NIS2 Directive


The NIS2 Directive is the revised version of the EU Directive on the Security of Network and Information Systems (NIS) and was adopted by the European Parliament in January 2023. It represents a milestone in harmonizing cybersecurity requirements across the EU and sets out new, more comprehensive obligations for companies and organizations deemed critical or essential to the economy and society.

The goal of NIS2 is to strengthen resilience against cyberattacks, align security standards across the EU, and create a unified legal framework for cybersecurity. The directive significantly broadens its scope and now mandates a wide range of companies—from sectors such as energy, healthcare, finance, digital infrastructure, public administration, and waste management—to comply with strict security requirements.

Among other things, the directive requires:

· The implementation of technical and organizational security measures
· Obligations for risk analysis and security monitoring
· Mandatory reporting of security incidents within 24 hours
· Clearly defined cybersecurity responsibilities
· Penalties for non-compliance

The implementation of NIS2 will take place at the national level through corresponding legislation. Companies are required to adapt their processes no later than October 2024.

The main challenge for organizations lies in establishing a documented and effective information security management system (often based on standards such as ISO/IEC 27001), building clear incident reporting channels, and integrating cybersecurity responsibilities at the executive level.

For affected organizations, the NIS2 Directive is not just a regulatory obligation, but also an opportunity to sustainably enhance their resilience against cyber threats.