The NIS2 (Network and Information Security 2) directive has been in force since October 2024 across most EU Member States. If your company operates in a critical sector, you're likely affected — and penalties can reach €10 million or 2% of global annual turnover.
Who Is Affected by NIS2?
NIS2 distinguishes between two categories of entities:
Essential entities (critical sectors): energy, transport, banking, healthcare, water, digital infrastructure, public administrations. These entities are subject to active and proactive supervision.
Important entities: postal services, waste management, chemicals, food production, manufacturing, digital service providers. Reactive supervision in the event of an incident.
Small businesses are generally exempt if they have fewer than 50 employees and less than €10M in turnover — except if they operate in a critical sector or are key service providers for NIS2 entities.
The 10 Mandatory Measures (Article 21)
1. Information Security Policies
Document your security policy, define roles and responsibilities, update annually.
2. Incident Management
Procedures for detecting, analyzing, and responding to incidents. Mandatory notification within 24 hours for significant incidents, full report within 72 hours.
3. Business Continuity and Crisis Management
Business continuity plan (BCP), regularly tested backups, documented crisis management procedures.
4. Supply Chain Security
Risk assessment of your suppliers and subcontractors. Mandatory security contractual clauses.
5. Network and Information System Security
Network segmentation, perimeter protection, traffic monitoring. WarDek automatically scans your network exposure.
6. Policies and Procedures for Assessment
Regular security testing (vulnerability scans, audits), continuous risk assessment.
7. Basic Cybersecurity Hygiene Practices
Regular updates, password management (MFA mandatory for critical access), principle of least privilege.
8. Cryptography and Encryption
Encryption of sensitive data in transit (TLS 1.2+ minimum) and at rest. Secure cryptographic key management.
9. Human Resources Security
Regular employee awareness and training. Background checks for positions with privileged access.
10. Multi-Factor Authentication
MFA mandatory for all access to critical systems, remote access, and administrative interfaces.
Penalties
For essential entities: up to €10 million or 2% of global annual turnover. For important entities: up to €7 million or 1.4% of global annual turnover.
National cybersecurity authorities (ANSSI in France, BSI in Germany, NCSC in the Netherlands) are responsible for supervision and enforcement.
Management is personally liable: Article 20 requires governing bodies to approve cybersecurity measures and undergo training. In cases of serious non-compliance, directors can be temporarily banned from exercising management functions.
Compliance Timeline
National transposition timelines vary, but the general schedule is:
- October 2024: Directive enters force across most Member States
- April 2025: Member States must publish the list of essential and important entities
- October 2025: First inspections and enforcement actions by national authorities
- 2026+: Regular audits and effective sanctions
Each Member State designates one or more national CSIRTs (Computer Security Incident Response Teams). In France, CERT-FR fulfills this role under ANSSI supervision. In Germany, the BSI operates the national CSIRT.
Key Differences Between NIS1 and NIS2
NIS2 significantly expands the scope of the original directive:
| Aspect | NIS1 (2016) | NIS2 (2022) |
|--------|-------------|-------------|
| Sectors covered | 7 sectors | 18 sectors |
| Entities in scope | ~10,000 across EU | ~160,000 across EU |
| Maximum penalties | Varied by country | Harmonized (€10M / 2% turnover) |
| Incident notification | No precise deadline | 24h + 72h + 1 month |
| Management liability | Not specified | Personal (Art. 20) |
| Supply chain | Not covered | Explicit obligations |
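The staged notification timeline in the table above (24-hour early warning, 72-hour incident notification, final report one month later) is something an incident response team usually encodes in its tracking tooling so that no stage is missed during a live incident. The following is an added illustration, not code from the article or from WarDek: it computes the three deadlines from a timezone-aware detection timestamp and lists which stages are overdue at a given moment. The "one month" stage is treated here as the calendar month after the 72-hour notification deadline (an assumption for the example; month-end dates are clamped to the last day of the following month).

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone


def add_one_month(ts):
    """Return ts moved forward one calendar month, clamping the day to the
    last day of the target month (e.g. 31 Jan -> 28/29 Feb)."""
    year, month = ts.year, ts.month + 1
    if month > 12:
        year, month = year + 1, 1
    day = min(ts.day, monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(detected):
    """Deadlines for the three NIS2 reporting stages of a significant incident,
    counted from the moment the entity became aware of it."""
    if detected.tzinfo is None:
        # Deadlines are legally binding; never compute them from a naive clock.
        raise ValueError("detection timestamp must be timezone-aware")
    early_warning = detected + timedelta(hours=24)
    incident_notification = detected + timedelta(hours=72)
    # Assumption for this example: final report one month after the
    # notification deadline.
    final_report = add_one_month(incident_notification)
    return {
        "early_warning": early_warning,
        "incident_notification": incident_notification,
        "final_report": final_report,
    }


def overdue_stages(detected, now, submitted=()):
    """Names of stages whose deadline has passed without a submission."""
    return [
        name
        for name, due in reporting_deadlines(detected).items()
        if now > due and name not in submitted
    ]


if __name__ == "__main__":
    # Constructed sample: incident detected 1 March 2025 at 10:00 UTC.
    detected = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    for stage, due in reporting_deadlines(detected).items():
        print(f"{stage:22s} due {due.isoformat()}")
    now = detected + timedelta(hours=30)
    print("overdue:", overdue_stages(detected, now))
```

Feeding the tracker the timestamps your SOC actually records (detection time in UTC, plus the time each report was sent to the national CSIRT) gives an auditable record of compliance with the deadlines, which is the kind of documented evidence the directive expects.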
Practical Example: 80-Employee Food Manufacturer
A food manufacturing company with 80 employees and €15M turnover falls within NIS2 scope as an important entity. Its concrete obligations:
- Appoint a cybersecurity officer (even part-time)
- Conduct an initial security audit of all systems
- Deploy MFA on all administrator accounts
- Document the security policy and obtain board approval
- Identify and assess critical IT suppliers
- Test backup and disaster recovery procedures
- Train employees on basic cybersecurity hygiene
Estimated compliance cost for an SME of this size: between €15,000 and €50,000, depending on existing maturity level. A modest investment compared to the potential penalties.
Where to Start
- Assess your exposure: Run a WarDek scan to identify immediate technical vulnerabilities (security headers, TLS, exposed ports).
- Map your assets: Complete inventory of critical systems, data, and suppliers.
- Prioritize actions: Fix critical vulnerabilities before addressing organizational processes.
- Document everything: NIS2 requires proof of implemented measures, not just their existence.
WarDek's NIS2 checklist guides you through all 10 mandatory measures with a real-time compliance score.
Frequently Asked Questions
Does NIS2 apply to non-EU companies? Yes, if you provide services within the EU. Any entity operating in a covered sector within EU territory falls under the directive, regardless of where it is headquartered.
Can I self-assess or do I need an external audit? NIS2 does not mandate external audits for all entities. However, competent authorities can require audits at any time. Maintaining documented evidence of your security measures is essential regardless.
What if my country hasn't transposed NIS2 yet? The directive's obligations still apply once the transposition deadline passes. Courts can invoke the directive directly in cases of clear non-compliance, even before full national transposition.