Directive (EU) 2022/2555
European Union directive on cybersecurity adopted on 14 December 2022, replacing NIS 1 (2016). Significantly expands the scope: essential entities (energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, public administration, space) and important entities (postal, waste, chemicals, food, manufacturing, digital providers, research). Tiered incident notification: 24 hours early warning, 72 hours notification, one month final report. Sanctions up to €10M or 2% of worldwide turnover for essential entities.
NIS 2 (Network and Information Security 2) is European Directive (EU) 2022/2555 of 14 December 2022, which replaced the original NIS Directive of 2016. It substantially raises the cybersecurity bar across the EU economy by expanding scope, harmonizing requirements, and tightening enforcement.
NIS 2 distinguishes two categories of in-scope organizations. Essential entities: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Important entities: postal services, waste management, chemicals, food, manufacturing of medical devices, computers, machinery, motor vehicles, digital providers (search, social, marketplace), and research. Size thresholds apply (typically medium-sized or larger), with critical-actor exceptions regardless of size.
Obligations span ten control domains: risk analysis and information system security policies, incident handling, business continuity, supply chain security, security in network and information systems acquisition/development, policies and procedures for assessing effectiveness, basic cyber hygiene and training, cryptography, access control and asset management, and human resources security.
Incident notification is tiered: an early warning within 24 hours of becoming aware of a significant incident, a notification within 72 hours with initial assessment, and a final report within one month. Penalties reach €10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and €7 million or 1.4% for important entities. Personal liability for management bodies is explicitly contemplated.
The original NIS Directive (Directive (EU) 2016/1148) was adopted in July 2016 in the wake of major cyber incidents affecting European operators (TV5Monde 2015, Locky and Petya ransomware). It targeted operators of essential services and digital service providers, but transposition was uneven across Member States, leading to fragmented enforcement.
The European Commission proposed NIS 2 in December 2020 as part of the EU Cybersecurity Strategy. It was adopted on 14 December 2022 and published in the OJEU. Member States had to transpose by 17 October 2024, though several (including France with Law 2024-364 in October 2024) only completed transposition close to the deadline, with operational implementation extending through 2025-2027.
NIS 2 has cross-references with DORA (financial services), CER Directive (Critical Entity Resilience), and the EU Cyber Resilience Act (products with digital elements). Organizations in scope of multiple frameworks must align their compliance programs to avoid duplication.
The shift from NIS 1 to NIS 2 increases the number of in-scope entities across the EU by a factor of 5 to 10, moving from a few hundred critical operators to tens of thousands of organizations. Many directors discover in 2025-2026 that their entity now falls in scope, having never been covered by NIS 1.
Personal liability for management bodies is one of the most consequential changes. NIS 2 explicitly contemplates personal sanctions and even temporary suspension of directors for serious failures. This represents a culture shift: cybersecurity is no longer a CISO concern delegated downward, it's a board-level accountability with personal exposure.
Compliance cost varies dramatically with maturity. For an organization already running ISO 27001 or aligned with HIPAA / DORA, the delta is manageable. For a mid-sized industrial company or municipal authority discovering the topic, it's a 12 to 24-month transformation program with meaningful budget.
For non-EU organizations: NIS 2 has limited extraterritorial reach, but its supply chain provisions push obligations down to vendors of in-scope entities regardless of where those vendors are located.
Our NIS 2 approach is operational, not just documentary. We start with a self-qualification: is the entity in scope, in which category, with what notification thresholds? This becomes the basis for the action plan and the executive briefing.
We then work three axes: risk mapping (crossing critical assets with sector-specific cyber scenarios), incident notification process (24h / 72h / 1 month — tested with tabletop exercises), and the supply chain workstream (NIS 2 explicitly requires monitoring critical suppliers, which transforms commercial contracts).
For organizations also in scope of DORA, EU AI Act, or ISO 42001, we produce a unified compliance matrix rather than running parallel programs. Our principle: a cyber program that doesn't fit on a single executive dashboard page won't survive the year.