The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation, replacing the original NIS Directive (Directive (EU) 2016/1148) from 2016. Member States had to transpose it into national law by 17 October 2024. It significantly expands the scope, strengthens requirements, and introduces stricter enforcement — including personal liability for management.
If your organization operates in the EU, or provides services there, in one of the sectors listed below and meets the size thresholds (or falls under one of the size-independent exceptions), NIS2 applies to you.
What Is NIS2?
NIS2 stands for the Network and Information Security Directive 2. It establishes a common framework for cybersecurity across EU member states, requiring organizations in essential and important sectors to implement appropriate security measures and report significant incidents.
Key changes from the original NIS Directive:
- Much broader scope — Covers more sectors and includes mid-size companies
- Stricter requirements — Mandatory risk management measures and incident reporting
- Management accountability — Senior management can be held personally liable
- Heavier penalties — Fines up to €10 million or 2% of global annual turnover
- Supply chain security — Organizations must assess and manage third-party risks
Who Does NIS2 Apply To?
NIS2 categorizes organizations into two groups:
| Category | Sectors | Size Threshold |
|---|---|---|
| Essential Entities | Energy, Transport, Banking, Financial market infrastructure, Health, Drinking water, Wastewater, Digital infrastructure, ICT service management (B2B), Public administration, Space (Annex I) | Generally large enterprises: 250+ employees, or turnover above €50M and balance sheet above €43M |
| Important Entities | Postal and courier services, Waste management, Chemicals, Food, Manufacturing, Digital providers (online marketplaces, search engines, social networks), Research (Annex II), plus medium-sized entities in the Annex I sectors | Generally medium enterprises: 50+ employees, or turnover and balance sheet above €10M |
Note: Some entities are covered regardless of size, including DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, and entities that are the sole provider of a service essential to society in a member state (Article 2(2)).
Key NIS2 Requirements
Article 21(2) specifies the minimum cybersecurity risk management measures that organizations must implement, following an all-hazards approach proportionate to the entity's risk exposure:
- Risk analysis and information system security policies
- Incident handling — Detection, response, and reporting procedures
- Business continuity and crisis management — Including backup management and disaster recovery
- Supply chain security — Managing risks from direct suppliers and service providers
- Security in acquisition, development, and maintenance of network and information systems — Including vulnerability handling and disclosure
- Policies for assessing effectiveness — Testing and auditing cybersecurity measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies, and asset management
- Multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication systems
Incident Reporting Under NIS2
NIS2 (Article 23) introduces a multi-stage reporting obligation for significant incidents — those that cause, or are capable of causing, severe operational disruption or financial loss, or that affect others by causing considerable material or non-material damage. All deadlines run from the moment the entity becomes aware of the incident:
| Stage | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have a cross-border impact |
| Incident notification | Within 72 hours of becoming aware | Update of the early warning, initial assessment of severity and impact, and indicators of compromise where available |
| Intermediate report | On request of the CSIRT or competent authority | Relevant status updates |
| Final report | Within 1 month of the incident notification | Detailed description including severity and impact, type of threat or root cause, applied and ongoing mitigation measures, cross-border impact where applicable |
If the incident is still ongoing when the final report is due, a progress report is submitted instead and the final report follows within one month of the incident being handled.
Business Continuity Under NIS2
Business continuity is explicitly called out in NIS2 (Article 21(2)(c)). Organizations must implement:
- Business continuity management procedures
- Backup management and disaster recovery
- Crisis management plans
- Regular testing and validation of continuity measures
This means having a robust BCP isn't just good practice — it's a legal requirement under NIS2.
Penalties and Enforcement
- Essential entities: Fines up to €10 million or 2% of total worldwide annual turnover (whichever is higher)
- Important entities: Fines up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher)
- Management liability: Management bodies must approve the risk management measures, oversee their implementation, and undergo cybersecurity training; they can be held personally liable for non-compliance, and for essential entities authorities can temporarily ban individuals at CEO or legal-representative level from exercising managerial functions (Articles 20 and 32)
- Supervisory powers: Authorities can conduct audits and on-site inspections, issue binding instructions, and temporarily suspend certifications or authorisations
NIS2 Compliance Checklist
- Determine if your organization falls under NIS2's scope
- Conduct a comprehensive risk assessment
- Implement the required security measures (Article 21)
- Establish incident detection and reporting procedures
- Develop business continuity and crisis management plans
- Assess and manage supply chain security risks
- Train management and staff on cybersecurity
- Document everything for audit readiness
- Submit your entity's identifying details to the competent authority in your member state (the registration procedure is set in national transposition law)
- Test and continuously improve your measures
How Sohvo Helps with NIS2 Compliance
NIS2 explicitly requires business continuity management, and that's exactly what Sohvo is built for. The platform helps you:
- Document critical processes — Map your essential services and their dependencies
- Assess risks systematically — Evaluate threats to your resources with structured risk analysis
- Build continuity plans — Define recovery strategies with RTO/MTD targets
- Track incidents — Log and manage disruptions with the built-in incident tracker
- Demonstrate compliance — Generate reports showing your continuity posture for auditors and authorities
