Home » Compliance » NIS2 Directive Explained: Prepare for the Future
NIS2 directive explained in detailed

NIS2 Directive Explained: Prepare for the Future

The NIS2 Directive was proposed by the European Commission in December 2020 to create a common level of cybersecurity across the union. NIS2 stands for Directive on Measures for Network and Information Security. In tandem with the Cyber Resilience Act, the NIS2 directive is poised to shape the future of cybersecurity in Europe. 


This post will talk about the impact of the NIS2 directive on various sectors, discuss how businesses can prepare for the changes, and most importantly, it will help business users wrap their heads around the topic with minimal effort.

What is the NIS2 Directive? 

The NIS2 Directive (Directive (EU) 2022/2555) is a European Union legislative act that aims to establish a high common level of cybersecurity for entities operating in the European Union.

It primarily targets essential services like energy, transport, water supply, digital infrastructure, public administration, finance, etc. along with other important sectors like food, postal services, and digital service providers. Its goal is to ensure the implementation of robust risk management measures for network and information systems. And it mandates the immediate reporting of security incidents.

EU member states have until October 2024 to translate NIS2 into national law. In effect, companies that the NIS2 covers have until the same time to build compliance through the continuous enhancement of their cybersecurity capabilities.

💡To learn more about cyber regulations in Europe, we’ve provided a detailed list here.

The Timeline of the NIS2 Directive

December 2020NIS2 is proposed by the European Commission
November 2021European Parliament adopts its negotiating position
December 2021 – February 2022Trilogue negotiations between Parliament, Council, and Commission commence
February 2022Political agreement is reached
May 2022European Parliament votes to adopt NIS2
November 2022NIS2 is officially published in the EU Official Journal
January 2023NIS2 Directive comes into effect
October 2024Deadline for EU member states to transpose NIS2 into national law

NIS2 Directive: Key Requirements in Short

  • Risk Management
    • Implement strong incident management plans.
    • Secure your supply chain.
    • Enhance network security measures.
    • Implement stricter access controls.
    • Encrypt sensitive data.
  • Corporate Accountability:
    • Management oversees and approves cybersecurity plans.
    • Management receives cybersecurity training.
    • Potential penalties (liability, bans) for management in case of breaches.
  • Reporting Obligations:
    • Mandatory reporting of major cyber incidents impacting services.
    • Strict timelines for notification (e.g., 24-hour “early warning”).
  • Business Continuity:
    • Develop a plan for service restoration after cyber incidents.
    • Establish emergency procedures for response.
    • Create a crisis response team.

NIS2 minimum requirement breakdown

This NIS2 site has broken down 10 minimum requirements for businesses to comply with the new NIS directive. 

1. Risk assessment policies 

Organizations must establish clear and comprehensive risk assessment policies. This includes identifying vulnerabilities in their systems, monitoring potential attack surfaces, and conducting regular security audits.

2. Evaluation of security measures 

Businesses need to have procedures in place to regularly evaluate the effectiveness of their existing security measures. This allows for continuous improvement and adaptation to evolving threats.

3. Encryption & Cryptography Standards 

The NIS2 Directive mandates the use of encryption wherever relevant. This will impact the security of data in transit and at rest across and within organizations. 

4. Incident Response Plan

A clear and documented plan of action is critical for successful computer security incident response. According to NIS2, this plan should outline procedures for detection, containment, eradication, and recovery in the event of a cyberattack.

5. Secure System Procurement & Development

Organizations must have policies for secure procurement, development, and operation of information systems. This includes procedures for identifying and reporting vulnerabilities in acquired systems.

6. Cybersecurity Training & Hygiene

The observation of security best practices can thwart a lot of tragedies. Hence, organizations should establish protocols for basic computer hygiene and train all employees to abide by best practices.

7. Data Access Controls 

The principle of least privilege combined with strict access control measures must be employed. Companies should maintain an inventory of all relevant assets and monitor how they are accessed and handled. identity management tools like Uniqkey can make a great difference in this regard.  

8. Business Continuity Planning 

Up-to-date backups and a plan to regain control of critical IT systems during and after security incidents are key to business continuity planning. Having this plan in place is essential for NIS2 compliance. 

9. Multi-factor Authentication 

Organizations should leverage multi-factor authentication and other advanced solutions (continuous authentication, voice/video/text encryption) where appropriate to strengthen access control and communication security.

10. Supply Chain Security Management

The NIS2 Directive emphasizes the importance of securing the supply chain. A holistic view of overall supply chain security risk is required.

Comparing NIS2 and NIS1

FeatureNIS1 (2016)NIS2 (2022)
GoalBasic level of cybersecurity for essential servicesA high common level of cybersecurity for essential and important entities
ScopeLimited to operators of essential services in specific sectors (energy, transport, etc.)Expands to include additional sectors (waste, postal services, etc.) and important entities (e.g., online marketplaces)
Security RequirementsLess stringent, focused on risk management principlesMore prescriptive, outlining specific baseline measures (encryption, incident response plans)
Incident ReportingLess specific reporting obligationsStricter reporting requirements, mandating reporting of significant incidents within 24 hours
EnforcementWeaker enforcement mechanismsStronger enforcement with the potential for significant fines for non-compliance

Sectors in the EU covered by the new NIS directive

Sectors covered in NIS2
Image source: EY

Sectors covered by NIS2 are divided into two categories. 

  1. Category one: Essential entities
  2. Category two: Important entities

Essential entities include Energy, health, transport finance, water supply, digital infrastructure, space, and public administration.

Important entities include digital providers, postal services, waste management, food, manufacturing, chemicals, and research.

Both the essential and important entities are critical to the survival of the European economy and companies in both categories are liable to comply with the directive. The essential entities, however, have received a higher criticality rating. 

Essential Entities under the NIS2 Directive Across the Union

SectorAnnual Economic ImpactWorkforce (Millions)Key Security Risks
Energy€250 Billion1.6Supply Chain Risks, Interconnected Systems, Aging Technology, Advanced Persistent Threats, ICS Vulnerabilities
Health€1073 Billion14.3Lack of Standardization, Aging Technology, Sensitive Information, Insufficient Resources, Interconnected Systems, Lack of Employee Training
Transport5% GDP10Ransomware Attacks, Threats to Safety Systems, Limited Investment in Security, Connected Devices
Finance€197 Trillion Payments2Phishing, Website Spoofing, Ransomware Attacks, DDoS, Social Engineering, Supply Chain Attacks
Water SupplyUnspecified1.5Legacy Systems, Third-Party Risks, Limited Resources, Physical Threats, Insider Threats
Digital Infrastructure (Data Centers)€85.4 BillionUnspecifiedRansomware Attacks, Third-Party Challenges, Physical Security, Lack of Personnel, Compliance Issues
Public Administration22.1% GDPUnspecifiedRansomware Attacks, Phishing Attacks, State-Sponsored Attacks, Lack of Awareness, Large & Complex Systems, Limited Resources
SpaceUnspecifiedUnspecifiedSophisticated Cyberattacks, Supply Chain Risks, Human Error

The potential impact of the NIS2 on cybersecurity in the EU

The European Commission has envisioned the new NIS directive as a way to enhance the overall security health of verticals across Europe. While its true impact will be witnessed by the world over the next few years, we can discuss the vision itself. Here, we’ll analyze the potential impact of the directive on the digital infrastructure sector.

The data centres, CDNs, and other digital infrastructure providers will see some significant changes in security management owing to the directive.

  • Physical Security Upgrades: There will be stricter requirements for physical access control, potentially involving security cameras and stricter monitoring.
  • Enhanced Incident Response: There will be more emphasis on robust plans for cyberattacks, including clear roles, communication protocols, and procedures for evidence collection.
  • Increased Oversight: We can expect increased vigilance by competent authorities to ensure that security standards are met.
  • Market Boost for Security Solutions: The demand for innovative cybersecurity solutions will go up with companies striving to meet the new common cybersecurity level. This fosters competition and innovation in the digital infrastructure sector.

The impact is likely to be similar across verticals with obvious variations. Together with the CRA which doubles down on the security of all products with digital elements, the NIS2 is sure to impart lasting stability to the industries of Europe. 

Tips for companies preparing for NIS2 compliance

  • Create comprehensive policies for access management, risk assessment, and incident response
  • Build an incident response team and train them to handle security breaches through drills
  • Mandate the use of password managers by employees, and aim for centralised access control and monitoring with platforms like Uniqkey (helps cover 6 out 10 NIS2 measures)
  • Partner with regular vulnerability assessment providers
  • Integrate security testing into the development and supply chain pipelines

ℹ️ We’ve built the complete website to provide in-depth information on NIS2, helping businesses understand its requirements, achieve compliance, and avoid fines.


Uniqkey is the perfect password management solution for teams and businesses. Built with high usability in mind, Uniqkey makes it easy for employees to adopt secure password habits, raising company-wide security in a simple and effective way.