Supporting the NIS2 Directive compliance
Europe’s most extensive cybersecurity directive to date, the Network and Information Systems Directive (NIS2), is now in effect. It tightens the requirements for risk management and incident reporting and broadens the scope of the rules to cover more sectors and entities.
OVERVIEW
What is the NIS2 Directive?
The Network and Information Systems Directive (NIS2 Directive), Directive (EU) 2022/2555, is EU-wide legislation establishing common cybersecurity requirements across member states. It replaces the original NIS Directive (Directive (EU) 2016/1148) to address gaps in that framework, expanding its scope to cover additional sectors and entities. NIS2 aims to harmonize cybersecurity requirements, strengthen resilience against evolving threats, and impose stricter penalties for non-compliance.
The directive adopts a risk-based approach, requiring organizations to implement security measures proportionate to potential threats. It also promotes cross-border collaboration by encouraging information sharing among stakeholders and mandates comprehensive incident reporting to support effective threat detection and response.

Main goals & objectives of the NIS2
Implement effective risk management
Ensure corporate accountability for cybersecurity
Establish efficient reporting obligations for security incidents
Develop robust business continuity plans for cyber incidents
Platform-driven compliance
Don’t get caught out by compliance
The toggle-ready NordLayer platform brings access controls, logs, and policies together in one place, helping you stay aligned and catch issues before they become problems.
Sectors affected by NIS2 compliance requirements
NIS2 divides organizations into two categories: Essential Entities (EE) and Important Entities (IE). In most cases, public or private organizations in the covered sectors that are medium-sized or larger, meaning at least 50 employees or an annual turnover or balance sheet total above €10 million, must determine their category and comply with the corresponding rules. Some organizations are in scope regardless of size: for example, the sole provider in a member state of a service essential to critical societal or economic activities, entities whose disruption could significantly affect public safety, security or health, public administration entities of central government, and providers of certain digital infrastructure such as public electronic communications networks and services, trust services, top-level domain name registries and DNS services.
CRITERIA
The core pillars of the NIS2 cybersecurity regulation
Incident management system
Create a comprehensive incident management system for timely detection, analysis, and response to cybersecurity events. Features should include automated alerts, classification of incidents, and detailed response strategies.
Supply chain security
Enhance supply chain security by regularly auditing and assessing third-party vendors. Ensure these vendors adhere to security standards and establish secure communication protocols.
Network security upgrades
Improve network security with advanced firewall technologies, intrusion detection and prevention systems, and continuous monitoring features to identify and mitigate unauthorized access or suspicious activities.
Access control mechanisms
Strengthen access control with multi-factor authentication, role-based access control, and enhanced privilege management to safeguard critical systems and data.
Data encryption
Encrypt sensitive data both in transit and at rest, using authenticated encryption (or encryption combined with separate integrity protection) so that both confidentiality and integrity are preserved; encryption on its own does not detect tampering.
Cybersecurity oversight committee
Form an executive-level committee to oversee cybersecurity measures, develop policies, and manage cybersecurity budgets.
Risk reporting & mitigation
Develop a structured mechanism for management to regularly report on cybersecurity risks, vulnerabilities, and mitigation strategies.
Penalties & incentives
Establish a framework of penalties for non-compliance and incentives for proactive cybersecurity risk management.
Cybersecurity compliance audits
Regularly conduct audits to evaluate management's adherence to cybersecurity policies and identify areas for enhancement.
Management training program
Introduce mandatory cybersecurity training for corporate management to increase awareness of cyber risks, best practices, and organizational cybersecurity policies.
Incident reporting platform
Utilize systems enabling suppliers, vendors, and customers to efficiently report all kinds of cybersecurity incidents.
Automated incident notifications
Set up an automated system for escalating alerts and notifications to relevant stakeholders, including the competent authority or CSIRT, within the prescribed timeframes. For a significant incident, NIS2 (Article 23) requires an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours, and a final report no later than one month after the incident notification was submitted.
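The reporting clock in NIS2 is not a single deadline: under Article 23(4) of Directive (EU) 2022/2555 the early warning (24 hours) and the incident notification (72 hours) both count from the moment the entity becomes aware of a significant incident, while the final report is due one month after the incident notification was actually submitted, so that last deadline cannot be fixed in advance. The following Python is an added example written for this page, not NordLayer code or any official tool; the incident identifier and all timestamps are constructed, and the calendar-month rule for the final report is an assumption about how "one month" is counted in practice.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Statutory windows from Article 23(4) NIS2 for significant incidents.
EARLY_WARNING_WINDOW = timedelta(hours=24)   # from becoming aware
NOTIFICATION_WINDOW = timedelta(hours=72)    # from becoming aware
# Final report: one month after the incident notification is submitted.


def parse_utc(iso: str) -> datetime:
    """Parse an ISO 8601 timestamp; naive values are treated as UTC."""
    ts = datetime.fromisoformat(iso)
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Calendar-month addition, clamping the day to the target month's length
    (assumption: 31 Jan -> 28 Feb rather than 'Feb 31' rolling into March)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    next_year, next_month = (year + 1, 1) if month == 12 else (year, month + 1)
    last_day = (datetime(next_year, next_month, 1, tzinfo=ts.tzinfo) - timedelta(days=1)).day
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass
class IncidentReporting:
    """Tracks the three Article 23 reporting stages for one significant incident."""
    incident_id: str
    aware_at: datetime
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

    def __post_init__(self) -> None:
        # Refuse naive timestamps: an off-by-timezone error can silently turn an
        # on-time 72-hour notification into a late one.
        for name in ("aware_at", "early_warning_sent", "notification_sent", "final_report_sent"):
            ts = getattr(self, name)
            if ts is not None and ts.tzinfo is None:
                raise ValueError(f"{name} must be timezone-aware")

    def deadlines(self) -> dict:
        """Deadline per stage; the final report has none until the notification exists."""
        return {
            "early_warning": self.aware_at + EARLY_WARNING_WINDOW,
            "incident_notification": self.aware_at + NOTIFICATION_WINDOW,
            "final_report": add_one_month(self.notification_sent) if self.notification_sent else None,
        }

    def status(self, now: datetime) -> dict:
        """Per stage: 'submitted', 'late' (sent after its deadline), 'overdue'
        (deadline passed, nothing sent), 'pending', or 'blocked' (final report
        cannot have a deadline before the notification is submitted)."""
        sent = {
            "early_warning": self.early_warning_sent,
            "incident_notification": self.notification_sent,
            "final_report": self.final_report_sent,
        }
        result = {}
        for stage, deadline in self.deadlines().items():
            ts = sent[stage]
            if deadline is None:
                result[stage] = "blocked"
            elif ts is not None:
                result[stage] = "late" if ts > deadline else "submitted"
            elif now > deadline:
                result[stage] = "overdue"
            else:
                result[stage] = "pending"
        return result


if __name__ == "__main__":
    # Constructed sample: awareness late on a Thursday evening (UTC).
    rec = IncidentReporting("INC-0001", parse_utc("2025-01-30T22:00:00+00:00"))
    rec.early_warning_sent = parse_utc("2025-02-01T01:00:00+00:00")   # 27 h later: late
    rec.notification_sent = parse_utc("2025-02-02T09:00:00+00:00")    # 59 h later: on time
    for stage, deadline in rec.deadlines().items():
        print(stage, deadline.isoformat())
    print(rec.status(parse_utc("2025-03-05T00:00:00+00:00")))
```

The useful property for a SOC is the "blocked" state: a dashboard that pre-computes all three deadlines from the awareness time will show a final-report date that is simply wrong, because the one-month clock only starts when the notification goes out.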
Incident response teams
Form specialized teams equipped with the necessary tools and expertise for prompt handling and containment of cybersecurity incidents.
Incident documentation & reporting process
Establish a detailed process for documenting incident details, responses, and post-incident analysis to enhance organizational learning and response improvement.
Incident classification guidelines
Develop clear guidelines for categorizing incidents based on severity and impact to ensure consistent reporting and effective response protocols.
Redundancy & backup
Implement data redundancy and backup strategies to maintain data availability and system resilience during and post-cyber incidents.
Business impact assessment
Conduct thorough assessments to identify key systems and processes critical for operations during cyber incidents.
Cyber incident response plan
Develop a comprehensive plan detailing step-by-step procedures for cyber incident management, including communication strategies, recovery tactics, and roles of crisis response teams.
Cybersecurity awareness training
Provide organization-wide training on the business continuity plan and employee roles in minimizing disruptions during cyber incidents.
Regular plan testing & drills
Periodically test and conduct simulated drills of the business continuity plan to identify gaps, enhance response efficiency, and ensure the plan’s ongoing effectiveness.
GUIDELINES
Minimum cybersecurity measures for NIS2 compliance
Risk management policies
Establish policies on risk analysis and information system security to effectively manage cybersecurity threats.
Incident handling plan
Implement a comprehensive plan for handling and responding to security incidents swiftly.
Business continuity
Ensure up-to-date backups, disaster recovery strategies, and crisis management for uninterrupted operations.
Supply chain security
Prioritize security in relationships with direct suppliers, assessing vulnerabilities and ensuring product cybersecurity.
System security lifecycle
Maintain robust security during network and system acquisition, development, maintenance, and vulnerability disclosure.
Effectiveness assessment
Incorporate policies and procedures to routinely evaluate the efficacy of cybersecurity risk-management measures.
Cyber hygiene training
Foster basic cyber hygiene practices through continuous employee cybersecurity training and awareness programs.
Cryptographic measures
Utilize policies on cryptography, ensuring appropriate use of encryption where relevant.
Access control & asset oversight
Define security procedures for employees accessing sensitive data, and maintain a comprehensive asset management strategy.
Advanced authentication
Implement multi-factor or continuous authentication solutions, secured communications, and encrypted emergency channels.
Network security
Protect networks and systems by securing architecture, dividing them into secure zones, restricting unauthorized access, and managing remote connections.
Ready for NIS2? Be prepared; don't be taken by surprise.
Every business can have a smooth NIS2 journey. Let NordLayer guide the way.
CONSEQUENCES
What if a company is not compliant with NIS2?
Companies failing to comply with the NIS2 Directive could face severe penalties ranging from non-monetary sanctions to substantial administrative fines. Additionally, top management personnel can be held personally accountable for non-compliance, emphasizing the significance of cybersecurity responsibility at an organizational level.
To shift responsibility for cybersecurity away from resting solely with IT departments, NIS2 makes top management personally accountable. In cases of non-compliance, authorities can make violations public, identify the natural and legal persons responsible, hold management liable for breach of their duties and, for essential entities where other enforcement measures have proved ineffective, temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions.
Under the NIS2, national supervisory authorities can enforce various non-monetary penalties. These could include compliance orders, binding instructions, orders for security audits, and mandates for threat notifications to an entity’s customers.
NIS2 sets different maximum fines for essential and important entities. For essential entities, member states must provide for administrative fines of a maximum of at least €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher. For important entities, the corresponding maximum is at least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. These are floors for the national ceilings, so the law of the member state that has jurisdiction may set higher amounts.
STEPS
Where to start your NIS2 compliance journey?
Embarking on the NIS2 compliance journey requires a structured approach. Here are five essential steps to guide your business to successful adherence.
Assess applicability & impact
Determine if NIS2 affects your organization. Understanding its relevance to your business ensures you focus on what truly matters. Highlight and prioritize your organization's critical services, processes, and assets for a targeted approach.
Elevate cybersecurity awareness
Secure top management support by raising awareness about NIS2 sanctions and fines. This includes dedicated training programs for leadership on cybersecurity risk management and the significance of a cyber-oriented culture.
Enhance security infrastructure
Implement a risk and information security management system (ISMS). Review and adapt the 10 mandated cybersecurity risk management measures of NIS2. This includes streamlining incident reporting, enhancing supply chain security, and establishing a robust business continuity plan.
Allocate resources effectively
Plan and budget accordingly, focusing on areas with the highest cyber risks. This involves allocating sufficient financial resources for cybersecurity endeavors, bearing in mind the stiffer penalties that NIS2 introduces for non-compliance.
Continuously monitor & adapt
Foster a culture of continuous improvement. Regularly assess and close security gaps, stay updated on expected security controls, and leverage expert guidance as needed. Ensure that your organization remains agile and adaptive in its compliance journey.
NordLayer: turning NIS2 challenges into achievements
In the era of expanding hybrid and remote work, adhering to regulatory standards at such a vast scale can seem daunting. As part of Nord Security, our primary mission is to deliver an expansive array of premium cybersecurity tools, empowering you to achieve, sustain, and surpass compliance standards.
NORDLAYER COMPLIANCE
Partnering with an industry standards leader
NordLayer is dedicated to regulatory compliance and protecting sensitive business data. Our systems boast ISO 27001 certification and pass the stringent SOC 2 Type 2 audit. We align with HIPAA Security Rules and utilize AES-256 encryption to ensure data security. Now, let us help you with your compliance.
Additional info
Frequently asked questions
When did NIS2 come into effect?
NIS2 entered into force on 16 January 2023, and member states had until 17 October 2024 to transpose it into national law; its obligations apply to entities from that date. Not every member state met the deadline, so check the status and specifics of the transposition in each country where you operate, since national laws may add sector-specific detail and their own fine ceilings.
Who does NIS2 apply to?
NIS2 applies to organizations in the covered critical sectors, generally those that are medium-sized or larger: at least 50 employees or an annual turnover (or balance sheet total) above €10 million. It extends beyond the original NIS Directive to sectors such as electronic communications, digital services, space, waste management, food, manufacture of pharmaceutical products, postal and courier services, and public administration. Certain entities are covered regardless of size, for instance where they are the sole provider in a member state of a service essential to society, where their disruption could significantly affect public safety, security or health, or where they operate critical digital infrastructure such as DNS services, top-level domain registries, trust services or public electronic communications networks.
How does NIS2 differ from the original NIS Directive?
NIS2 builds on the original NIS Directive by expanding its scope to cover more sectors and entities, introducing stricter compliance requirements, mandating cybersecurity training for management, increasing supply chain security obligations, enforcing mandatory incident reporting with fixed deadlines, and applying tougher penalties comparable to those of the GDPR.
Does NIS2 apply to companies outside the EU?
If your business is established outside the EU but serves the EU market, you must comply with NIS2 once you meet the criteria for a covered entity. In addition, non-EU providers of certain digital services (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre and content delivery network services, managed service and managed security service providers, online marketplaces, online search engines and social networking platforms) must designate a representative in one of the member states where they offer those services. The representative is your main point of contact for regulatory matters, and the member state where the representative is established has jurisdiction over you. Without a designated representative, any member state in which you provide services may take legal action against you for non-compliance with the Directive.
*Disclaimer. This article is provided for informational purposes only and should not be construed as legal or any other professional advice. The content herein is intended to offer general insights into regulation requirements and potential solutions. It does not provide a comprehensive overview of the law, nor does it address specific legal scenarios.
While we strive to present accurate and up-to-date information, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to the information, our products, our services, or related graphics contained in this article for any purpose. Any reliance you place on such information is, therefore, strictly at your own risk.
Our products may assist in compliance with certain cybersecurity regulations; however, their effectiveness can vary based on a multitude of factors, including but not limited to your specific circumstances, changes in law, and technological advancements. We recommend consulting with a qualified legal professional to understand how the regulations apply to your particular situation and how our products can aid in your compliance efforts.
In no event will we be liable for any loss or damage, including without limitation, indirect or consequential loss or damage, or any loss or damage whatsoever arising from loss of data or profits arising out of, or in connection with, the use of this article.
This article does not establish a client-professional relationship between Nord Security Inc. and the reader.