Your Guide to NIS 2 Compliance: Changes, Challenges, and Next Steps

Key Points to Know:

• Implementation Deadline: EU member states must adopt NIS 2 into national law by October 17, 2024.
• Enforcement Begins: Full enforcement kicks in starting 2025.

The NIS 2 Directive marks a major step forward in how the European Union approaches cybersecurity. Building on the original 2016 directive, NIS 2 is designed to address today’s more complex digital landscape. Its goal is to create a stronger, more consistent cybersecurity standard across the EU, especially for sectors that are vital to society and the economy.

In this guide, we’ll walk through what NIS 2 is all about its background, the key changes it introduces, and what organizations need to do to stay compliant.

 Why NIS 2 Was Introduced

The original NIS Directive was a groundbreaking move to improve cybersecurity across critical sectors like energy, finance, and healthcare. But over time, some issues became clear:

• Different rules across countries cause inconsistency.
• Many essential services weren’t covered.
• Information sharing was limited.
• Cyber threats have become more advanced and widespread.

To fix these gaps, the EU introduced NIS 2 in 2022. It’s a more comprehensive approach that fits the EU’s broader digital strategy, aiming for a safer and more connected digital environment.

What’s New in NIS 2?

1. Wider Scope of Coverage
NIS 2 includes more sectors than before. It applies to both:

• Essential Sectors like energy, transport, banking, healthcare, water, public services, and space.
• Important Sectors like digital services, medical manufacturing, postal services, food production, and chemicals.

Organizations are also classified by size:

• Essential Entities: Large organizations (250+ employees or €50M+ turnover).
• Important Entities: Medium-sized businesses (50–249 employees or €10M–€50M turnover).

2. Common Cybersecurity Standards Across the EU
One of NIS 2’s biggest goals are to ensure that all member states apply the same rules. This means better consistency in how risks are managed and how incidents are reported.

3. Stronger Risk Management Requirements
All covered entities must:

• Regularly assess cyber risks and take appropriate action.
• Have incident response plans ready.
• Secure their supply chains, ensuring third parties follow good cybersecurity practices.
• Prepare for business continuity in case of cyber incidents.

4. Faster, Clearer Incident Reporting
NIS 2 tightens up the rules on how and when cyber incidents must be reported:

• Within 24 hours of detection, a basic alert must be sent to authorities.
• Within 72 hours, a more detailed report is needed.
• Within one month, a final analysis must be submitted.

5. Greater Accountability for Executives
Top management is now directly responsible for cybersecurity. Key requirements include:

• Assigning clear cybersecurity roles and responsibilities.
• Ensuring leadership undergoes regular cyber risk training.
• Facing potential fines or penalties for non-compliance.

 What Organizations Must Do to Comply

1. Improve Risk Management
Implement strong security controls such as:

• Firewalls, encryption, and intrusion detection.
• Third-party and supply chain vetting.
• Access control and secure data handling.

2. Strengthen Incident Response
Set up internal processes to quickly detect and report incidents. Monitor systems around the clock.

3. Establish Clear Governance
Assign responsibility for cybersecurity within the leadership team. Senior executives must stay educated and involved. 

What Happens If You Don’t Comply?

NIS 2 has serious consequences for those who fall short:

• Fines: Up to €10 million or 2% of global annual revenue whichever is greater.
• Other penalties: Orders to fix security gaps or even temporary suspension of operations. 

How EU Countries Will Work Together

To ensure a unified response, NIS 2 boosts collaboration among EU nations:

• EU-Cyclone: A new group focused on cross-border cyber crisis management.
• CSIRT Network: National incident response teams will continue working together and sharing threat intelligence.

Does NIS 2 Affect Companies Outside the EU?

Yes. If your company provides key services to the EU whether you’re based there or not, you’ll likely fall under the directive. Just like GDPR, NIS 2 has global reach and should be taken seriously by any business with EU ties.

Steps to Get Ready

To prepare for NIS 2, your organization should:

• Check if you're in scope: Are you an essential or important entity?
• Review cybersecurity policies: Update plans for incident response, governance, and supply chain security.
• Upgrade monitoring systems: You’ll need 24/7 visibility to meet reporting deadlines.
• Train leadership: Make sure executives understand their new responsibilities.
• Vet third-party risks: Strengthen your approach to vendor and partner cybersecurity.

 How Ampcus Cyber Can Help

We offer end-to-end support to help your organization get compliant and stay protected:

• Compliance Gap Assessment
• Custom Risk Management Frameworks
• Incident Response Planning and Training
• Security Controls Implementation
• Supply Chain Risk Management
• Ongoing Compliance Monitoring

With our Defender MXDR platform and expert team, we’ll help you stay ahead of cyber threats and ahead of compliance deadlines.