NIS 2: Strengthening Europe’s Cyber Defenses

Morrison & Foerster LLP

European cybersecurity risk management and reporting obligations have received a substantial overhaul. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the EU (“NIS 2”) had to be transposed by Member States by October 17, 2024, and applies from October 18, 2024, the date on which it repealed the “NIS 1” Directive (2016/1148). NIS 2 affects a wide variety of organizations across multiple sectors, subjecting them to strict cybersecurity risk management requirements and imposing supervisory and enforcement measures.

Among other things, NIS 2 sets the baseline for cybersecurity risk management measures and reporting obligations across all covered sectors, which include energy, transport, the manufacture, production and distribution of chemicals, postal and courier services, healthcare, and digital infrastructure.

NIS 2 is one component in a suite of initiatives that form the EU’s Digital Decade strategy. This includes legislation such as the Digital Operational Resilience Act (DORA – see our previous alerts DORA Demystified: Dispelling 5 Myths for ICT Service Providers and DORA Decoded: Understanding Cybersecurity for the Financial Services Sector), the Cyber Resilience Act (CRA – see our previous alert), and the Cyber Solidarity Act, as well as high-level strategy documents. All of these seek to protect critical national infrastructure from cybersecurity threats, enhance operational resilience, and strengthen digital supply chains.

NIS 2 is a Directive, which means that it needs to be transposed in each EU Member State’s national law(s). Currently, not all Member States have completed their implementation (see our implementation tracker).

Broad scope

NIS 2 covers a number of regulated sectors and significantly expands the types of organizations that fall within these sectors by classifying relevant entities according to activity and size.

To assess whether they are in scope, organizations should first look at their activities and determine whether these fall within the covered activities. These include the energy, transport, and banking sectors, financial market infrastructures, health, manufacturers of certain critical products (for example, pharmaceuticals, medical devices, and chemicals), postal and courier services, food production and processing, and digital services (for example, social networking platforms, managed service providers, cloud computing, and data center services).

When engaged in a covered activity, entities will want to assess whether they meet the size and turnover thresholds for NIS 2 applicability. NIS 2 applies to entities that are of “medium size” or larger under the European Commission SME Recommendation (2003/361/EC), i.e., broadly, those with at least 50 employees, or with an annual turnover and an annual balance sheet total that each exceed €10 million. Because the SME Recommendation counts partner and linked enterprises, in a group structure the size/turnover test could potentially be assessed at group level. NIS 2 does, however, allow Member States to take into account the degree of independence of an individual entity from its affiliates, so the group-level approach is not automatic in every jurisdiction. Certain entities are in scope regardless of size, such as those whose services would significantly impact public safety, security, or health if disrupted.

Relevant entities are further subdivided into “essential” and “important” entities according to criticality. This is measured by reference to activity and size, with large entities (i.e., those with 250 or more employees, or with an annual turnover exceeding €50 million and an annual balance sheet total exceeding €43 million) involved in Annex I (highly critical) activities generally being deemed “essential” for the purposes of NIS 2. The distinction is, however, of limited importance as both essential and important entities are subject to the same cybersecurity risk management and reporting requirements, with the main difference being the supervisory and penalty regimes that apply to each (see below).

Stricter cybersecurity risk management

NIS 2 strengthens cybersecurity requirements imposed on organizations by:

  • Providing a minimum list of technical and organizational measures (Art. 21(1) and (2)). For example, organizations are required to implement policies on risk analysis and information system security, incident handling, and the use of cryptography and, where appropriate, encryption. The measures must be proportionate to the entity’s risk exposure, size, and the likely severity of incidents, so the measures expected of important entities may be less stringent than those expected of essential entities;
  • Requiring organizations to address cybersecurity risks in supply chains and supplier relationships (Art. 21(3)). For example, organizations are expected to consider the specific vulnerabilities of each supplier and the overall quality of suppliers’ products and cybersecurity practices; and
  • Introducing governance and accountability obligations for organizations’ management bodies (which in many cases will be the organization’s board). Management bodies must approve and oversee the implementation of the cybersecurity risk management measures, and must acquire the knowledge and skills needed to assess cybersecurity risks in the same manner as other company risks (e.g., financial risk, commercial risk). Member States must ensure that members of management bodies can be held personally liable for infringements of this provision.

Generally, the cybersecurity risk management requirements provided for by NIS 2 are formulated at a high level, which affords companies flexibility in addressing them. This makes it possible to leverage existing cybersecurity frameworks (such as ISO/IEC 27001 or the NIST CSF) to map against and identify potential gaps. Certain digital infrastructure and digital providers (including cloud, data center and managed service providers, DNS and TLD operators, and online marketplaces, search engines, and social networking platforms) are the exception: Commission Implementing Regulation (EU) 2024/2690 sets out in more detail how these organizations are expected to satisfy the cybersecurity requirements.

Reporting obligations

NIS 2 provides a streamlined reporting regime with tiered obligations. Incidents that have a significant impact on services (i.e., they have caused or could cause severe operational disruption or financial loss for the entity, or have affected or could affect other natural or legal persons by causing considerable material or non-material damage) must be reported to the relevant Computer Security Incident Response Team (CSIRT) or, where applicable, the competent authority in the following sequence:

  1. an early warning, without undue delay and in any event within 24 hours of becoming aware of the significant incident, indicating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact,
  2. an incident notification, without undue delay and in any event within 72 hours of becoming aware, updating the early warning and giving an initial assessment of severity and impact and, where available, indicators of compromise,
  3. an intermediate report with relevant status updates, upon request of the CSIRT or competent authority, and
  4. a final report, not later than one month after submission of the incident notification (where the incident is still ongoing at that point, a progress report is submitted instead, followed by a final report within one month of the incident being handled).

In addition, “where appropriate,” relevant entities must notify recipients of their services of any incidents likely to adversely affect the provision of the relevant service.

It should be noted that the NIS 2 reporting obligations can arise prior to disruption to an entity’s capabilities as the reporting obligations focus on the continuity of covered services. Whilst not every cyber incident will automatically lead to reporting obligations, incidents will generally need to be reported if the continuity of the covered services has been, or could be, materially compromised. Here too, the thresholds have been quantified in greater detail for digital service providers than for other covered entities.

Supervision and enforcement

NIS 2 expands the supervisory powers held by authorities, introducing high fines (with minimum ceilings set at the EU level) for pertinent breaches and providing significant avenues of scrutiny.

Different penalty regimes apply to important and essential entities. Essential entities are subject to a maximum fine of at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher, for breaching cybersecurity risk management measures or reporting obligations. Important entities are subject to a maximum fine of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for similar infringements.

With important entities, supervisory authorities can only assess compliance after there is evidence or indication of non-compliance. In contrast, supervisory authorities can assess an essential entity’s compliance through certain measures at any time, including by conducting inspections and making information requests. We note that so far, the general approach adopted by supervisory authorities has been to focus on raising the collective cybersecurity bar, rather than rushing to immediately prioritize enforcement and scrutiny against relevant entities.

What’s next?

Member States were given until October 17, 2024, to transpose NIS 2 into national law. However, implementation has been slow: only four Member States met the 2024 deadline and over ten were yet to transpose as of June 2025. This divergence has caused uncertainty for entities operating in countries where NIS 2 is yet to come into effect.

As more national laws are implemented, further deviations may be inevitable and thus leave many questions about NIS 2 implementation without immediate or straightforward answers. We have assessed the practical implications of some questions in our client alert. Despite this uncertainty, it is clear that NIS 2 will act as the main lever through which the collective bar of cybersecurity and cyber resilience is raised across the EU. 


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Morrison & Foerster LLP
