NIS2

Network and Information Security Directive 2

Because NIS1 was apparently not enough to stop the ransomware wave

NIS2 is the EU's upgraded cybersecurity directive, replacing the original NIS Directive. It dramatically expands the scope of organisations that must take cybersecurity seriously — from energy and transport to healthcare, digital infrastructure, and even food production. If your organisation is essential or important to society, NIS2 has something to say to you.

Scope

Medium and large entities in 18 critical sectors (Annexes I and II). Member States may also include smaller entities if they're deemed critical. The directive uses two categories: essential entities (stricter oversight) and important entities (lighter touch, but still mandatory).

Geographic reach

EU-wide directive — each Member State transposes it into national law, so exact implementation varies. But the core obligations are consistent across the EU.

In effect since

18 October 2024 (Member State transposition deadline: 17 October 2024)

Purpose

To achieve a high common level of cybersecurity across the EU. The original NIS Directive was patchy — different countries implemented it differently, creating a cybersecurity patchwork quilt. NIS2 aims to make that quilt more of a uniform blanket.

Jump to your role:

Essential Entity

You operate in a sector of high criticality (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, or space. Your organisation likely has 250+ employees or €50M+ annual turnover. If your services stop, people notice immediately.

Your obligations

  • Implement cybersecurity risk management measures across at least 10 domains (Art. 21) — from incident handling to supply chain security
  • Report significant incidents to your national CSIRT/competent authority: early warning within 24 hours, full notification within 72 hours, final report within 1 month (Art. 23)
  • Ensure management body members receive cybersecurity training and approve risk management measures (Art. 20) — yes, the board needs to understand this
  • Implement supply chain security measures, including assessing your critical suppliers (Art. 21.2d)
  • Use encryption, multi-factor authentication, and secure communication where appropriate (Art. 21.2h–j)
  • Maintain business continuity plans, including backup and disaster recovery (Art. 21.2c)
  • Conduct regular security assessments and audits (Art. 21.2f)
  • Register with your national competent authority (Art. 3)

Key articles

  • Art. 3 — Essential and important entities
  • Art. 20 — Governance
  • Art. 21 — Cybersecurity risk management
  • Art. 23 — Reporting obligations
  • Art. 32 — Supervision of essential entities
  • Annex I — Sectors of high criticality

Pro tip

The 24-hour early warning deadline is no joke. Have a pre-drafted incident report template and a designated reporter who knows the process. Practise the reporting flow before you need it: the middle of a ransomware attack at 3 AM is not the time to work out how the CSIRT's portal works.

Important Entity

You operate in a critical sector (Annex II): postal services, waste management, manufacturing, chemicals, food, research, or digital providers (marketplaces, search engines, social platforms). Your organisation has 50+ employees or €10M+ annual turnover. You may not make headlines when you go down, but society would notice the gap.

Your obligations

  • Implement the same cybersecurity risk management measures as essential entities (Art. 21) — the 10 domains apply equally
  • Follow the same incident reporting timeline: 24h early warning, 72h notification, 1-month final report (Art. 23)
  • Ensure management body training and approval of measures (Art. 20)
  • Conduct supply chain due diligence (Art. 21.2d)
  • Maintain business continuity and crisis management plans (Art. 21.2c)
  • Register with your national competent authority (Art. 3)

Key articles

  • Art. 3 — Essential and important entities
  • Art. 20 — Governance
  • Art. 21 — Cybersecurity risk management
  • Art. 23 — Reporting obligations
  • Art. 33 — Supervision of important entities
  • Annex II — Other critical sectors

Pro tip

Don't let 'important' fool you into thinking the requirements are less serious. The obligations are identical to those of essential entities; the difference lies in supervision intensity and penalties. Still plenty of reasons to take this seriously.

Cybersecurity / Information Security Manager

You're the person responsible for implementing NIS2 requirements in practice. Whether your title is CISO, IT Security Manager, or 'the person who draws the short straw', you're the one translating the directive's requirements into actual security measures, policies, and incident response procedures.

Your obligations

  • Develop and maintain the cybersecurity risk management framework aligned with Art. 21's 10 domains
  • Establish incident detection, response, and reporting procedures that meet the 24h/72h/30d deadlines
  • Coordinate supply chain security assessments for critical third-party providers
  • Prepare and deliver cybersecurity training for management and staff
  • Conduct regular risk assessments, vulnerability scans, and penetration tests
  • Maintain and test business continuity and disaster recovery plans
  • Ensure technical measures: encryption, MFA, network segmentation, access control
  • Document everything — NIS2 supervision is evidence-based

Key articles

  • Art. 21 — All 10 risk management domains
  • Art. 23 — Incident reporting timeline
  • Art. 20 — Management body obligations

Pro tip

Build a compliance matrix mapping each Art. 21 domain to your existing controls. You'll probably find you're already doing 60–70% of what NIS2 requires — the challenge is documenting it, filling gaps, and formalising what's currently 'we sort of do this'.

How Euregas can help

Available tools

  • Incident management — track incidents with automated 24h/72h/30-day deadline reminders
  • Risk management measures (Art. 21) — structured assessment across all 10 required domains
  • Supplier assessment — 8-domain scoring system for evaluating third-party cybersecurity posture

AI-assisted features

  • Consultation wizard (nis2_scope) — 5-step guided assessment to determine if you're an essential or important entity
  • Semantic search across NIS2 articles and recitals

Note

Incident management and supplier assessment are manual structured workflows. AI assistance is available through the consultation wizard for scope determination.

All examples are fictional and for illustrative purposes only.