NIS2—increasing cybersecurity across Europe

NIS2 is an amendment to “The Network and Information Security (NIS) Directive”, which aims to elevate the level of cybersecurity across the EU member states and make the European Union more resilient to cybercrime.

With the new NIS2 requirements for companies, more sectors will need to analyze their security measures and adapt to stricter security standards. They’ll need to improve incident response and enhance intelligence sharing across member states. This aims to create a unified and stronger level of cybersecurity.

While the NIS2 Directive sets a baseline for cybersecurity requirements, it’s important to note that local legislators in each EU member state have the authority to strengthen the directive or expand its scope. For instance, they can impose additional responsibilities or extend the sectors to which the directive will apply.

SECTORS IMPACTED BY NIS2

The NIS2 Directive impacts a wide range of sectors, introducing stricter rules for critical sectors like energy, health, digital infrastructure, and transport, which are classified as “essential entities”. It also extends to other critical sectors, such as manufacturing, production, and postal services, which are identified as “important entities”.

Essential Entities

This category comprises organizations that are crucial for maintaining critical infrastructure and services. Any disruption to them could have severe consequences for society and the economy.

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Health
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • ICT service management (B2B services)
  • Public administration
  • Space

Important Entities

This category comprises organizations that provide important services that are less critical than “essential entities”. Their disruption could have a considerable impact, but not to the extent of those that are classified as “essential entities”.

  • Chemicals (manufacture, production, and distribution)
  • Digital providers
  • Postal and courier services
  • Waste management
  • Food (production, processing, and distribution)
  • Manufacturing
  • Research

NIS2 EXPANDS CRITERIA FOR AFFECTED ENTITIES

In addition to defining sectors, the NIS2 requirements for companies establish size-based criteria (employee headcount, turnover, and balance sheet total) for determining which entities must comply with the directive.

Micro

More than 10 employees and more than €2 million in turnover or with a total annual balance greater than or equal to €2 million.

Medium

More than 50 employees and more than €10 million in turnover or with an annual balance sheet greater than or equal to €10 million.

In sectors of high criticality, entities of this size are considered important entities.

Large

More than 250 employees and more than €50 million in turnover or an annual balance sheet greater than or equal to €43 million.

In sectors of high criticality, entities of this size are considered essential entities.

Ask our security experts

Our security experts can guide you through the assessment to help you understand whether your business falls under NIS2 regulation and in which areas further action will be necessary, e.g., the implementation of new services, updating or extending existing services, or implementing/updating your processes.

Due to local differences, please visit our local web pages.


STRENGTHENING CYBERSECURITY IN THE EU WITH THE NIS2 DIRECTIVE

The new NIS2 requirements for companies aim to strengthen the resilience of EU member states against cybersecurity threats. The objectives are designed to ensure that essential services provided by businesses and public authorities are better protected from malicious interference, data loss, and operational disruptions.

Obligations and supervision under NIS2

The NIS2 Directive defines obligations and supervision based on an organization’s categorization.

“Essential entities” must comply with the full scope of NIS2 requirements and measures, undergo proactive supervision (ex-ante), report incidents to the CSIRT within the specified timeframe, and conduct independent audits.

“Important entities”, on the other hand, must implement risk-based security measures independently and verify them through self-assessment. They are subject to reactive supervision (ex-post), with action taken in case of incidents or evidence of non-compliance, and they must report significant incidents and cyber threats to the CSIRT in a timely manner.

Understanding the Responsibility for NIS2 Compliance

The NIS2 Directive defines several penalties for an organization that does not comply with its requirements. Accountability encompasses everyone from IT professionals to senior executives, which means that senior managers must ensure effective risk management and supervision.

Non-compliance can severely impact businesses, including:

  • Financial disruption: Fines, obligation to security investments

  • Business disruption: Focus diverted to compliance, regulatory monitoring, license suspensions

  • Reputation damage: Public disclosure requirements

  • Executive consequences: Fines, criminal liability, and role bans

Financial Sanctions

  • Essential Entities: €10M or 2% of annual income worldwide

  • Important Entities: €7M or 1.4% of annual income worldwide

Steps to achieve NIS2 compliance

Understanding whether your organization is classified as an essential or important entity under the NIS2 Directive is crucial. To make the process more manageable and to comply with NIS2 requirements, focus on three key areas:

  1. Consultancy and process services: Address technical security needs, establish comprehensive policies and procedures, and implement operational changes for compliance.

  2. Technology and managed solutions/services: Deploy advanced security tools, provide continuous monitoring and updates, and support compliance with automated enforcement.

  3. Security monitoring and validation: Continuously monitor systems, validate security measures through testing and audits, and ensure timely incident reporting.

To ensure full compliance, businesses must draw on a range of security and consultancy services across all three areas. By concentrating on these three elements, you can simplify your approach to NIS2 compliance and strengthen your organization’s resilience.

RELIABLE SECURITY SOLUTIONS FOR NIS2 COMPLIANCE

NIS2 plays a crucial role in enhancing the security of the EU, making it a safer place to live, work, and thrive. Our solutions automatically align with all relevant NIS2 requirements, providing a strong foundation for compliance by default. From our extensive portfolio of services, we’d like to highlight the following:

Get advanced threat detection and response with a Security Operations Center (SOC), protecting your business from cyberattacks without an in-house team. Detect, classify, and escalate security incidents, supported by reports and insights.

Lower costs

More cost-effective than building an in-house security team.

Qualified experts

Always up to date with the latest security trends, protection strategies, and training.

Continuous monitoring

24/7 monitoring of security events, 365 days a year.

Prompt reaction

Proactive response to cyber threats.

Virtual Chief Information Security Officer (vCISO) is a service that provides businesses with executive-level cybersecurity leadership on a flexible or outsourced basis, rather than employing a full-time CISO in-house.

Accelerated cyber resilience

Bring your cybersecurity vision into reality cost-effectively without hiring a full-time security executive.

Compliance

Reveal compliance gaps and focus on the right compliance actions.

Tailored security

Security policies and a remediation plan tailored for your organization.

Security & compliance management

Stay on track with continuous risk assessment and real-time insights.

Protect your business from data loss and system downtime with Backup as a Service (BaaS). Quickly restore data from any point in time and ensure business continuity within hours.

Business continuity

Automated backups to quickly recover from data loss.

Cost efficiency

A cloud-based service that eliminates the cost of on-premise solutions and scales as the business grows.

Automation

Scheduled backups performed automatically, ensuring data is constantly protected.

Fast recovery

Restore business operations, data, and systems quickly after an incident.

Ensure business continuity with DRaaS (Disaster Recovery as a Service). Securely replicate critical data in the cloud for rapid recovery from natural disasters, cyber incidents, and more, thereby minimizing system downtime and data loss.

Minimized system downtime

Reduces operational interruptions, keeping services running with automated failover and fast recovery.

Cross-platform compatibility

Enables recovery across on-premises, cloud, and hybrid environments.

Financial & compliance protection

Reduces financial losses and ensures regulatory compliance for data protection and continuity.

Continuous data replication

Minimizes data loss by replicating data in real time, ensuring access to the latest version.

WHY CHOOSE TELEKOM BUSINESS EUROPE?

ONE-STOP SHOP FOR CLOUD

We do it all—from on-premise connectivity to end-to-end cloud services and 24/7 operational support for industry and the public sector.

ECOSYSTEM OF GREAT PARTNERS

We provide expertise in both public cloud and existing on-premise architectures and are a registered Tier 1 cloud service provider for Microsoft Azure, which means we can manage end-to-end customer lifecycles.

UNIQUE COVERAGE IN EUROPE

We are the only operator present in 10 Central and Eastern European countries providing IT and telco solutions for business needs. What’s more, we’re experts on local cyber threats in each country.

EXCELLENT CUSTOMER EXPERIENCE

We offer end-to-end services with access to our own fiber network and top-tier local resources for our core areas: Digital, Connectivity, Cloud, and Security.

MAXIMUM SECURITY

We run 60 highly secure data centers across Europe to meet all your IT and telco needs. Keep your business safe and secure – and your data where you want it.

SUSTAINABLE ON PRINCIPLE

We strive to harmonize economic, social, and ecological aspects. That’s why we’re committed to responsible business practices and using resources efficiently along our entire value chain.

FAQ: NIS2 Directive

What is the NIS2 Directive?

The need to strengthen cybersecurity is undeniable. According to global data experts at Statista, “Cybercrime increasingly ranks among the most prevalent and damaging offenses of our time.” In response to this growing threat, the EU has updated the NIS Directive, in the form of NIS2, to better address today’s complex cybersecurity landscape and ensure broader protection for businesses and organizations.

However, the NIS2 Directive doesn’t necessarily require a complete overhaul of your existing cybersecurity measures. In many cases, it’s about refining specific areas and enhancing existing procedures. You might also be underusing tools already available to you—particularly in the cloud. Before investing in new systems, consider how you can strengthen your current solutions.

When does the NIS2 Directive come into play?

EU Member States had until October 17, 2024, to integrate NIS2 into their national laws. This required each state to develop and publish its compliance plans. Now, individual countries are establishing specific timelines for organizations within their borders.

As a result, there is no EU-wide compliance deadline. Timelines vary by country, with most deadlines anticipated in 2025, and some possibly extending into early 2026.

Our T Business Europe team is well-versed in these essential details. We can connect you with your local representative here.

What are the differences between the original directive and NIS2?

NIS2 is more robust than its predecessor, impacting a wider range of sectors, including manufacturers of critical products, public administration, and space. It introduces a two-tier system, classifying organizations as either “essential entities” (Annex I) or “important entities” (Annex II), with different obligations, supervision levels, and penalties based on this classification.

The NIS2 Directive imposes stricter security measures and significantly higher penalties to ensure compliance. It also shifts accountability from IT departments to senior leadership, with executives potentially facing public disclosures or bans on future roles if found non-compliant.

Unlike the original directive, NIS2 mandates active supervision by national authorities, including regular audits and security checks. It emphasizes supply chain security, requiring organizations to conduct risk assessments and audits. Additionally, it clarifies incident reporting with specific timelines and requirements.
