m@ksim.pro
Security

NIS2: the directive starts living in practice, not just in PDFs

What NIS2 enforcement means for companies operating in the European market: who is covered, what is required, and where to start.

The NIS2 directive (Directive (EU) 2022/2555) was adopted in December 2022. EU member states were required to transpose it into national law by 17 October 2024. That date has passed. Some countries have enacted their implementing laws, others are still completing the process, but wherever national law is in force the obligations are enforceable now - this is no longer a future threat, but a current requirement for those it covers.

For companies operating in Europe or holding supply chain relationships with European partners, this is not an abstract compliance question. It is an operational question with specific deadlines and specific consequences.

Who NIS2 covers

NIS2 significantly expands the set of organizations compared to the original NIS directive of 2016. It now covers organizations in 18 sectors (eleven "high criticality" sectors in Annex I and seven "other critical" sectors in Annex II) - including energy, transport, banking and financial market infrastructure, healthcare, digital infrastructure, manufacturing, food, chemicals, and others.

The classification runs along two categories: "essential" and "important" entities. Essential entities are, broadly, large organizations in the high-criticality sectors. Important entities are medium-sized organizations in those sectors, or organizations in the other critical sectors. The substantive requirements are the same for both, but the supervisory regime differs (proactive, ex ante supervision for essential entities; reactive, ex post supervision for important ones), and so do the maximum fines (up to EUR 10 million or 2% of worldwide annual turnover for essential entities, EUR 7 million or 1.4% for important ones).

Threshold criteria: the directive generally applies to medium-sized and larger enterprises in the covered sectors, meaning 50 or more employees, or annual turnover or balance sheet above 10 million euros. Smaller organizations are usually out of scope, but not always: certain providers (for example DNS service providers, TLD name registries, qualified trust service providers and public electronic communications providers) are covered regardless of size, and member states may designate additional entities where a disruption would have significant impact. Check the size cap and the sector list together, not one without the other.

What the directive requires

The key obligations fall into two blocks.

Risk management: organizations must take appropriate and proportionate technical, operational and organizational measures to manage cybersecurity risks. Article 21 lists the minimum set: risk analysis and security policies, incident handling, business continuity and crisis management, supply chain security, security in acquisition, development and maintenance of systems (including vulnerability handling), assessing the effectiveness of the measures, cyber hygiene and training, cryptography and encryption, access control and asset management, and multi-factor authentication and secured communications where appropriate.

Incident notification: requirements have become stricter and more specific. For a significant incident - an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of it, a fuller incident notification within 72 hours (with an initial assessment of severity and impact and, where available, indicators of compromise), and a final report within one month of that notification. The regulator may also request intermediate status updates. This is not "when we figure it out" - these are hard deadlines, and the 24-hour clock starts when you become aware of the incident, not when your investigation is complete.

Management accountability: NIS2 explicitly establishes top management responsibility for cybersecurity. Management bodies must approve the risk management measures, oversee their implementation, undergo training, and can be held personally liable for infringements. This cannot be fully delegated to the IT department.

Why the supply chain matters

If your company is not European but is a supplier to European organizations covered by NIS2, this affects you. The directive requires "essential" and "important" entities to manage cybersecurity across their supply chain, including the security of their relationships with direct suppliers and service providers. That means your counterparties will be asking questions about your security posture, sending questionnaires, and may require documentation and contractual commitments.

This is a change in market dynamics, not only in legislation.

Where to start

The first step is to determine whether you fall under NIS2 in the jurisdictions where you operate. This is a question for lawyers with knowledge of the specific national legislation.

The second step is to assess your current compliance gap. NIS2 does not invent anything fundamentally new - the Article 21 measures largely mirror what ISO 27001 and similar frameworks describe. If you have a mature information security program, the gap may be small. If not, it may be significant. Two items rarely fall out of an ISO gap analysis, though, and need to be checked separately: the reporting deadlines and the management accountability requirements.

The third step is to ensure that an incident notification process exists and that the 24-hour early-warning deadline is achievable. In practice that means deciding in advance what counts as a "significant" incident for your organization, knowing which national authority or CSIRT receives the notification and through which channel, and naming the person authorized to send it. This requires readiness in advance, not improvisation at the moment of the incident.

Four questions for self-assessment:

  1. Do you operate in a covered sector or work with counterparties that fall under NIS2?
  2. Do you have a documented incident response process with clear time constraints?
  3. Do you manage cybersecurity in the supply chain - or only within your own perimeter?
  4. Is top management explicitly involved in cybersecurity, rather than just delegating it?