
What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity law strengthening the protection of critical and digital services.
It expands the scope of the original NIS Directive, introduces stricter security and incident-reporting obligations, and holds management bodies accountable for compliance.
Member States had to transpose NIS2 into national law by 17 October 2024, and the national rules apply from 18 October 2024. The Directive sets a common minimum level of cybersecurity across all EU Member States; national transposition may go further.
More Affected Sectors
NIS2 expands the scope of the original NIS Directive from 7 sectors to 18: 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II), covering a wider range of essential and digital services.
Stricter Requirements
The Directive introduces tighter cybersecurity and incident-reporting obligations, ensuring stronger protection and accountability.
Stronger Enforcement
Non-compliance may result in significant administrative fines, and members of management bodies can be held liable for infringements (Article 20).
Are you impacted by NIS2?
The NIS2 Directive introduces tougher cybersecurity rules for organizations in critical sectors.
By 17 April 2025, EU Member States must establish a list of all essential and important entities, and review it regularly and at least every two years (Article 3(3)).
NPS Consult Group helps businesses assess compliance, strengthen cyber resilience, and avoid penalties.
NIS2 now applies to 11 sectors of high criticality (Annex I) and 7 other critical sectors (Annex II) across the EU.
Does NIS2 Apply to Your Organization?
You fall under the NIS2 Directive if your organization provides services in one of the sectors listed in Annex I or Annex II of the Directive and is at least a medium-sized enterprise (Article 2(1)). Large entities in Annex I sectors are in general classified as essential entities; other in-scope entities are classified as important entities (Article 3).
Exceptions
Small and micro organizations may still be classified as essential or important regardless of size, for example if they are the sole provider of a service essential to society or the economy, or if a disruption of their service would have a significant impact on public safety, public security or public health (Article 2(2)).
Category | Employees | Annual turnover |
Medium entity | ≥ 50 | > €10 million |
Large entity | ≥ 250 | > €50 million |
The size categories follow Commission Recommendation 2003/361/EC, which also takes the annual balance sheet total into account.
Sectors of high criticality (Annex I)
Energy
Transport
Banking
Financial market infrastructure
Health
Drinking water
Wastewater
Digital infrastructure
ICT service management (business-to-business)
Public administration
Space
Other critical sectors (Annex II)
Postal and courier services
Waste management
Manufacture, production and distribution of chemicals
Production, processing and distribution of food
Manufacturing (including medical devices, electronics, machinery and vehicles)
Digital providers (online marketplaces, online search engines, social networking platforms)
Research organizations
Penalties for NIS2 non-compliance
Essential entities
Administrative fines of up to €10,000,000 or 2% of the total annual global turnover, whichever is higher.
Important entities
Administrative fines of up to €7,000,000 or 1.4% of the total annual global turnover, whichever is higher.
Jurisdictional Complexities
Under NIS2 (Article 26), entities generally fall under the jurisdiction of the Member State in which they are established. Providers of public electronic communications networks or services fall under the jurisdiction of each Member State where they provide services, and certain digital infrastructure and digital providers (such as DNS, cloud, data centre and managed service providers) fall under the jurisdiction of the Member State of their main establishment in the EU. Organizations established in several Member States are therefore supervised by several competent authorities. Entities that depend on operations outside the EU should ensure their EU services remain functional if those external services are disrupted.
Cybersecurity risk management measures
The NIS2 Directive requires all essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of the network and information systems they use, and to prevent or minimise the impact of incidents on their services (Article 21(1)).
These measures must follow an all-hazards approach, cover the systems throughout their lifecycle, and be proportionate to the entity's risk exposure, size, and the likelihood and severity of incidents. The minimum set of measures is listed in Article 21(2), points (a) to (j).
Such measures must include at least:
Policies on risk analysis and information system security
Incident handling
Business continuity (backup management, disaster recovery) and crisis management
Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers
Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
Basic cyber hygiene practices and cybersecurity training
Policies and procedures regarding the use of cryptography and, where appropriate, encryption
Human resources security, access control policies and asset management
Use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate
Your Path to NIS2 Compliance
Get the right level of support to assess, improve, and secure your organisation. Choose the tier that matches your needs and maturity.
Basic
Foundational security and minimal compliance
- Asset inventory and management
- Basic policies and compliance
- Core protection
Important
Enhanced coverage and continuous process
- Monitoring and detection
- Structured governance
- Risk management
- Secured supply chain
- Strengthened awareness
Essential
Total protection and proactive risk management
- Continuous improvement
- Advanced automation and detection
- Incident response and recovery
- Proactive security
- Comprehensive governance
- Organizational resilience
