Europe’s cybersecurity landscape is shifting fast. With the NIS2 Directive (EU 2022/2555), companies across the continent now face tougher, standardized rules on digital resilience. And this time, the focus goes well beyond critical national infrastructure. From tech SMEs and cloud providers to regional telcos and online service companies, thousands of mid-sized organizations will soon fall under the same obligations once reserved for Europe’s largest utilities and operators.
Who Falls Under NIS2?
NIS2 broadens the original 2016 directive, extending coverage to medium and large entities across a wide range of sectors:
- Digital infrastructure: data centers, cloud providers, DNS services, CDNs.
- ICT and digital services: many B2B providers and online platforms.
- Telecom operators: not just national carriers, but also smaller public telcos providing connectivity.
- Other “essential” and “important” sectors: energy, transport, healthcare, public administration, postal services, manufacturing, and more
Entities are categorized as:
- Essential: generally ≥ 250 employees or ≥ €50M turnover.
- Important: ≥ 50 employees or ≥ €10M turnover.
Smaller companies can also be designated if they provide critical services or if their member state decides so.
What NIS2 Requires
Here’s what organizations now need to implement:
- tronger risk management: technical and organizational measures, supply-chain security, encryption, access control.
- Board-level accountability: management must approve and oversee cybersecurity strategy, and can be held personally liable for negligence.
- Fast incident reporting: notify within 24 hours, provide an in-depth report within 72 hours, followed by updates and a final report.
- Operational resilience: structured backups, disaster recovery, crisis simulations, and red-team testing.
- Heavy penalties: fines of up to €10 million or 2% of global turnover, plus potential liability for executives.
The Reality: Delayed Transposition
EU member states were required to transpose NIS2 into national law by October 17, 2024. Yet several — including Germany, Spain, France, and the Netherlands — have not completed the process. That leaves businesses facing uncertainty over enforcement details in their jurisdiction.
Meanwhile, ENISA has flagged that sectors like ICT, healthcare, government, and space remain behind on readiness, often due to outdated infrastructure, limited budgets, and supply-chain complexity.
A Practical Roadmap for 2025
| Step | What to Do |
|---|---|
| Eligibility check | Confirm if your company falls under “essential” or “important” entities. |
| Gap assessment | Map existing controls against NIS2 requirements. (Aon ) |
| Governance & training | Get the board engaged, designate a NIS2 officer, and roll out staff awareness programs. |
| Technical measures | Deploy MFA, patch management, encryption, secure backups, and monitoring. |
| Supply-chain oversight | Catalogue critical vendors, add resilience clauses into contracts. |
| Incident response | Build playbooks that meet the 24h/72h reporting deadlines. |
| Testing & drills | Run tabletop exercises and penetration tests. |
| Track national updates | Monitor how your country transposes NIS2 into law. |
Not Just Compliance: A Competitive Edge
Preparing for NIS2 isn’t just about avoiding fines. Done right, it’s an opportunity to:
- Strengthen customer and partner trust.
- Demonstrate operational resilience in competitive markets.
- Stay ahead of peers, especially in countries lagging behind on transposition.
As ENISA warns, cyber threats are intensifying. For Europe’s SMEs and telcos, NIS2 is more than a regulatory hurdle: it’s a resilience blueprint. And those who start now will be the ones customers rely on when the next disruption hits.
Want to get a free check of your compliance readiness? Request an initial assessment with our cybersecurity experts. Get in touch today, contact us!