Understanding the NIS2 Directive to Ensure Compliance

The NIS2 directive introduces new security requirements for organizations operating within the European Union. Businesses therefore need to determine whether they are affected and, if so, how they can comply effectively.

Our cybersecurity experts explain everything you need to know about this directive and how to prepare for compliance.

Quick Overview of the NIS2 Directive

Answers to frequently asked questions about the DORA regulation in cybersecurity.

What Is the NIS2 Directive?

The NIS2 Directive, adopted on December 27, 2022, is a major overhaul of the original 2016 NIS Directive on European cybersecurity standards. This updated regulation extends the scope of NIS and aims to strengthen the security of networks and information systems while improving organizational resilience against cyber threats.


"The requirements laid down by the European directive encourage many entities to build a solid roadmap for deploying and strengthening their cyber defense resources, with the objectives of safer structural operation, greater confidence vis-à-vis their stakeholders and improved competitiveness for businesses."

Vincent Strubel, Director General of the French National Agency for Information Systems Security (ANSSI)


Does the NIS2 Directive Apply to Your Business?

More than 1,000 entities targeted

More than 18 business sectors concerned


The directive applies to two categories of organizations: Essential Entities (EE) and Important Entities (EI).  

Businesses exceeding critical thresholds in terms of annual sales (10 million euros), headcount (more than 50 employees), or significant economic impact are the primary focus.

Refer to the table below to check if your organization needs to comply with NIS2 regulations.  

Effective Date of the NIS2 Directive

NIS2 came into force on January 16, 2023. EU member states had to transpose its provisions into their respective national legislation by October 17, 2024. This is therefore a critical time for organizations to align their security measures with the new obligations.

Mandatory compliance for essential and important entities

Essential Entities (EE)             Important Entities (EI)
Public administration               Chemical manufacturing
Drinking water                      Digital services providers
Wastewater                          Waste management
Energy sector                       Manufacturing industry
Space industry                      Food production, processing and distribution
IT and communications services      Research
Financial market infrastructure     Postal and shipping services
Digital infrastructure
Healthcare
Banking sector
Transportation


Ensure Compliance with EU Cybersecurity Directives with Victrix

With our Scalable Security Operations Center (SEvOC), we help organizations meet the highest cybersecurity standards (GDPR, DORA, NIS2, ISO 27001).

4 key obligations of NIS2 for essential and important entities

1. Governance: take direct responsibility for cybersecurity strategies and integrate them into the organization's overall governance framework.

2. Cybersecurity risk management: establish regular assessments to identify, analyze, and mitigate vulnerabilities.

3. Obligation to inform: report any significant cybersecurity incident within a maximum period of 24 to 72 hours.

4. Supply chain security: ensure suppliers comply with equivalent cybersecurity standards.

Risks of non-compliance with NIS2

  • Fines up to 2% of global annual turnover 
  • Implementation of mandatory corrective measures enforced by authorities 
  • Suspension of critical activities until compliance is achieved 
  • Reputational damage, leading to loss of customer and partner confidence 

Did you know?

10 million euros: this is the maximum fine you can face for non-compliance under NIS2.

Is your business NIS2 compliant?

Have your compliance assessed by experts in cybersecurity, risk management and compliance. 

SEvOC: Your partner in NIS2 compliance

Victrix guides and supports essential and important entities in achieving NIS2 compliance. With a rigorous approach and certified GRC consultants, we guarantee customized compliance tailored to your business reality. 

Compliance audit

We identify your gaps concerning NIS2 requirements and propose customized recommendations based on the specific standards of your business sector. 

Action plan development 

Following the compliance audit, we work with your teams to define the necessary steps and accelerate the compliance process. 

Implementation of compliance measures 

  • End-to-end encryption (E2EE) for optimal data security 
  • Action traceability to meet audit requirements 
  • Strengthening resilience to improve incident and downtime management 
  • Integration of reliable technological solutions for critical systems 

Monitoring and continuous improvement

Implement regular monitoring and evaluation processes. 

Additional information about NIS2

5 Main goals of the NIS2 directive 

1. Strengthen cybersecurity for critical networks 

2. Harmonize security standards across the EU 

3. Enhance cross-border cooperation and information sharing 

4. Address digital threats in businesses more effectively 

5. Increase digital trust and protect fundamental rights 

6 key differences between NIS (2016) and NIS2 (2022) 

Extended Coverage: Includes sectors related to Important Entities (EI). 

Stronger Obligations: Stricter security measures at all levels—technical, operational and organizational. 

Improved Collaboration: Increased emphasis on information sharing between Member States and competent authorities. 

Incident Reporting: shorter deadlines and more detailed information required. 

Stricter Enforcement: Stricter compliance mechanisms and higher fines for non-compliance. 

Supply Chain Security (new): entities must verify the level of cybersecurity of their suppliers.