NIS2 is no longer a regulatory-watch topic. The directive is in force across the EU. Above all, its scope covers tens of thousands of entities, versus a few hundred under NIS1. Thus, many executives discover they are in scope through a customer questionnaire or an M&A deal. Here is how to find out where you stand, and what to do next.
Who is in scope of NIS2?
The directive distinguishes two categories: essential entities and important entities. They span 18 sectors, from energy and health to digital services, food, transport and public administration. Two criteria matter. First, size: from 50 employees or EUR 10 million in revenue for most sectors. Second, the nature of the activity, because certain entities are designated regardless of size.
One point is often overlooked. Indeed, the directive also reaches suppliers and subcontractors of regulated entities indirectly. Their customers then impose security requirements on them by contract. Thus, you can be affected by NIS2 without being legally subject to it.
What are the obligations?
The obligations fall into three blocks. First, governance. Management bodies must approve cyber risk management measures and oversee their implementation. Their accountability can even be personal. Second, security measures: risk analysis, supply chain security, incident handling, business continuity, encryption and access control, notably. Third, notification. Any significant incident triggers an early warning within 24 hours, a notification within 72 hours, then a final report.
What are the penalties?
The directive sets a dissuasive sanction regime. It reaches up to EUR 10 million or 2% of worldwide turnover for essential entities. It falls to EUR 7 million or 1.4% for important entities. However, the most immediate risk is often commercial. Indeed, a lack of demonstrable compliance loses a tender or a major customer.
Where to start?
Start with a scoping analysis. It determines whether you are covered, in which category, and for which activities. Then comes a gap analysis against the requirements. It leads to a prioritized action plan: what actually protects first, what documents second. Thus, compliance runs as a program, with milestones, owners and board-level reporting. It is not yet another IT project.
One particular case deserves attention: M&A deals. Indeed, if the entity you are acquiring or divesting is in NIS2 scope, compliance applies from Day 1. Thus, the subject belongs in the due diligence and in the separation or integration plan.
The takeaway
NIS2 moves cybersecurity from the technical arena to the governance arena. It is now a boardroom subject, with executive accountability. The good news, however: a well-built foundation answers NIS2, DORA for the financial sector and ISO 27001 at the same time. And that, without tripling the effort.