NIS2: What it is, who it applies to, and what it really changes
NIS2 changes cybersecurity rules across Europe. It applies to far more companies than NIS1 and introduces clear, strict obligations. This guide shows what you need to do to prepare.
Introduction
This guide offers practical, detailed information to help you understand how the NIS2 Directive affects your organization and what concrete steps you can take. It does not replace the official text of the directive, which remains the main legal reference. You can read the full version on the European Union website, in English or Italian (eur-lex.europa.eu).
Understanding the directive and preparing for compliance early is not just about following rules. It is also a way to strengthen your resilience, gain customer trust, and protect business continuity.
NIS Directive 2: What it is and why it matters
Directive (EU) 2022/2555, known as NIS2, is the new European cybersecurity framework that replaces the previous NIS1 directive (2016/1148), improving on it and expanding its scope.
Its goal is to ensure a high and consistent level of security for networks and information systems across the European Union. This requires all member states to align their regulations, strengthen cross-border cooperation, and enforce minimum security standards for digital infrastructure and essential services.
NIS2 was introduced in response to a sharp rise in cyber attacks, increasing digitalization, critical dependence on technology, and the tight interconnection between public and private sectors. In a scenario where cyber threats impact hospitals, local governments, and manufacturing firms alike, a coordinated and structured response is no longer optional.
What’s new compared to NIS1
NIS1 was an important first step toward a more secure digital ecosystem, but it exposed several weaknesses. These included inconsistent implementation across member states, unclear criteria for identifying essential operators, and limited powers for supervisory authorities.
NIS2 aims to close these gaps. Its scope is broader and now includes sectors that were previously excluded, such as postal services, cloud providers, critical technology manufacturers, and certain areas of public administration. It introduces clear inclusion criteria based on company size and impact, applying the same rules across the EU.
Risk management requirements are more detailed. Organizations must now have plans in place for incident response, supply chain security, vulnerability management, and ongoing staff training. Reporting rules have also changed: significant incidents must be reported within 24 hours, followed by a full report.
National authorities will have stronger enforcement powers. They can carry out inspections, request documentation, and issue penalties of up to 10 million euros or 2% of global annual turnover, depending on the severity of the violation, similar to GDPR enforcement.
NIS2: Who it applies to
The directive mainly applies to two categories of organizations: essential entities and important entities.
Essential entities operate in sectors that are critical to national security and economic stability, such as:
- Energy
- Transport
- Healthcare
- Financial services
- Digital infrastructure
Important entities provide supporting or related services, including:
- ICT service providers
- Postal and courier services
- High-tech manufacturers
- Data center operators
Unlike NIS1, inclusion is no longer left to the discretion of individual member states. NIS2 introduces objective criteria: companies with at least 50 employees and annual revenue over 10 million euros fall within its scope. Member states can also include smaller companies if they deliver services considered strategic.
Crucially, NIS2 doesn’t apply only to the private sector. Certain public administration bodies, especially those with key roles in healthcare, national security, or transport, are also covered.
When does NIS2 come into force?
The directive was published in the Official Journal on December 27, 2022, and took effect on January 16, 2023.
Member states have until October 17, 2024, to implement it into national law. Companies affected by the directive must be fully compliant by that date. Preparing takes time and effort, especially for those without formal processes in place, so it’s important to act now.
NIS 2 Obligations
Organizations affected by NIS2 must adopt technical and organizational cybersecurity measures that match their level of risk, sector, and size.
Key obligations include:
- Identifying and assessing risks
- Protecting data and critical infrastructure
- Managing vulnerabilities
- Ensuring business continuity
- Providing ongoing staff training
In the event of a major incident, the directive requires a three-step notification process:
- An initial alert within 24 hours
- A detailed report within 72 hours
- A final report within one month
National authorities will have broad inspection powers and can impose severe penalties for non-compliance. Compliance is not judged only on how a company reacts to incidents; preventive measures also matter. Missing processes, continuity plans, or activity tracking can all be considered violations.
How to comply with NIS2
Complying with NIS2 starts with understanding your role in the digital supply chain. Each company must begin with a self-assessment: check if the directive applies, evaluate current cybersecurity maturity, and identify any gaps.
The next step is to build a structured action plan across several areas: governance, technology, staff training, and vendor management. This includes defining formal policies, appointing security officers, setting up incident response processes, and using tools for traceability.
Working with experienced partners in IT security and regulatory compliance can help speed up the process and ensure better results.
NIS2 and related regulations
NIS2 doesn’t exist in isolation. It must be interpreted alongside other key European regulations. The GDPR continues to govern personal data protection and often overlaps with the security requirements of NIS2. The DORA regulation, taking effect in 2025, focuses on the digital resilience of financial entities. The CER Directive (Critical Entities Resilience) targets the physical protection of critical infrastructure.
For businesses, this means adopting an integrated approach to compliance. Different regulations may have distinct requirements, but they also share common ground. A solid security management system can help meet multiple obligations at once, making compliance more efficient.
Download NIS2 in PDF format
You can view the full text of the directive directly in PDF format from the Official Journal at this link to the Official Gazette. If you want to compare it with the previous version, the NIS1 directive is also available at this link.
Conclusion
NIS2 marks a key regulatory and strategic shift in the protection of European information systems and digital infrastructure. It is a call to step up security practices, not just as a technical safeguard, but as a foundation for business continuity and market trust.
How Deepser can help with incident management
One of the key requirements of NIS2 is managing cybersecurity incidents quickly and effectively. Meeting strict reporting deadlines and coordinating responses requires tools that track every event and action.
Deepser is a comprehensive IT Service Management (ITSM) solution that helps companies manage all IT service processes, including incident handling.
Thanks to its integration with other business systems, user-friendly dashboards, and advanced SLA tracking, Deepser supports fast, compliant responses to NIS2 requirements while improving overall efficiency and IT resilience.