Understanding the NIS2 Directive to Ensure Compliance

NIS2 Directive: office towers with an overlay of digital locks.

The NIS2 directive introduces new security requirements for organizations operating within the European Union. For businesses, it is therefore essential to determine whether you are affected and, if so, how you can comply effectively.

Our cybersecurity experts explain everything you need to know about this directive and how to prepare for compliance.

Get support for your compliance

Quick Overview of the NIS2 Directive

Réponses aux questions fréquentes sur la loi Dora en cybersécurité.

What Is the NIS2 Directive?

The NIS2 Directive, adopted on December 27, 2022, is a major overhaul of the 2016 original NIS directive concerning European cybersecurity standards. This updated regulation extends the scope of NIS and aims to strengthen the security of networks and information systems while improving organizational resilience against cyber threats.

« The requirements laid down by the European directive encourage many entities to build a solid roadmap for deploying and strengthening their cyber defense resources, with the objectives of safer structural operation, greater confidence vis-à-vis their stakeholders and improved competitiveness for businesses. »

Vincent Strubel, Director General of the French National Agency for Information Systems Security (ANSSI)

Does the NIS2 Directive Apply to Your Business?

+1 000 entities targeted

+18 business sectors concerned

 

The directive applies to two categories of organizations: Essential Entities (EE) and Important Entities (EI). 

Businesses exceeding critical thresholds in terms of sales (10 million euros), headcount (more than 50 employees), or significant economic impact are the primary focus.

Refer to the table below to check if your organization needs to comply with NIS2 regulations. 

Effective Date of the NIS2 Directive

NIS2 came into force on January 16, 2023. EU member states had to transpose its directions into their respective national legislation by October 17, 2024. This is therefore a critical time for organizations to align their security measures with the new obligations.

Mandatory compliance for essential and important entities

Essential Entities (EE)

Important Entities (EI)

Public administration Public administration chemical manufacturing  Chemical manufacturing
drinking water Drinking water digital services providers Digital services providers
waste waterWastewater waste management  Waste management
energy Energy sector manufacturing industry Manufacturing industry
Aerospace Aerospace industry food production  Food production, processing and distribution
IT and communication services  IT and communications services research   Research
financial markets Financial market infrastructure postal and shipping  Postal and shipping services
digital infrastructure  Digital infrastructure
healthcare Healthcare
banking sector   Banking sector
transportation Transportation

 

 

Discover Our Dedicated Cybersecurity Offer for the Healthcare Sector

Explore our offer

Ensure Compliance with EU Cybersecurity Directives with Victrix

With our Scalable Security Operations Center we help organizations meet the highest cybersecurity standards (GDPR, DORA, NIS2, ISO 27001:2022)
Discover SEvOC

4 Key Obligations of NIS2 for Essential and Important Entities

1

Governance

Take direct responsibility for cybersecurity strategies and integrate them into the organization’s overall governance framework.
2

Cybersecurity Risk Management

Establish regular assessments to identify, analyze, and mitigate vulnerabilities.
3

Obligation to Inform

Report any significant cybersecurity incident within a maximum period of 24 to 72 hours.
4

Supply Chain Security

Ensure suppliers comply with equivalent cybersecurity standards.

Risks of Non-Compliance with NIS2

  • Fines up to 2% of global annual turnover
  • Implementation of mandatory corrective measures enforced by authorities
  • Suspension of critical activities until compliance is achieved
  • Reputational damage, leading to loss of customer and partner confidence

light bulb did you knowDid You Know?

10 Million Euros. This is the maximum fine you can face for non-compliance under NIS2.

Is Your Business NIS2 Compliant?

SEvOC: Your Partner in NIS2 Compliance

Victrix guides and supports essential and important entities in achieving NIS2 compliance. With a rigorous approach and certified GRC consultants, we guarantee customized compliance tailored to your business reality.

Compliance Audit

We identify your gaps concerning NIS2 requirements and propose customized recommendations based on the specific standards of your business sector.

Action Plan Development

Following the compliance audit, we work with your teams to define the necessary steps and accelerate the compliance process.

Implementation of Compliance Measures

  • End-to-end encryption (E2EE) for optimal data security
  • Action traceability to meet audit requirements
  • Strengthening resilience to improve incident and downtime management
  • Integration of reliable technological solutions for critical systems

Monitoring and Continuous Improvement

Implement regular monitoring and evaluation processes.

Start  your project with Victrix

 

Additional Information About NIS2

5 Main Goals of the NIS2 Directive

  1. Strengthen cybersecurity for critical networks
  2. Harmonize security standards across the EU
  3. Enhance cross-border cooperation and information sharing
  4. Address digital threats in businesses more effectively
  5. Increase digital trust and protect fundamental rights

 

6 Key Differences Between NIS (2016) and NIS2 (2022)

  1. Extended Coverage: Includes sectors related to Important Entities (EI).
  2. Stronger Obligations: Stricter security measures at all levels—technical, operational and organizational.
  3. Improved Collaboration: Increased emphasis on information sharing between Member States and competent authorities.
  4. Incident Reporting: shorter deadlines and more detailed information required.
  5. Stricter Enforcement: Stricter compliance mechanisms and higher fines for non-compliance.
  6. *NEW* Supply Chains Security: Entities must verify the level of cybersecurity of their suppliers.