NIS2—increasing cybersecurity across Europe
NIS2 is an amendment to “The Network and Information Security (NIS) Directive”, which aims to elevate the level of cybersecurity across the EU member states and make the European Union more resilient to cybercrime.
With the new NIS2 requirements for companies, more sectors will need to analyze their security measures and adapt to stricter security standards. They’ll need to improve incident response and enhance intelligence sharing across member states. This aims to create a unified and stronger level of cybersecurity.
While the NIS2 Directive sets a baseline for cybersecurity requirements, it’s important to note that local legislators in each EU member state have the authority to strengthen the directive or expand its scope. For instance, they can impose additional responsibilities or extend the sectors to which the directive will apply.
SECTORS IMPACTED BY NIS2
The NIS2 Directive impacts a wide range of sectors, introducing stricter rules for critical sectors like energy, health, digital infrastructure, and transport, which are classified as “essential entities”. It also extends to other critical sectors, such as manufacturing, production, and postal services, which are identified as “important entities”.
NIS2 EXPANDS CRITERIA FOR AFFECTED ENTITIES
In addition to defining sectors, NIS2 requirements for companies establish additional criteria for determining which entities must comply with the directive.
Micro: More than 10 employees and more than €2 million in turnover, or with a total annual balance sheet greater than or equal to €2 million.
Medium: More than 50 employees and more than €10 million in turnover, or with an annual balance sheet greater than or equal to €10 million. In highly critical sectors, these are considered important companies/entities.
Large: More than 250 employees and more than €50 million in turnover, or an annual balance sheet greater than or equal to €43 million. In highly critical sectors, these are considered key companies/entities.
Our security experts can guide you through the assessment to help you understand whether your business falls under NIS2 regulation and in which areas further action will be necessary, e.g., the implementation of new services, updating or extending existing services, or implementing/updating your processes.
STRENGTHENING CYBERSECURITY IN THE EU WITH THE NIS2 DIRECTIVE
The new NIS2 requirements for companies aim to strengthen the resilience of EU member states against cybersecurity threats. The objectives are designed to ensure that essential services provided by businesses and public authorities are better protected from malicious interference, data loss, and operational disruptions.
Obligations and supervision under NIS2
The NIS2 Directive defines obligations and supervision based on an organization’s categorization. “Essential entities” must comply with the full scope of NIS2 requirements and measures, undergo proactive supervision (ex-ante), report incidents to the CSIRT within the specified timeframe, and conduct independent audits. “Important entities”, on the other hand, must implement risk-based security measures independently and verify them through self-assessment. They are subject to reactive supervision (ex-post), with action taken in case of incidents or non-compliance evidence, and they must report significant incidents and cyber threats to the CSIRT in a timely manner.
Understanding the Responsibility for NIS2 Compliance
The NIS Directive defines several penalties for an organization that does not comply with its requirements. Accountability encompasses everyone from IT professionals to senior executives. This means that senior managers must ensure effective risk management and supervision.
Non-compliance can severely impact businesses, including:
Financial disruption: Fines, obligation to security investments
Business disruption: Focus diverted to compliance, regulatory monitoring, license suspensions
Reputation damage: Public disclosure requirements
Executive consequences: Fines, criminal liability, and role bans
Financial sanctions (table): Essential entities / Important entities
Steps to achieve NIS2 compliance
Understanding whether your organization is classified as an essential or important entity under the NIS2 Directive is crucial. To make the process more manageable and to comply with NIS2 requirements, focus on three key areas:
Consultancy and process services: Address technical security needs, establish comprehensive policies and procedures, and implement operational changes for compliance.
Technology and managed solutions/services: Deploy advanced security tools, provide continuous monitoring and updates, and support compliance with automated enforcement.
Security monitoring and validation: Continuously monitor systems, validate security measures through testing and audits, and ensure timely incident reporting.
To ensure full compliance, businesses must leverage a range of security and consultancy services across all three levels. By concentrating on these three elements, you can simplify your approach to NIS2 compliance and strengthen your organization’s resilience.
RELIABLE SECURITY SOLUTIONS FOR NIS2 COMPLIANCE
NIS2 plays a crucial role in enhancing the security of the EU, making it a safer place to live, work, and thrive. Our solutions automatically align with all relevant NIS2 requirements, providing a strong foundation for compliance by default. From our extensive portfolio of services, we’d like to highlight the following:
Get advanced threat detection and response with Security Operations Center (SOC), protecting your business from cyberattacks without an in-house team. Detect, classify, and escalate security incidents with reports and insights.
Lower costs: More cost-effective than building an in-house security team.
Qualified experts: Always up to date with the latest security trends, protection strategies, and training.
Continuous monitoring: 24/7 monitoring of security events, 365 days a year.
Prompt reaction: Proactive response to cyber threats.
Virtual Chief Information Security Officer is a service that provides businesses with executive-level cybersecurity leadership on a flexible or outsourced basis, rather than employing a full-time CISO in-house.
Accelerated cyber resilience: Bring your cybersecurity vision into reality cost-effectively without hiring a full-time security executive.
Compliance: Reveal compliance gaps and focus on the right compliance actions.
Tailored security: Security policies and a remediation plan tailored for your organization.
Security & compliance management: Keep track with continuous risk assessment and real-time insights.
Protect your business from data loss and system downtime with Backup as a Service (BaaS). Quickly restore data from any point in time and ensure business continuity within hours.
Business continuity: Automated backups to quickly recover from data loss.
Cost efficiency: Cloud-based service, eliminating the cost of on-premises solutions and allowing for scaling as the business grows.
Automation: Scheduled backups performed automatically, ensuring data is constantly protected.
Fast recovery: Restore business operations, data, and systems quickly after an incident.
Ensure business continuity with DRaaS (Disaster Recovery as a Service). Securely replicate critical data in the cloud for rapid recovery from natural disasters, cyber incidents, and more, thereby minimizing system downtime and data loss.
Minimized system downtime: Reduces operational interruptions, keeping services running with automated failover and fast recovery.
Cross-platform compatibility: Enables recovery across on-premises, cloud, and hybrid environments.
Financial & compliance protection: Reduces financial losses and ensures regulatory compliance for data protection and continuity.
Continuous data replication: Minimizes data loss by replicating data in real time, ensuring access to the latest version.
FAQ: NIS2 Directive
What is the NIS2 Directive?
The need to strengthen cybersecurity is undeniable. According to global data experts at Statista, “Cybercrime increasingly ranks among the most prevalent and damaging offenses of our time.” In response to this growing threat, the EU has updated the NIS2 Directive to better address today’s complex cybersecurity landscape and ensure broader protection for businesses and organizations.
However, the NIS2 Directive doesn’t necessarily require a complete overhaul of your existing cybersecurity measures. In many cases, it’s about refining specific areas and enhancing existing procedures. You might also be underusing tools already available to you—particularly in the cloud. Before investing in new systems, consider how you can strengthen your current solutions.
When does the NIS2 Directive come into play?
EU Member States had until October 17, 2024, to integrate NIS2 into their national laws. This required each state to develop and publish its compliance plans. Now, individual countries are establishing specific timelines for organizations within their borders.
As a result, there is no EU-wide compliance deadline. Timelines vary by country, with most deadlines anticipated in 2025, and some possibly extending into early 2026.
Our T Business Europe team is well-versed in these essential details and can connect you with your local representative.
What are the differences between the original directive and NIS2?
NIS2 is more robust than its predecessor, impacting a wider range of sectors, including manufacturers of critical products, public administration, and space. It introduces a two-tier system, classifying organizations as either “essential entities” (Annex I) or “important entities” (Annex II), with different obligations, supervision levels, and penalties based on this classification.
The NIS2 Directive imposes stricter security measures and significantly higher penalties to ensure compliance. It also shifts accountability from IT departments to senior leadership, with executives potentially facing public disclosures or bans on future roles if found non-compliant.
Unlike the original directive, NIS2 mandates active supervision by national authorities, including regular audits and security checks. It emphasizes supply chain security, requiring organizations to conduct risk assessments and audits. Additionally, it clarifies incident reporting with specific timelines and requirements.