Further information on the NIS 2 Directive

Reading time: 5 minutes - Difficulty: advanced

Directive (EU) 2022/2555 of December 14, 2022 amends Regulation (EU) 910/2014 and Directive (EU) 2018/1972, and repeals Directive (EU) 2016/1148. These measures aim to safeguard essential services and critical infrastructure across all EU Member States following the implementation of the NIS 2 Directive in October 2024.

NIS 2 Directive recap

Let’s summarize the key information regarding the changes introduced by the NIS Directive 2 in comparison to its initial version:

  • It includes small and medium-sized enterprises (SMEs) in certain sectors within its scope, tasking Member States with identifying smaller entities with a high-risk profile. To find out if your company falls into one of the categories subject to NIS Directive 2, read the article above.
  • It requires individual companies to manage cybersecurity risks within the supply chain.
  • It enhances cooperation between companies and institutional bodies (such as ENISA, CSIRT, and CAN in Italy) by establishing a vulnerability database managed by ENISA. This database aims to bolster large-scale cyber crisis management efforts.

Regarding incident reporting, it’s crucial to find the right balance between promptness (to prevent the potential spread of attacks) and precision, ensuring that comprehensive reporting can serve as a valuable lesson for the future.

Businesses are required to submit an early warning to the CSIRT or the relevant national authority within 24 hours, with official notification to be received within 72 hours following the cyber incident.

Discussion on dates, penalties, and reflections regarding the objectives of NIS 2 Directive

Now, let’s explore some practical considerations for complying with the NIS 2 Directive, which is effective as of October 2024.

Regarding dates:

  • By October 17, 2024, Member States must have transposed the NIS 2 Directive.
  • The European Commission, ENISA, CSIRT, and cybersecurity experts designated by Member States are slated to conduct the initial review on methodology and organizational aspects on January 17, 2025. This review aims to identify potential enhancements to current security policies.
  • Member states are required to have established a list of critical and significant entities by April 17, 2025, and update this list at least every two years thereafter.
  • By October 17, 2027 (and every 36 months thereafter), the European Commission reviews the effectiveness of the NIS 2 Directive.


On the subject of sanctions, we know that:

  • Non-compliance by critical entities is subject to administrative sanctions of up to 10,000,000 euro, or 2% of annual turnover, whichever is higher.
  • Penalties of up to 7,000,000 euro, or equivalent to 1.4% percent of annual turnover, whichever is higher, are provided for significant entities.


When grasping the essence of NIS 2 Directive, it’s crucial to remember that the countermeasures expected from critical and significant entities will differ based on the probability of cyber incidents and the potential social and economic consequences they might entail.

To understand how to manage cyber risk through measures in accordance with Article 21 paragraph 2 of NIS 2 Directive, we can use the international standard IEC 62443-2-1. For instance, in Italy it is the National Cyber Security and Data Protection Framework references IEC 62443 as one of the possible application standards.


Read the article:


NIS 2 Directive and examples for subject areas

As previously mentioned, the Directive seeks to guarantee the resilience of essential services and digital infrastructures, prioritizing a risk-based approach to uphold the integrity and confidentiality of sensitive information.

While offering numerous benefits, the implementation of NIS 2 can also present challenges for organizations. Certainly, one of the main challenges is the complexity of compliance requirements, which can vary depending on the size, industry and characteristics of companies.

The costs and skills required for proper cybersecurity management could also be an obstacle, and this may be especially evident for SMEs. However, it is precisely the lack of protection that makes companies more vulnerable to cyber attacks, resulting in recovery costs that far exceed those for prevention.


A brief word on a few areas and the reason why NIS 2 considers them to be critical:

  • Cloud service providers

Cloud service providers encounter distinctive cybersecurity challenges, such as data breaches and unauthorized access to sensitive information. For this reason, the NIS 2 directive imposes an obligation to improve the resilience of such services.

  • The healthcare sector

The healthcare sector stores and processes large amounts of sensitive and confidential information, making this sector a prime target for cyber threats and attacks. Cybersecurity breaches in the health sector can have serious consequences, including compromising patient data, disrupting medical services and damaging the country’s reputation.

  • The energy sector

The energy sector is fundamental to the functioning of both society and the economy; and through appropriate security measures, regular risk assessments, and cooperation with stakeholders, the companies involved can safeguard the continuity of the energy supply.


Further information:


  • Industrial control systems

The fundamental role in the management and control of critical infrastructures and industrial processes means that the NIS 2 Directive imposes specific requirements and compliance obligations on organizations using industrial control systems to ensure their security and reliability.

  • IoT Devices

The primary risks associated with IoT devices include weak authentication, insecure communication protocols, and the absence of firmware updates. These factors serve as the foundation for enhancing cybersecurity in alignment with the NIS 2 Directive.


NIS 2 Directive, Governance and Training

Establishing effective governance is crucial for defining clear roles, responsibilities, and processes to manage cybersecurity risks within organizations.

NIS 2 Directive thus promotes the adoption of robust frameworks to uphold accountability, transparency, and compliance with standards. This entails developing cybersecurity policies, procedures, and controls that align with organizational objectives and regulatory mandates.

The Directive also advises companies to provide training for employees to ensure they grasp their roles and responsibilities in safeguarding against cyber threats.

An effective training program covers such aspects as phishing awareness, password security, and incident reporting procedures. The aim is for employees to actively engage in implementing cybersecurity practices, with the authority to effectively mitigate the risks associated with human error or negligence.


Do you need more information to prepare for the NIS 2 Directive?


Contact us

Do you want to help our page grow? Follow us on Linkedin


Conclusions on the expected effects of NIS 2 Directive

In general, NIS 2 marks a substantial advancement in enhancing governance throughout the EU, particularly as it fosters cooperation among Member States and advocates for coordinated incident response mechanisms.

It’s undeniable that accurately measuring the level of cybersecurity empowers organizations to track key performance indicators (KPIs) such as vulnerability resolution rates or training completion rates. This, in turn, contributes to a more secure digital future for everyone.


To get active in NIS 2, and achieve your compliance goalsrequest a consultation.


Any questions or comments?


Share us your feedback

Do you want to help our page grow? Follow us on Linkedin


Go back to the blog
Send this to a friend