT manager or owner of a medium-sized company, you have probably heard of NIS2. Maybe you received an email from a lawyer, or saw an article. But what is it and does it apply to your company?

What is NIS2?

NIS2 (Network and Information Security Directive 2) is a European directive on cybersecurity. It is essentially a 'NIS2 law' at the EU level that member states must transpose into national laws.

Simply put: The EU tells companies in critical sectors: "You must protect yourself from cyber attacks and if something happens, you must report it."

Why was it created?

  • Ransomware attacks increased by 300%
  • Average cost of a data breach reached €4.5 million
  • Supply chain attacks showed systemic risks

When did it take effect?

  • Directive adoption: January 2023
  • Transposition deadline: October 17, 2024
  • Full effect: from October 2024

From October 2024, regulatory bodies (NBÚ in Slovakia, NÚKIB in Czechia) can perform checks and impose fines.

Who does NIS2 concern?

NIS2 expands the scope to many more companies than the previous directive.

High Criticality Sectors

  • Energy (electricity, gas, oil, heat, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial markets
  • Healthcare
  • Drinking water and waste water
  • Digital infrastructure (DNS, cloud, data centers, CDN)
  • Public administration

Other Critical Sectors

  • Postal and courier services
  • Waste management
  • Chemical industry
  • Food industry
  • Manufacturing (medical devices, computers, electronics, machinery, vehicles)
  • Digital services (online marketplaces, search engines, social networks)
  • Research

Size Criterion

Being in a regulated sector is not enough. You must also meet size criteria:

Medium enterprise: 50-249 employees OR €10-50M turnover

Large enterprise: 250+ employees OR €50M+ turnover

Example: A manufacturing firm with 80 employees and €15M turnover falls under NIS2.

What does NIS2 require?

The directive defines minimum measures you must implement:

Risk Management

Identification and assessment of risks, implementation of appropriate measures

Incident Response

Incident response plan, detection mechanisms, recovery procedures

Business Continuity

Backup, disaster recovery, crisis management

Supply Chain Security

Supplier risk assessment, security requirements in contracts

Cyber Hygiene and Training

Security awareness, employee training

Cryptography and Access Control

Data encryption, multi-factor authentication

Incident Reporting

One of the most important duties is reporting security incidents:

  • 24 hours: early warning
  • 72 hours: notification
  • 1 month: final report

What happens if you don't comply?

Essential Entities: €10,000,000 or 2% of global turnover

Important Entities: €7,000,000 or 1.4% of global turnover

Personal Liability: Management members can be personally liable for non-compliance.

How to start?

1. Verify it: check the criteria - sector and size.

2. Do an assessment: evaluate the current state of your cybersecurity.

3. Prioritize: start with the most critical areas - incident response, access control, backups.

4. Document: NIS2 requires documentation. Policies, procedures, records.


This article is for informational purposes only and does not constitute legal advice.