NIS2 Summary | Infodiz

📚 What is NIS2?

NIS2 (Network and Information Security Directive 2) is European Directive 2022/2555 of the European Parliament and of the Council of 14 December 2022, establishing measures for a high common level of cybersecurity across the European Union.

It replaces and repeals the previous NIS Directive (2016/1148).

🏢 Who Does NIS2 Apply To?

NIS2 applies to two categories of entities:

🔴 Essential Entities (Annex I)

Medium to large entities in highly critical sectors:

Energy (electricity, gas, oil, district heating, hydrogen)
Transport (air, rail, maritime, road)
Banking and credit institutions
Financial market infrastructures
Healthcare
Drinking water supply
Wastewater management
Digital infrastructure
Public administration (central and regional)
Space sector

🟡 Important Entities (Annex II)

Other critical sectors:

Postal and courier services
Waste management
Manufacture, production, and distribution of chemicals
Production, processing, and distribution of food
Manufacturing (medical devices, electronics, machinery)

📊 Size Criteria

NIS2 applies to medium-sized enterprises as defined in Recommendation 2003/361/EC:

Fewer than 250 employees
Annual turnover ≤ €50 million OR balance sheet total ≤ €43 million

⚠️ Who is EXEMPT (by default)

Micro-enterprises (fewer than 10 employees, turnover < €2 million), self-employed professionals, and artisans.

BUT — Micro and small enterprises also fall within scope if they are the sole national provider of an essential service or are explicitly designated by the Member State.

⚠️ Key Obligations

1. Cybersecurity Risk Management Measures (Art. 21)

Entities must implement appropriate measures to manage risks, including:

Risk analysis and assessment
Incident handling
Network and information system security
Backup and disaster recovery policies
Supply chain security
Security in the procurement and maintenance of systems
Access control policies
Use of cryptography and encryption
Security testing and vulnerability assessment
Intrusion detection systems

2. Incident Reporting Obligations (Art. 23)

Report significant incidents within 24 hours to your national CSIRT
Provide updates with substantial information as soon as it becomes available
Final report within 1 month with complete details

3. Registration

Entities must provide essential information to the competent national authority.

💰 Penalties (Art. 34)

🔴 Essential Entities

Maximum fine:

€10,000,000

OR 2% of global annual turnover (whichever is higher)

Management liability for serious violations

🟡 Important Entities

Maximum fine:

€7,000,000

OR 1.4% of global annual turnover

🇪🇺 Implementation in EU Member States

EU Directive 2022/2555 (NIS2) transposes NIS2 into national law in each Member State.

Designation of a national cybersecurity authority as the competent authority
Definition of essential and important entities according to European legislation
Sanctioning regime aligned with European maximums
Incident reporting procedures to your national CSIRT

📈 NIS1 vs NIS2 — Key Differences

Aspect	🆕 NIS1	✅ NIS2
Entities covered (example)	~700	~4,000-5,000 estimated
Sectors	7 sectors	15 sectors + Public Administration
Obligations	Generic	Detailed and specific
Maximum penalties	€150,000	Up to €10M or 2% of turnover
Incident reporting	Not mandatory	Mandatory within 24 hours
Supply chain	Not mentioned	Included (Art. 21)

📅 Entry into Force

NIS2 Directive: 17 January 2023 (application begins)
Transposition deadline: 17 October 2024
EU Directive 2022/2555 (NIS2): Effective from 18 August 2024 or from the dates provided for specific obligations