What Is the NIS2 Directive, and What Are the Minimum Requirements?

Published on: January 23, 2024 | Reading time: 4 min.
Written by Jakob Krabbe Sørensen, Attorney and Head of Legal Product, ComplyCloud

Want our step-by-step guide for NIS2 compliance?

Find it in our free NIS2 playbook.

[Updated July 2025]

Phishing attacks. Ransomware. Data breaches. Spoofing. Human errors resulting in exposure.

The NIS2 Directive is both a response to this new cyber threat landscape and a necessity created by it. But what is the NIS2 Directive all about? And how do you comply with it?

We’ll tell you the answers here.

What is the NIS2 Directive?

NIS is short for Network and Information Security.

It’s an EU directive that defines a set of rules aimed at strengthening the overall level of cybersecurity in the EU – especially to protect critical infrastructure – and at harmonising those rules across member states.

The first NIS Directive, adopted in 2016, marked a significant milestone as the first EU-wide legislation dedicated to cybersecurity.

Several years down the line, the digital landscape has witnessed a big rise in threats, largely due to rapid digitalization and a notable surge in cyberattacks.

This has led to the development and finalization of the NIS2 Directive in 2022.

As a successor to the original NIS Directive, NIS2 seeks to address these emerging challenges by expanding its scope to cover a broader range of sectors.

As an example, this means that an EU country like Germany would go from 1,800 organizations covered by NIS1 to 29,000 organizations covered by NIS2.

NIS2 also introduces stricter compliance requirements and enhanced security protocols. This is to ensure a more resilient and secure digital infrastructure across the EU.

Every EU member state had to transpose the NIS2 Directive into national law, with the national rules applying from October 18, 2024.

Through these national laws, EU member states were to oblige covered organizations to meet the minimum requirements in NIS2. These cover 3 areas:

#1: Requirements for adequate security

You must ensure that you implement an appropriate level of security and, as a minimum, comply with these 10 requirements for technical, operational, and organizational measures:

  • Policies on risk analysis and information system security
  • A plan for handling incidents
  • Business continuity, such as backup management and disaster recovery, and crisis management
  • Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  • Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  • Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • Basic cyber hygiene practices and cybersecurity training
  • Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • Human resource security, access control policies, and asset management
  • The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where relevant.

#2: Awareness and training of management, board members, and key employees

To be compliant with NIS2, your management, including the board, must undergo training. It’s also management's responsibility to ensure that ongoing awareness and training are offered to other employees, especially key employees such as the IT department.

This is to ensure that they get the knowledge and skills they need to identify risks. And to ensure that they can assess cybersecurity risk management practices and their impact on the services that your company offers.

#3: Reporting of incidents to the authorities

NIS2 takes a multi-step approach to incident notification. The aim is to balance rapid reporting, which helps prevent incidents from spreading, against in-depth reporting, from which valuable lessons can be learned.

Covered entities have:

  • 24 hours to submit an early warning
  • 72 hours to submit an incident notice
  • One month to submit a final report.

Wrap-up

With the legal details and minimum requirements in place, you’re ready to put it all into practice and reach NIS2 compliance.

You can do this by following the 8 steps in our NIS2 playbook.

Last updated: July 31, 2025 | Category: NIS2