Adopted in 2022 by the European Union, the NIS2 Directive represents a significant advancement in the field of cybersecurity. Its main goal is to strengthen the resilience of critical infrastructures and harmonize practices across member states. By expanding the scope of the original NIS Directive, it imposes strict requirements aimed at ensuring the continuity of essential services in the face of growing digital threats. This article offers a detailed exploration of the directive, its implications, and its strategic impact.
The NIS2 Directive aims to address the growing sophistication of cyber threats and proactively protect critical infrastructures. Its objectives include harmonizing cybersecurity requirements among member states, strengthening the resilience of organizations providing essential services, improving incident management to reduce their impact on operations, and encouraging enhanced cooperation among member states to combat cross-border cyberattacks.
The NIS2 Directive establishes specific criteria to determine which entities fall within its scope, namely essential and important entities. These criteria are primarily based on:
Competent authorities, such as the ANSSI in France, also have the ability to designate specific entities based on additional criteria.
Essential entities are generally medium to large-sized businesses operating in the sectors defined in Annex 1 of the directive. They must meet one of the following threshold criteria:
Important entities are those that do not meet the criteria defining essential entities. By default, any entity not falling into the category of essential entities will be considered an important entity.
Compliance with NIS2 promises better protection against cyberattacks through robust policies, reduced service interruptions for critical infrastructures, and increased trust from business partners and customers in digital systems.
The NIS2 Directive substantially broadens the scope compared to its previous version, covering a wider range of sectors deemed critical for the security of infrastructures and services. It now includes traditionally sensitive sectors such as energy, transport, and telecommunications, but also extends to essential fields such as:
This extension of sectors aims to better protect the critical links in interconnected supply chains, which can be prime targets for digital attacks, and to strengthen overall resilience against cyber threats. The image below illustrates the affected sectors and the interconnections between these strategic domains.
The directive imposes a direct responsibility on business leaders for cybersecurity, including the establishment of a clear risk management policy and the obligation to report to the competent authorities on the security status.
Entities concerned must implement rigorous processes to identify and assess risks, monitor emerging threats, and document and report any significant incident within the prescribed timeframes.
A central pillar of NIS2 is the increased collaboration among member states, embodied by the exchange of information on threats and incidents and the implementation of coordinated responses to major cyberattacks.
Compliance begins with an initial risk assessment to identify specific vulnerabilities. Organizations must then develop a cybersecurity strategy incorporating technical and organizational measures and invest in training and awareness to strengthen internal capabilities.
Organizations can take advantage of guides from ENISA, risk assessment tools, threat intelligence platforms, and European grants dedicated to cybersecurity.
Non-compliance with the obligations imposed by the NIS2 directive can lead to substantial financial penalties. The fines depend on the category of the entity concerned:
These sanctions aim to encourage organizations to comply with cybersecurity requirements and ensure the protection of critical infrastructures against cyber threats.
ISO/IEC 27001: Information Security Management System (ISMS)
EU Cybersecurity Act
GDPR (General Data Protection Regulation)
NIS2 vs ISO/IEC 27001
Both standards align with risk management and cybersecurity of networks and information systems. However, their approach differs: ISO/IEC 27001 provides a certifiable framework for information security management, allowing companies to receive official recognition of their compliance. In contrast, NIS2 imposes binding legal obligations, making compliance mandatory for affected organizations.
NIS2 vs EU Cybersecurity Act
NIS2 aims to strengthen digital resilience and risk management of critical infrastructures by imposing strict requirements on strategic businesses. The Cybersecurity Act focuses mainly on the cybersecurity certification of products and services, ensuring their reliability before being marketed. Additionally, this certification helps secure technologies used in critical infrastructures covered by NIS2.
NIS2 vs NIST Cybersecurity Framework (CSF)
Although NIS2 and NIST Cybersecurity Framework (CSF) share common goals such as risk management, digital resilience, and incident response, their approaches differ. NIST CSF offers a flexible and adaptable framework, allowing organizations to tailor their cybersecurity strategies based on their needs. In contrast, NIS2 imposes strict obligations, especially for critical sectors, leaving less room for adaptation according to context.
NIS2 vs GDPR
The GDPR and NIS2 pursue distinct yet complementary objectives. The GDPR focuses on personal data protection, imposing strict rules on the processing and storage of European citizens' sensitive information. NIS2, on the other hand, targets the cybersecurity of critical infrastructures, ensuring that these entities implement solid measures to protect their systems. Both regulations overlap on the security of sensitive information and on incident notification obligations, thereby strengthening the overall protection of data and infrastructures.
The evolution of NIS:
Thus, in 2025, NIS2 is fully in force, and member states must have integrated the requirements into their legislation, with the EU monitoring the effectiveness and compliance of cybersecurity measures across Europe.
There is an expected increase in the integration of artificial intelligence in cybersecurity tools, as well as a rise in the requirements for third-party vendors in supply chains.
The directive provides enhanced resilience against cyberattacks, improves regulatory compliance by reducing the risk of sanctions, and strengthens competitiveness through increased trust from partners and customers.
However, the initial costs of compliance can be high, particularly for SMEs. Additionally, the complexity of technical requirements may demand specialized skills that are difficult to mobilize.
In conclusion, the NIS2 Directive represents a major turning point in the cybersecurity of critical infrastructures in Europe. It imposes stricter requirements and governance aimed at ensuring the resilience of essential sectors against increasingly sophisticated cyber threats. While compliance may seem complex, it offers both enhanced protection and an opportunity to strengthen trust with partners and clients. Companies must therefore act now to assess their risks and prepare to meet the new obligations.
The NIS2 Directive is a European Union legislation aimed at strengthening the cybersecurity of critical infrastructures and digital services.
Critical sectors such as energy, healthcare, transportation, and digital infrastructures are directly targeted.
Non-compliant organizations risk significant financial penalties and a loss of trust from their partners.
By adopting appropriate governance, strengthening risk management, and collaborating with the relevant authorities.
Yes, it is an expanded version tailored to current cybersecurity needs.