New NIS2 Directive: Updated Rules to Strengthen Cybersecurity

Cyberattacks are becoming more frequent and increasingly sophisticated. The incidents in 2022 made clear that cyberthreats such as ransomware, phishing, and business email compromise do not discriminate between small, medium and large enterprises. The trend toward supply chain attacks—where cybercriminals target suppliers in order to infiltrate their customers’ networks—has intensified, with high-profile compromises such as the SolarWinds breach. In 2020, SolarWinds, a company providing network management and IT security software, disclosed that attackers had compromised its Orion software. The breach allowed malicious updates to be distributed to numerous client organizations. By inserting malware into updates for SolarWinds Orion, attackers were able to compromise networks across many private firms and public agencies that used the product. This widely publicized incident was labeled a “supply chain attack” because it exploited users’ trust in software updates from a reputable vendor. The SolarWinds event had far-reaching consequences and exposed weaknesses in the software supply chain, prompting many organizations to strengthen their security measures. Rather than attacking companies directly, cybercriminals increasingly exploit subcontractors and suppliers to gain easier access to customer networks. All companies are now vulnerable. Small and medium-sized enterprises are 4.5 times more likely to fall victim to cyberattacks than larger organizations combined. They are often targeted with malware that can encrypt critical systems and destroy backups—an approach that has led to business collapse in some of the most severe cases. This underscores the importance of preparedness across all organizations.

Against this backdrop, the NIS2 Directive (the Directive on the security of network and information systems) represents a major development aimed at strengthening the protection of digital infrastructure across Europe. NIS2, the successor to the original NIS Directive, is one of several major initiatives intended to create a more robust and harmonized framework for network and information security. The new directive has prompted extensive debate about its reach and implications. What will it mean for companies and public administrations within the EU?


What is the NIS2 Directive?

The NIS2 Directive (Network and Information Systems Security, version 2) is an EU directive designed to harmonize and strengthen cybersecurity across the EU. As the successor to the original NIS Directive, it introduces new measures to ensure a high level of security for network and information systems. NIS2 was adopted in January 2023, and EU member states have a defined period to transpose the directive into national law.

Who is affected by NIS2?

NIS2 covers a broad range of sectors and applies to private companies, public administrations and other entities operating within the EU. One strategic aim of the directive is to expand the scope to include essential service providers and digital service providers operating in sectors deemed critical to the economy and society. NIS2 will cover providers of public electronic communications, digital services—such as social networking platforms and data center services—and healthcare services, including entities involved in medical devices, biosciences, pharmaceutical research and development, and manufacturers of medical equipment.

NIS2 primarily distinguishes two categories of entities:

Operators of Essential Services (OSE) / Essential Entities (EE): These are organizations that provide services essential to society and the economy, including energy, transport, healthcare, banking and financial services, water, digital infrastructure and other digital services.

Digital Service Providers (DSP) / Important Entities: These are businesses or organizations that deliver digital services such as cloud services, online platforms, search engines, e‑commerce services and similar offerings. They fall under the directive if they meet specific threshold criteria regarding user numbers or economic value.

Under NIS2, an entity is classified as essential or important based on two criteria:

  • Size of the entity (number of employees, turnover, annual balance sheet total);
  • Criticality to the economy: the nature and importance of the services provided by the entity.

What are the main changes compared with NIS1?

NIS2 introduces several significant changes relative to the original NIS Directive, including:

  • Wider scope: NIS2 broadens the directive’s reach to cover a larger set of sectors and digital service providers, bringing new categories of organizations under cybersecurity obligations.
  • Stronger security requirements: The directive imposes enhanced security measures, including stricter preparedness and incident response requirements and more demanding reporting obligations.
  • Security scoring: NIS2 introduces a security scoring mechanism to evaluate the resilience of covered entities, enabling authorities to identify organizations with varying levels of cybersecurity maturity.

NIS2 places multiple new obligations on affected entities. Key technical, organizational and operational measures must be implemented by essential and important entities, including:

  1. Supply chain security obligations. Organizations must ensure information security across the entire supply chain. This requires suppliers, subcontractors and partners to adhere to appropriate security standards.
  2. Incident reporting obligations. Security incidents that significantly affect the continuity of essential services must be reported to competent authorities within defined timeframes.
  3. Management accountability. Senior management must ensure that security policies and procedures are implemented, maintained and periodically reviewed.

What measures must companies and local authorities take to comply?

Companies and local authorities will need to strengthen security standards, set up incident reporting mechanisms, and likely conduct risk assessments and security audits. They should also coordinate closely with relevant national authorities.

Implementation of concrete cybersecurity measures:

  • Perform risk analyses and establish security policies for information systems. Each entity should review its organizational structure to assess cyber risk;
  • Implement incident management processes;
  • Develop business continuity (BCP) and disaster recovery plans (DRP) to preserve operations during and after incidents, including proper backup handling and crisis management;
  • Ensure secure acquisition, development and maintenance of networks and information systems;
  • Regularly evaluate cyber risk management measures;
  • Adopt cryptographic policies and techniques to protect sensitive information;
  • Establish asset management and access control policies to enforce least-privilege access and prevent unauthorized intrusion;
  • Train employees in cyber hygiene and best practices, embedding these across the organization;
  • Deploy multi-factor authentication (MFA) and strong authentication mechanisms to enhance access security;
  • Comply with any national notification requirements, such as issuing an initial alert to the competent authority within 24 hours in the event of a security incident where applicable.

What are the risks of non-compliance?

Organizations that fail to comply with NIS2 face financial penalties. The directive establishes fines for non-compliance: for certain categories, penalties may reach up to 10 million euros or 2% of global annual turnover, and for other categories up to 7 million euros or 1.4% of global annual turnover. If a breach of NIS2 also amounts to a personal data breach under data protection rules, the interaction between frameworks will be handled according to applicable law; authorities assess each case based on the circumstances. In addition to fines, non-compliant organizations may be held liable for operational or financial losses resulting from security incidents. Member states must transpose NIS2 into national law by October 2024 at the latest, and some countries may accelerate implementation by building on their existing NIS1 frameworks.

Accountability of top management

NIS2 places clear responsibility on an organization’s top management. Executives must take an active role in cybersecurity governance and ensure appropriate measures are in place to protect networks and information systems.

Raising awareness across teams and leadership

Cybersecurity awareness is essential for NIS2 compliance. Organizations must invest in educating staff to recognize and prevent cyberthreats, while ensuring that management understands the strategic importance of cybersecurity and regulatory compliance.

The NIS2 Directive represents a major milestone in strengthening Europe’s cybersecurity posture. Organizations and local authorities should take immediate steps to align with the new requirements, boost resilience against cyberattacks and prevent security incidents. Compliance helps avoid significant financial penalties and protects an organization’s reputation and trust. A range of resources—such as national guidance from competent authorities—can assist organizations in meeting NIS2 obligations, and specialized cybersecurity service providers can offer practical support.

Email security solutions form a key component of any NIS2 compliance strategy because email remains a primary attack vector. Security services that filter phishing, ransomware and malware can block malicious messages before they reach users’ inboxes and play an important role within a wider security program. However, full compliance requires a holistic approach to information security and risk management across the entire organization.