John Leyden
Senior Writer

EU’s NIS2 Directive for cybersecurity resilience enters full enforcement

Feature
18 Oct 2024
IT Governance Frameworks, Regulation, Security Operations Center

With a wider scope and stricter enforcement, NIS2 extends its predecessor, overcoming its shortcomings and leaving more organisations scrambling to comply.

european union flags
Credit: Shutterstock

After years in development, the European Union’s NIS2 Directive comes into full effect this week.

NIS2 expands the scope of its predecessor to cover 15 sectors, including manufacturing, digital providers (online marketplaces, social networks), and postal services, alongside the previously covered operators of essential services (energy, transport, telecoms, banking, and so on).

As a result, many more organisations will be required to comply with rules that cover risk management, incident response, vulnerability disclosure, resilience, and supply chain security.

What is the NIS2 Directive?

The NIS2 (Network and Information Security) Directive aims to provide a common level of cybersecurity across EU member states. The directive builds on its first iteration, NIS1, establishing stricter security requirements and expanding its scope.

NIS2 is geared toward boosting the cybersecurity resilience of essential and important service providers in a wide range of sectors. The scope of the regulations is estimated to affect more than 160,000 organisations across Europe, as well as companies outside the bloc that provide services within the EU.

The NIS2 Directive went into effect in January 2023. EU member states were given a deadline of Oct. 17, 2024, to transpose the directive into national law.

Why was NIS updated?

The revamped directive, which tightens up cyber resilience rules and extends the revised regulations to more sectors, was introduced in response to shortcomings in its predecessor, NIS1.

Sabeen Malik, VP of global government affairs and public policy at Rapid7, commented: “NIS2 was introduced because the implementation of NIS1 had limitations that became apparent due to the rapid pace of digitalisation during the pandemic, as well as the increasing interconnectedness of sectors and the heightened cyber risk against those sectors.”

NIS2 penalties and disclosure

NIS2 sets up strict enforcement measures with maximum fines of up to €10 million (US$10.86 million) or 2% of global annual turnover for noncompliance, in the most extreme cases.

NIS2’s disclosure rules are also strict. Breaches need to be reported rapidly. For example, significant incidents must be reported within 24 hours, and full details must follow within 72 hours.

Counting the cost of NIS2

Frontier Economics last year predicted the total cost of implementing NIS2 for EU businesses will be €31.2 billion (US$33.9 billion) per year, or 0.31% of the total turnover of sectors affected by the directive. The cost encompasses the expense of hiring cybersecurity experts and support staff, purchasing and installing hardware and software, and maintaining new cybersecurity processes.

Tim Wright, partner and technology lawyer at UK law firm Fladgate, told CSO: “NIS2 is hitting CISOs where it hurts: their budgets.”

CISOs have likely invested significant effort and expense to achieve compliance, with some experts suggesting that organisations may need to increase cybersecurity spending by up to 22%.

“Costs could approach €10 billion (US$10.9 billion) annually, EU-wide,” according to Wright. “However, ISO 27001 certified entities have a head start, with approximately 70% of NIS2 requirements already covered.”

Vincent Lomba, chief technical security officer at Alcatel-Lucent Enterprise, commented: “Many enterprises will need to invest in new technologies, including endpoint detection and response (EDR) and web application firewall (WAF). Many will also need to invest in training or new hires to operate their security operation centre (SOC) to better detect potential security threats and manage an eventual cyber crisis.”

Lomba continued: “However, the real cost for enterprises will not be the new technology required, but rather the investment needed to change employee mindset and company culture.”

Ready or not

Organisations compliant with ISO 27001 are considered well set up to comply with NIS2. However, the French Institution for National Cyber Security (ANSSI) estimates that only 10% of all organisations have adequate cybersecurity processes in place.

Issues with meeting the NIS2 deadline seem to be far from limited to organisations in France. A recent survey by backup vendor Veeam involving UK and European IT security decision-makers found that although nearly 80% of businesses are confident in their ability to eventually comply with NIS2 guidelines, two in three (66%) feared they would miss this week’s deadline.

Barriers to NIS2 compliance cited in the Veeam-sponsored survey included technical debt (24%), lack of leadership understanding (23%), and insufficient budget/investments (21%).

Standards alignment

The NIS2 Directive calls for risk-based security measures, incident reporting, and supply chain security, aligning it with other frameworks such as GDPR and ISO standards. “If they already hold certifications like ISO 27001 or ISO 22301, the extra requirements will be small adjustments, if any,” according to Andrew Pattison, head of GRC Consultancy Europe at IT Governance Europe.

The measures required by NIS2, such as cyber risk management, supply chain security, and business continuity, are good business practices that enhance organisational resilience. The effort and expense required to achieve compliance with NIS2 is therefore justifiable because it supports broader cybersecurity goals, according to industry experts quizzed on the topic by CSO.

Bharat Mistry, technical director for UK and Ireland at Trend Micro, said: “Becoming NIS2-compliant is a significant undertaking that requires a multidisciplinary approach, involving legal, technical, and management efforts. However, the investment is justified by the enhanced security posture, reduced risk of cyber incidents, and compliance with legal obligations, which can prevent costly penalties and reputation damage.”

Martin Rutterford, channel director for UK and Ireland at Check Point Software, commented: “The journey towards NIS2 compliance directly aligns with broader cybersecurity goals by fostering a culture of continuous improvement. It forces organisations to adopt more robust security postures, enhance resilience, and improve threat detection and response capabilities, all of which contribute to strengthening overall security frameworks.”

NIS2’s global impact

In the same way that GDPR has shaped global privacy practices, NIS2 is expected to affect standards and best practices for cyber resilience beyond the EU. But while GDPR’s global impact, driven by its focus on data privacy, was massive, NIS2’s influence may be narrower and concentrated around critical sectors that are already highly regulated.

“NIS2 will significantly shape global cybersecurity practices, but perhaps not as universally as GDPR did for privacy,” according to Fladgate’s Wright. “One reason is that NIS2 is an EU directive which requires each member state to transpose into its own laws, whereas GDPR is a direct effect regulation.”

Wright continued: “Another is due to scope, with NIS2 primarily targeting critical sectors, whereas GDPR applies more broadly to personal data processing. Finally, GDPR’s fines and extraterritorial reach created a more immediate global impact.”

Del Heppenstall, head of cyber at KPMG UK, commented: “The reporting obligations and the requirements around cybersecurity risk management are more demanding than those of GDPR, so preparation will be key. Cybersecurity risk assessments are essential for establishing a baseline and identifying key risks.”

The NIS2 Directive might become a de facto standard for cybersecurity best practices, particularly in critical sectors such as energy and healthcare. In the US, CISA’s Cyber Incident Reporting for Critical Infrastructure Act (CIRCIA), scheduled to come into effect in October 2025, is likely to mirror many of the requirements of NIS2.

Businesses may need to consider NIS2 alongside other national, regional, and international regulations such as DORA (the EU’s Digital Operational Resilience Act), GDPR, and the EU AI Act.

“Rather than taking a fragmented approach, a ‘test once and comply with many’ methodology will be far more efficient and reduce costs,” KPMG’s Heppenstall advised. “Having a unified control framework allows organisations to guarantee compliance across a range of regulatory frameworks with a single test.”