NIS2 directive
NIS2: Who’s affected and how to prepare
Educational content
July 10, 2025
5 min read
Cybersecurity threats are evolving in both type and number. In Europe, the European Union has responded with the NIS2 directive. The purpose of the directive is to strengthen cybersecurity resilience among digital service providers and, not least, operators of critical infrastructure. It mandates enhanced risk assessment and management, incident reporting, and supply chain security measures. In other words, understanding NIS2 is crucial both to ensure compliance and to protect your operational performance.
What does NIS2 stand for?
NIS2 stands for Network and Information Security Directive 2. The “2” indicates its role as the successor to the original NIS directive (Directive (EU) 2016/1148).
The original NIS directive reflected the EU’s commitment to strengthening cybersecurity measures and initiatives across member states. NIS2 expands the scope and introduces more stringent requirements to address the growing complexity of cyber threats.
What is the NIS2 directive?
The NIS2 directive is a legislative framework aimed at achieving a high common level of cybersecurity across the EU. According to ENISA, it replaces the original NIS directive and introduces enhanced measures for risk management, incident reporting, and supply chain security.
NIS2 applies to a broader range of sectors, including energy, transport, health, and digital infrastructure, ensuring that essential and important entities implement appropriate cybersecurity practices.
Who is impacted by the NIS2 directive?
Compared with the original NIS directive, NIS2 expands its reach to include both essential and important entities across a wide range of sectors. Essential entities include organizations operating in critical infrastructure sectors such as energy, transport, finance, health, and digital infrastructure. In other words, it covers operators of power plants, electricity transmission systems, and energy distribution networks, which increasingly depend on interconnected digital systems to function securely and reliably.
Important entities such as those in manufacturing, food production, and postal services are also brought under the directive’s scope. NIS2 applies to medium and large enterprises in these categories, as well as smaller companies where their operations are critical to the economy or society.
“NIS2 reflects a necessary shift in how we view digital risk, not just as an IT issue, but as a business-critical concern across both operational and information systems. By expanding its scope to include, for example, critical infrastructure, the directive acknowledges that digital disruptions can move far beyond the server room.

The security of our interconnected systems can impact public safety, economic stability, and national resilience, so NIS2 is about strengthening and improving cybersecurity throughout the EU, focusing on risk management, incident handling, business continuity, and information sharing.”

Jan Bo Lilliendal, IT & Compliance director, Opoura
How can your business best prepare for NIS2?
Once you have determined how the NIS2 directive applies to your organization, a set of required measures must be prepared and implemented to ensure compliance. The requirements fall into four categories:
- Risk management
- Corporate accountability
- Reporting obligations
- Business continuity
In addition to these four categories, the directive lists 10 minimum measures that must be implemented as a baseline. A few of them are listed below:
1. Conduct risk assessments. Companies must evaluate their current cybersecurity setup and identify gaps relative to NIS2 requirements.
2. Implement security incident response protocols. Companies must establish protocols for detecting, responding to, and reporting cybersecurity incidents.
3. Provide training. Companies should prioritize incident response and business continuity training.
4. Ensure supply chain security. Companies should map, assess, and manage risks associated with third-party vendors and service providers.
Non-compliance with NIS2 may expose your organization to increased cybersecurity risk, potentially disrupting operations and affecting overall business performance. It may also erode your stakeholders’ trust in your company.
“Achieving NIS2 compliance isn’t just about meeting regulatory requirements; it’s about building a resilient cybersecurity framework that protects your organization’s critical assets and supports ongoing operational performance. In addition to the measures defined in the directive, it often also requires a cultural change within an organization.”

Jan Bo Lilliendal, IT & Compliance director, Opoura