NIS2 Directive: What It Means for Your Organization
NIS2 significantly expands who needs to comply with EU cybersecurity rules
The NIS2 Directive replaces the original NIS Directive and brings far more organizations under EU cybersecurity regulation. If you operate in the EU - or serve EU customers in certain sectors - you likely need to pay attention.
The original NIS Directive covered a narrow set of “operators of essential services.” NIS2 expands this dramatically. It now applies to organizations across 18 sectors, divided into “essential” and “important” entities. Member states were required to transpose the directive into national law by October 2024, and enforcement is now underway across the EU.
Does NIS2 apply to your organization?
NIS2 covers organizations in these sectors:
Essential entities (stricter oversight): energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Important entities (lighter oversight but still regulated): postal services, waste management, chemicals, food production and distribution, manufacturing of critical products, digital providers (online marketplaces, search engines, social networks), and research organizations.
The size threshold matters too. Generally, NIS2 applies to medium-sized organizations and above (50+ employees or EUR 10 million+ annual turnover). Some entities are covered regardless of size - DNS providers, TLD registries, and certain digital infrastructure operators.
If your organization falls into one of these sectors and meets the size criteria, NIS2 applies. There is no opt-in or registration process - you are expected to self-assess and comply.
What NIS2 requires you to do
The directive mandates a set of cybersecurity risk management measures. If you already have an ISO 27001 certified ISMS, most of this will look familiar:
Risk management measures
Organizations must implement “appropriate and proportionate technical, operational, and organisational measures” to manage cybersecurity risks. The directive specifies minimum requirements including:
- Risk analysis and information system security policies - essentially your ISMS scope and policies
- Incident handling - detection, response, and recovery processes
- Business continuity and crisis management - backup management, disaster recovery, crisis plans
- Supply chain security - assessing and managing risks from your suppliers and service providers
- Secure system acquisition, development, and maintenance - including vulnerability handling and disclosure
- Encryption and multi-factor authentication - where appropriate to the risk level
- Security awareness training and basic cyber hygiene practices
- Human resources security, access control, and asset management
Incident reporting
NIS2 introduces a multi-stage incident reporting obligation that is more demanding than most organizations are used to:
- Early warning - within 24 hours of becoming aware of a significant incident
- Incident notification - within 72 hours, with an initial assessment of severity and impact
- Intermediate report - upon request from the authority, or when the situation changes significantly
- Final report - within one month of the incident notification, covering root cause, impact, and remediation
A “significant incident” is one that causes or could cause severe operational disruption or financial loss, or that affects other organizations. The thresholds will be further defined by each member state.
Management accountability
This is new and important. NIS2 explicitly requires that management bodies (boards, C-suite) approve cybersecurity risk management measures and oversee their implementation. Management can be held personally liable for failures to comply. They must also undergo cybersecurity training.
This is not a box-ticking exercise. Regulators can and will hold leadership accountable.
Penalties for non-compliance
NIS2 introduces significant fines:
- Essential entities: up to EUR 10 million or 2% of global annual turnover, whichever is higher
- Important entities: up to EUR 7 million or 1.4% of global annual turnover, whichever is higher
Beyond fines, competent authorities can order audits, issue binding instructions, require specific remediation actions, and in extreme cases order the temporary suspension of services or the prohibition of individuals from exercising management functions.
How ISO 27001 maps to NIS2
If you already have an ISO 27001 certified ISMS, you are well positioned. The overlap is substantial:
| NIS2 requirement | ISO 27001 coverage |
|---|---|
| Risk analysis and policies | Clause 6.1, Clause 8.2-8.3 |
| Incident handling | Annex A controls A.5.24-A.5.28 |
| Business continuity | Annex A controls A.5.29-A.5.30 |
| Supply chain security | Annex A controls A.5.19-A.5.23 |
| Encryption | Annex A control A.8.24 |
| Access control and MFA | Annex A controls A.5.15-A.5.18, A.8.5 |
| Security awareness | Clause 7.3, Annex A control A.6.3 |
| Asset management | Annex A controls A.5.9-A.5.14 |
The gaps are typically in NIS2-specific areas: the strict incident reporting timelines (24-hour early warning is tighter than most ISMS processes), supply chain risk assessment depth, and the explicit management liability requirements.
The CER Directive - physical resilience
Alongside NIS2, the CER (Critical Entities Resilience) Directive addresses physical and non-cyber threats to critical infrastructure. It covers similar sectors but focuses on physical security, natural disasters, and other disruptions.
If your organization is classified as a critical entity under CER, you will need to conduct risk assessments that include physical threats, implement resilience measures, and report incidents that disrupt essential services. Many of the organizational measures overlap with NIS2 and ISO 27001, but the physical security requirements go beyond what most ISMS frameworks cover.
How 27kay can help
NIS2 compliance is largely about having a well-implemented information security management system - which is exactly what ISO 27001 certification delivers. We help organizations assess whether NIS2 applies to them, identify gaps between their current ISMS and NIS2-specific requirements, and implement the additional measures needed - particularly around incident reporting timelines and supply chain security.
If you are unsure whether NIS2 affects your organization or want to understand what it means for your existing certification, let’s talk - we can map your current state against the requirements and give you a clear picture of what needs to change.