New in the NIS2 Directive

Taking effect in October 2024, NIS2 aims to establish a higher level of cyber security and resilience within organizations of the European Union. The new Directive brings more sectors into scope and provides guidelines to ensure uniform ratification into law across EU member states. Organizations should start preparing by defining their compliance roadmap and optimizing their cyber security awareness. 


NIS2 in a Nutshell

The NIS2 Directive largely follows the same principles as NIS but with several important additions. NIS2 contains: 

  • More entities and sectors (industries) covered 
  • New methods of selection and registration 
  • New incident notification deadlines 
  • Greater accountability for management and personal responsibility 
  • Introduction of sanctions, like those included in GDPR 
  • Mandatory incident reports, also for so-called “near-misses” 
NIS2 Graphic
moving beyond nis

Extension of Scope

NIS2 divides entities into two categories: Essential and Important.

The difference between them lies not in which requirements they must meet, as these remain the same for both entities, but rather in which supervisory measures and penalties will apply. Essential entities will be required to meet supervisory requirements as of the introduction of NIS2 (proactive), while important entities will be subject to ex-post supervision, meaning that action is only taken if and when authorities receive evidence of non-compliance (reactive). 

NIS2 has simplified the scoping exercise that competent authorities have to go through to decide which organizations fall under the NIS2 umbrella. The National Cyber Security Centre (NCSC) defined a list of sectors and established a base rule that any large or medium entity from those sectors will be directly included in the scope. This does not necessarily exclude small or micro-organizations; member states can extend these requirements if an entity fulfills specific criteria as a key player in society, the economy, particular sectors or types of service. 


Essential entities

These entities are subject to immediate supervision (proactive).


Important entities

These entities are subject to ex-post supervision (reactive).


Large entity

The NCSC defines large entities as those with a headcount of over 250 or more than €50 million in revenue.


Medium entity

The NCSC defines medium entities as those with a headcount of over 50 or more than €10 million in revenue.

identify yourself

Registration of Essential & Important Entities

EU member states must identify the sectors in scope by April 17, 2025. Entities will then have to determine if their services fall within the scope of NIS2, identify the list of member states where they provide “in-scope” services, and register before the deadline in each member state. The registration will, at minimum, require entities to provide the following: 

  • Name, address and registration number 
  • NIS2 sector or sub-sector 
  • Updated contact details 
  • EU member states in which they operate 
  • The list of their assigned IP addresses 

The final registration process and list of information required will be defined as part of ratification of the Directive into law. 

Man on laptop with virtual identity cards displayed
Two male hands shaking in foreground with people in background
sharing knowledge across borders

Improved Cooperation

Another important element of the new Directive is improving cooperation among EU member states regarding cyber incidents and threats. The European Union Agency for Cybersecurity (ENISA) will be mandated to establish a European vulnerability disclosure database to facilitate knowledge sharing among member states. 

time is of importance

Incident Reporting

As already established for NIS, every member state will have a central point of contact for compliance with the Directive as well as a coordinating Computer Security Incident Response Team (CSIRT) or other competent authority for incident reporting. In Belgium, for example, this will be the role of the Centre for Cyber Security Belgium (CCB). 

The Directive encourages member states to simplify the incident reporting process by implementing a single entry point for incidents to reduce the administrative burden, including for cross-member state incidents. 

The CSIRT or competent authority must report such incidents to ENISA every three months using anonymized information. With this data, ENISA will then report on EU incidents every six months. This reporting process will help organizations and EU member states to learn from such incidents and is a crucial change in the new NIS2 Directive.

24 Hours

Within 24 hours of a significant incident, essential and important entities must issue an early warning and initial presumptions about the threat to their respective compliance authority or CSIRT.


72 Hours

After 72 hours, these entities must submit a full notification report containing an assessment of the incident, including its severity and impact and indicators of compromise.


1 Month

After 1 month, they must provide a final report.


More Than 1 Million Affected Through the Supply Chain

Recent incidents worldwide have proven the importance of continuity within critical supply chains, which is why NIS2 has introduced it as one of the key focus points. Entities will be responsible for addressing cyber security risks in their own supply chains as well as within supplier relationships. 

This requirement might indirectly influence many suppliers who do not fall directly under the scope of the new NIS2 Directive but might deliver services or products to an in-scope NIS2 entity. Hence, their customer might impose a minimal cyber security maturity on the supplier. The national authorities will not supervise the supplier regarding NIS2, but by their customer. So, even if your organization is not in scope, it might still have an impact depending on the services and sector. 

Woman with tablet in warehouse aisle
Man explaining something in a management meeting
Management Involvement

Management Accountability

Management accountability is yet another cornerstone of NIS2, as the new Directive will obligate management to take ownership of their organizations’ cyber security maturity level. This will include conducting risk assessments and approving risk treatment plans, meaning management must partake in cyber security training. The Directive also mandates organizations train their employees on cyber security risk and response.

Failure by management to comply with NIS2 requirements could result in serious consequences, including liability, temporary bans, and administrative fines as provided for in the implementing national legislation. 

Management bodies of essential and important entities must: 

  • Approve the adequacy of the cyber security risk management measures taken by the entity 
  • Supervise the implementation of risk management measures 
  • Follow training to gain sufficient knowledge and skills to identify risks and assess cyber security risk management practices and their impact on the services provided by the entity 
  • Offer similar training to their employees on a regular basis 
  • Be accountable for non-compliance 
cross-border compliance

Jurisdictional Complexity

Under the NIS2 Directive, essential and important entities fall under the jurisdiction of the EU member state where they provide their services. 

If the entity provides services in more than one member state, each of these member states have jurisdiction. For entities where the service is provided or is dependent on operations outside the EU, they should ensure that they can continue operating within the EU should their non-EU operations stop. 

People figurines over different EU countries on a map
avoid unnecessary costs

Stricter Penalties

NIS set down penalties for non-compliance by Operators of Essential Services (OES) and Digital Service Providers (DSPs), while NIS2 introduces stricter penalties for non-compliance by essential and important entities, including fines of up to 10% of an entity's annual turnover.

    • Essential entities

      Administrative fines of up to €10,000,000 or 2% of the total annual worldwide turnover in the previous fiscal year of the company to which the essential entity belongs, whichever amount is higher. 
  • Important entities

    Administrative fines of up to €7,000,000 or 1.4% of the total annual worldwide turnover in the previous fiscal year of the company to which the important entity belongs, whichever amount is higher. 


Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations.

Start your compliance journey now.