April 23, 2026

NIS2 Directive: securing networks and information systems

In the context of accelerated digitalization and an increasingly complex security landscape, the European Union has taken a decisive step by adopting the NIS2 Directive. This legislative framework modernizes previous rules and establishes a common level of cybersecurity protection across all Member States, adapting to emerging global threats.

The first Directive on the security of network and information systems (NIS), adopted in 2016, represented an important starting point. However, the rapid evolution of cyberattacks and society’s growing dependence on digital services have shown the need for a more robust and unified approach. NIS2 aims to eliminate fragmentation between Member States and raise resilience standards in critical sectors.

One of the most significant changes introduced by NIS2 is the expansion of the list of covered entities. The Directive is no longer limited to traditional essential service providers but now covers a much broader range of sectors, divided into two categories:

Highly critical sectors: Energy, transport, banking, healthcare, water, digital infrastructure, public administration, and space.
Other critical sectors: Postal services, waste management, manufacturing of chemicals and food, electronics production, and digital providers.

Unlike the previous regulation, NIS2 introduces a general rule based on the size of the organization, eliminating uncertainty related to national-level classification.

Companies and institutions falling under the scope of the Directive must implement rigorous risk management measures. These include system security policies, incident management procedures, supply chain security, and the use of encryption.

A key aspect is increased accountability at the top level: management teams become directly responsible for non-compliance with security measures. Furthermore, the Directive simplifies the process for reporting significant incidents, imposing clear deadlines for notifying the competent authorities.

NIS2 places strong emphasis on cross-border cooperation. Through the European Cyber Crises Liaison Organisation Network (EU-CyCLONe), Member States will be able to coordinate responses to large-scale incidents.

To ensure compliance, the Directive introduces a much stricter sanctions regime. Authorities have the power to impose substantial administrative fines, similar to those under the GDPR, on entities that fail to comply with the new security standards.

The NIS2 Directive entered into force at the beginning of 2023, and EU Member States are required to transpose its provisions into national law by October 17, 2024. Organizations should therefore begin adapting as soon as possible to meet legal requirements and protect their digital infrastructure.

Detailed information and legislative context can be found on the official page of the European Commission:
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive