The NIS 2 Directive is an EU cyber directive that imposes security and risk management obligations on organizations operating in particular sectors. It has been implemented and is already operative in several EU member states. Organizations subject to the directive as implemented are required to self-register with local authorities, adopt cybersecurity management measures, implement training, and report cyber incidents within 24 hours.
Who must comply depends on sector, size, and EU establishment
NIS 2 applies to organizations that are considered “essential” and “important” entities. Both types of entities are in scope, but essential entities are subject to stricter enforcement and oversight obligations. Whether an entity is in scope of NIS 2, and whether it qualifies as essential or important, depends on three factors: (i) the entity’s activities in a “critical sector” or “highly critical sector”; (ii) except for some sectors, whether it employs more than 50 persons or has annual turnover and/or a balance sheet exceeding EUR 10 million, consolidated at group level; and (iii) the provision of services or carrying out of in-scope activities in the EU and, except for some sectors, establishment in the EU.
As a first step, an organization should check whether it provides services or carries out activities in any of the in-scope sectors in the EU. In-scope “highly critical sectors” include, for example, energy, transport, banking, health, digital infrastructure (such as cloud computing, data centers, and telecom), and ICT service management. In-scope “critical sectors” include, for example, postal services, chemicals, food manufacture/production/distribution, online marketplaces, online search engines, social networking services platforms, and research organizations.
If an organization has satisfied the first factor, it must check whether it meets the applicable “size” threshold. Importantly, the “size” of an entity is determined not only by the headcount and turnover/balance sheet of that entity, but also by taking into account the headcount and turnover/balance sheet of linked and partner entities at group level. If your organization has a local entity in a single EU country with a single employee and a modest annual turnover, but that entity meets the threshold of a medium-sized enterprise because it is part of a multinational group, the “size” factor is satisfied and the organization must comply with NIS 2. In limited sectors, entities are in scope independently of their size.
The third and final step in determining whether NIS 2 applies is to analyze whether an organization is established in the EU, and where. In principle, organizations are subject to the national legislation implementing the NIS 2 Directive in the EU member state in which the organization is established. However, the threshold for establishment is low. Organizations can be considered established in the EU on the basis of minimal stable arrangements, which could be as little as a single employee employed by a non-EU entity but permanently working in the EU. NIS 2 also applies extraterritorially for some sectors, such as the digital and IT managed services sectors. For such sectors, as soon as an organization provides services in the EU, even from outside the EU with no EU establishment, NIS 2 applies.
An example common to many multinational groups is a US parent company that provides IT managed services, such as an intragroup IT helpdesk, to its EU affiliates. According to some cybersecurity authorities, such provision of IT managed services to EU affiliates would subject the US parent company itself, and not only the local EU affiliates, to NIS 2 compliance. It does not matter that these intragroup services are ancillary to the company’s business and not its core business activity/sector.
How to comply
The main obligations for essential and important entities under NIS 2 are to (i) self-register with competent cybersecurity authority(ies) in the competent EU member state(s), (ii) adopt specific cybersecurity risk management measures, (iii) train management and employees on NIS 2, and (iv) notify relevant competent cybersecurity authorities and in some cases individual service recipients upon learning of a cybersecurity incident with “significant impact on service provision”. The details of what an organization must do in these four areas of compliance are found in each national law implementing NIS 2.
Registration requirements and deadlines vary by EU member state and by sector. If you do not have an establishment in the EU but are nevertheless subject to NIS 2 because you provide services in the EU in an in-scope sector subject to extraterritorial application, such as digital and IT managed services, you must appoint a local representative in one of the EU member states where you offer your services. This concept is similar to the requirement in Art. 27 of the GDPR. If your organization has affiliates in the EU, the affiliates are required to comply with NIS 2 as implemented in the countries where they are established, again save for specific sectors. For the telecom sector, you need to register and comply with the law of each EU member state where you provide services. For the digital and IT managed services sector, you only need to comply with the law of the EU member state of your main establishment in the EU, if you have establishments in the EU, or of your appointed representative, if you are not established in the EU.
Belgium is an EU Member State that quickly implemented NIS 2, and self-registration there started in December 2024 for some sectors. The Belgian authority recommends that entities tackle NIS 2 compliance in 7 steps. For more detailed guidance, see the CCB Safeonweb pages “Ready for NIS2?” and “NIS 2 Quickstart Guide”.
First, you should determine which entities are in scope for NIS 2 and in which EU member state. Second, you should register your in-scope NIS 2 entities with the competent authorities. This registration requirement applies simply by virtue of being subject to NIS 2, before any notifiable cybersecurity incident occurs. You register through online forms provided by the applicable local authority, where you must self-disclose your sector and size. Third, you should plan, and document, cybersecurity training. Then comes the technical work of implementing appropriate and proportionate cybersecurity risk-management measures. NIS 2 sets out a high number of “minimum measures”. For this step, the Belgian authority has developed a specific framework based on existing standards, called the “CyberFundamentals” framework (CyberFundamentals Framework | CCB Safeonweb), meant for IT professionals to understand and implement. This Belgian framework is currently being adopted by other EU member states and can therefore be leveraged for NIS 2 compliance across multiple EU jurisdictions. The Belgian authority also provides a tool that lets IT professionals compare NIS 2 requirements against other frameworks they are already familiar with, such as ISO 27001. You should also prepare your organization for the possibility of having to satisfy the cybersecurity incident reporting requirements at short notice. This preparation should include having templates and processes ready to meet the strict timelines for the multiple reports that are required.
When you are faced with a potentially reportable cybersecurity incident, you should determine whether it is an incident under NIS 2 and whether it has significant impact. An incident is “an event compromising the availability, authenticity, integrity or confidentiality of data stored, transmitted or being processed, or of services that networks and information systems offer or make accessible”. An incident is considered significant where it has a significant impact on the provision of the NIS 2 services and the incident (i) has caused or is capable of causing severe operational disruption to any in-scope services or serious financial loss to the entity concerned; or (ii) has affected or is capable of affecting other persons by causing considerable material, physical, or moral damage. If these tests are satisfied, the organization(s) is/are required to notify the competent authority(ies). In certain circumstances, individual service recipients must also be notified of incidents that have an impact on service provision. There are numerous notification obligations. An early warning must be submitted to the applicable authority without undue delay and in any event within 24 hours. An incident notification must then be submitted without undue delay and in any event within 72 hours. A final report must be submitted no later than 1 month after the submission of the incident notification or, if the incident is ongoing, a progress report and then a final report within 1 month of the incident being contained. The final report must include detailed information such as the root cause and the cross-border impact of the incident. Confidentiality rules apply to information transmitted during an incident, it being noted that information may be shared with other national and EU authorities.
NIS 2 also has requirements to ensure supply chain security. This NIS 2 obligation is often overlooked because the requirements on this topic are less prescriptive than other aspects of NIS 2. To satisfy the requirements, organizations subject to NIS 2 should at minimum implement a supply chain security policy, contractually impose information security requirements on their suppliers, perform appropriate audits, and keep a registry of their direct suppliers and service providers. Specific measures will depend on the sectors and national implementing laws. For the digital sector, see in particular the Commission implementing decision.
Finally, the cybersecurity work done by your organization should be assessed and validated. For this requirement, it matters whether you are an “essential” or an “important” entity. For essential entities, mandatory regular NIS 2 conformity assessments apply.
Sanctions and Remedies
In-scope entities are generally subject to the competence of the EU Member State where they are established, save for the exceptions outlined above with respect to the main establishment or representative.
Penalties for failure to comply with NIS 2 are up to EUR 10m or 2% of total worldwide annual turnover for essential entities and up to EUR 7m or 1.4% of total worldwide annual turnover for important entities, whichever is higher.
National authorities will also be able to issue warnings and order an in-scope entity to inform the natural or legal persons potentially affected by a significant cyber threat.
Senior management of an in-scope entity, such as board members, can be held personally liable for breach of the entity’s obligations under NIS 2.
Outlook
14 EU Member States have transposed the NIS 2 Directive and 13 are still in the process of doing so. Among the EU Member States that have already transposed NIS 2, the registration deadlines have already passed in Hungary, Belgium, Italy, Slovakia, Latvia, Greece, and Finland, and some countries have set specific penalties for failure to register. We have not yet seen any sanctions under NIS 2 in the EU Member States where it has been transposed. Currently, the local authorities seem focused on being helpful, answering questions and clarifying the scope of NIS 2, even where the registration deadline has already passed.