Compliance

NIS2 Directive

EU Directive 2022/2555 expanding cybersecurity requirements for essential and important entities across 18 sectors, with personal liability for management bodies and substantial fines for non-compliance.

The NIS2 Directive came into force across EU member states in October 2024. It substantially lowered the threshold for in-scope organisations from NIS1: now any organisation with 50+ employees or €10M+ turnover in covered sectors is subject to the directive. Covered sectors include energy, transport, banking, healthcare, digital infrastructure, water, waste management, and ICT service management.

Article 21 mandates ten categories of security measure including risk analysis, incident handling, supply chain security, encryption, and mandatory cybersecurity training. Article 23 requires incident reporting on a strict timeline: 24-hour early warning, 72-hour initial notification, one-month final report.

UK and US organisations are not directly subject to NIS2 but may have exposure through EU subsidiaries or supply chain obligations. The UK Cyber Security and Resilience Bill will broadly mirror NIS2 structure when enacted.

See: NIS2 Directive: What UK & US Operators Must Do Now.

← Back to Glossary