NIS2 (Network and Information Security Directive 2) came into force across EU member states in October 2024, replacing the original NIS Directive and dramatically expanding both the scope of organisations covered and the penalties for non-compliance. If your business operates in Europe, supplies to European organisations, or handles data of EU citizens, this almost certainly affects you.

Who Is Covered?

NIS2 covers two tiers of organisations operating in critical sectors:

Essential Entities (strictest requirements): Energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space.

Important Entities (significant requirements): Postal and courier services, waste management, manufacturing of critical products, food, digital providers (search engines, social platforms, online marketplaces), research.

Critically, the threshold has been lowered significantly — organisations with 50+ employees or €10M+ turnover in covered sectors are now in scope. Many mid-market businesses that assumed NIS1 did not apply to them are now covered by NIS2.

Key Requirements

Risk Management Measures

  • Formal cybersecurity risk management policy, reviewed annually
  • Incident handling procedures with defined roles and response timelines
  • Business continuity and crisis management plans, including backup and disaster recovery
  • Supply chain security — assessment of third-party suppliers and their security posture
  • Network and information system security — access controls, encryption, vulnerability management
  • Multi-factor authentication enforced across all critical systems
  • Cybersecurity training for all staff, with specialist training for technical roles

Incident Reporting

NIS2 introduces strict reporting timelines that many organisations will find challenging:

  • 24 hours: Early warning to national CSIRT or competent authority for any significant incident
  • 72 hours: Incident notification with initial assessment of severity and impact
  • 1 month: Final report including root cause analysis, remediation steps and cross-border impact assessment

Management Accountability

One of the most significant changes in NIS2 is that senior management are now personally liable. Board members and C-suite executives can face fines and temporary bans from management roles for failures of oversight. Cybersecurity is no longer an IT issue — it is a board-level governance matter.

Penalties

For Essential Entities: up to €10 million or 2% of global annual turnover, whichever is higher.

For Important Entities: up to €7 million or 1.4% of global annual turnover.

These are maximums; regulators have discretion. However, given the post-GDPR enforcement environment, organisations should not assume leniency.

Your NIS2 Compliance Checklist

  1. Determine if your organisation is in scope (sector and size thresholds)
  2. Identify which EU member states you operate in — requirements may vary slightly by country
  3. Conduct a gap analysis against Article 21 technical and organisational measures
  4. Appoint a named NIS2 responsible person at board level
  5. Implement or update your incident response plan with the 24/72-hour reporting timelines
  6. Conduct supply chain security assessments for all critical third parties
  7. Enforce MFA across all systems — this is explicitly required
  8. Implement vulnerability management and patch within defined SLAs
  9. Deliver staff cybersecurity awareness training (documented)
  10. Test your business continuity and disaster recovery plans
  11. Register with your national competent authority if required

Baycop supports organisations across the EU with NIS2 readiness assessments, gap analysis and ongoing compliance management. Contact our GRC team for a free initial consultation.