Why is the NIS 2 Directive crucial for cybersecurity?

The NIS 2 Directive (Network and Information Security) came into effect on January 16, 2023, within the European Union, replacing the initial NIS Directive of 2016. This updated regulation addresses the growing and diversifying cyber risks. It applies to thousands of Essential Entities (EE) and Important Entities (IE) across Europe, spanning 18 sectors of varying criticality (healthcare, public administration, transport, water, waste management, etc.). Its transposition into national laws by October 17, 2024, is vital to counter increasingly severe cyber crises. However, NIS 2 also represents a significant challenge, as companies of all sizes must meet stringent security requirements or face substantial financial penalties.

Main objectives of the NIS 2 Directive

Enhancing European coordination

NIS 2 aims to bolster the overall level of cybersecurity across the European Union by further securing the networks and information systems of thousands of organizations and essential infrastructures. This harmonization of cybersecurity levels involves sharing expertise in cyber defense and ensuring coordination among EU member states, especially during cyberattacks. Such efforts aim to guarantee a swift and unified response to cyber crises and enhance risk identification.

This European cooperation takes shape through the creation and management of various exchange networks:

EU-CyCLONe

The European Cyber Crises Liaison Organization Network (EU-CyCLONe) was established to study and respond to large-scale incidents in a coordinated manner. Introduced alongside NIS 2, its purpose is to ensure the regular exchange of relevant information among member states and EU institutions. EU-CyCLONe notably works to develop a shared understanding of significant cybersecurity incidents and crises and to coordinate their management. (Source: NIS 2 Directive)

CSIRT Network

Established in 2016 under the original NIS Directive, the CSIRT Network (Computer Security Incident Response Teams Network) brings together representatives from EU member states and the CERT-EU (Computer Emergency Response Team). Meeting three times a year, the network aims to strengthen trust among member states and promote rapid and effective operational cooperation.

NIS Cooperation Group

Launched in 2017 under Article 11 of the NIS Directive, the NIS Cooperation Group includes representatives from EU member states, the European Commission, and ENISA. Its objectives include:

  • Supporting and facilitating strategic cooperation between member states,
  • Encouraging information exchange and mutual trust,
  • Raising overall cybersecurity maturity and national capabilities through training and tools.

(Source: Cyber Gouv)

Increasing operational resilience

The directive requires affected entities to implement measures to strengthen operational resilience. This entails being prepared to handle cybersecurity incidents by developing and testing incident management and business continuity plans in advance. Establishing technical and organizational processes is critical, including deploying secure solutions and designating trained teams. These measures are essential to mitigate the impact of cyberattacks on organizations.

Entities subject to the NIS 2 Directive

Essential Entities (EE) and Important Entities (IE): What’s the difference?

Around 10,000 European public and private organizations must comply with the NIS 2 Directive. These entities are divided into two categories: Essential Entities (EE) and Important Entities (IE), operating within either critical or highly critical sectors. This classification tailors regulatory obligations to the size and criticality of the entities, influencing the severity of penalties. However, each country defines specific identification criteria. In France, for instance:

  • Essential Entities (EE) largely include large companies in highly critical sectors.
  • Important Entities (IE) primarily encompass medium-sized organizations in highly critical sectors and entities within critical sectors.

This classification replaces the former designation of “OES” (Operators of Essential Services).

Critical and highly critical sectors

The following sectors are designated as highly critical:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure
  • IT service management
  • Public administration
  • Space

Critical sectors include:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing
  • Digital providers
  • Research

Unlike NIS 1, central administrations of member states and certain local authorities now fall under the NIS 2 scope.
(Source: Mon Espace NIS 2)

Key Requirements of the NIS 2 Directive

Risk Management

Risk management is at the core of the NIS 2 Directive. Article 21 of the European regulation outlines a series of measures that entities must implement, such as:

  1. Policies for risk analysis and information system security;
  2. Incident handling and business continuity measures, including backup management, disaster recovery, and crisis management;
  3. Supply chain security, including measures ensuring security in relationships with direct suppliers or service providers;
  4. Security in the acquisition, development, and maintenance of networks and information systems, including vulnerability management and disclosure;
  5. Policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
  6. Basic cyber hygiene practices and cybersecurity training;
  7. Policies related to cryptography, including encryption where applicable;
  8. Human resource security, access control policies, and asset management;
  9. Use of multi-factor authentication, secure communication systems (voice, video, text), and emergency communication systems where applicable.

Incident Reporting

In case of significant cybersecurity incidents, entities are required to notify the national authorities responsible for implementing NIS 2 as quickly as possible. Specific notification procedures are defined by national laws, along with what constitutes a “significant incident.” Typically, organizations have 24 hours to inform authorities of an incident.

Here is the list of competent authorities per EU member state, listed as the main point of contact for NIS 2 entities:

  • Germany: BSI (Bundesamt für Sicherheit in der Informationstechnik)
  • Austria: Office for Strategic Networking and Information Systems Security
  • Belgium: CCB (Centre pour la Cybersécurité Belgique)
  • Bulgaria: Ministry of e-Government
  • Cyprus: Digital Security Authority (DSA)
  • Croatia: National Security Authority
  • Denmark: Center for Cyber Security
  • Spain: Departamento de Seguridad Nacional
  • Estonia: Information System Authority
  • Finland: National Cyber Security Centre, Finnish Transport and Communications Agency (Traficom)
  • France: ANSSI (Agence nationale de la sécurité des systèmes d’information)
  • Greece: Cybersecurity Directorate of the Ministry of Digital Governance
  • Hungary: National Cyber Security Center
  • Ireland: National Cyber Security Centre
  • Italy: National Cybersecurity Agency (ACN)
  • Latvia: Ministry of Defense
  • Lithuania: National Cyber Security Centre
  • Luxembourg: Institut Luxembourgeois de Régulation
  • Malta: Malta Critical Infrastructure Protection Directorate
  • Netherlands: Nationaal Cyber Security Centrum
  • Poland: Ministry of Digital Affairs
  • Portugal: Centro Nacional de Cibersegurança
  • Czech Republic: National Cyber and Information Security Agency
  • Romania: Romanian National Computer Security Incident Response Team (CERT-RO)
  • Slovakia: National Security Authority
  • Slovenia: Government Information Security Office
  • Sweden: Swedish Civil Contingencies Agency (MSB)

Leadership Training

Training organizational leaders is a key requirement under NIS 2. Cybersecurity measures within organizations must be approved and monitored to ensure effectiveness. Leaders must undergo specific training on NIS 2 compliance, cybersecurity standards, and risk management to make informed decisions.

Furthermore, employees at all levels should be made aware of these practices to ensure that proper cybersecurity measures are applied throughout the organization.

Achieving Compliance with the NIS 2 Directive

Organizational and Technical Measures

To achieve compliance, organizations should follow a clear roadmap that includes:

  • Audits,
  • Risk mapping,
  • Identifying involved teams,
  • Training and awareness programs,
  • Deploying security tools and strategies aligned with their criticality level.

These organizational and technical measures should be integrated into a well-defined plan, subject to regular updates and controls.

The Role of France’s ANSSI

The French National Cybersecurity Agency (ANSSI) plays a crucial role in transposing the NIS 2 Directive into French law. ANSSI also assists businesses in achieving compliance by providing resources through its “Mon Espace NIS 2” platform. Organizations can use these resources to determine their regulatory obligations and classification.

ENISA’s Role in Europe

At the European level, the European Union Agency for Cybersecurity (ENISA) offers extensive resources on NIS 2, including infographics detailing key requirements like incident reporting.

Penalties for Non-Compliance

Financial Sanctions

Unlike NIS 1, the NIS 2 Directive imposes significant financial penalties for non-compliance, which can reach up to €10 million or 2% of an organization’s annual turnover. These penalties are tailored to the criticality level and size of the organization.

The European Context of the NIS 2 Directive

Transposition of the Directive Across Member States

The transposition of the NIS 2 Directive varies across EU member states. Some countries, such as Belgium, Croatia, and Hungary, have already incorporated the directive into their national legislation. However, others, like France and Germany, are facing delays despite their advanced cybersecurity maturity:

  • France presented its draft NIS 2 law on October 15, 2024, just two days before the deadline.
  • Germany plans to finalize the transposition by early 2025.

These delays create uncertainty for entities that must prepare for compliance. In France, the National Cybersecurity Agency (ANSSI) has announced a three-year grace period during which non-compliant organizations will not face sanctions.

Conclusion: A Shared Cybersecurity Challenge

The NIS 2 Directive is essential for raising cybersecurity standards across the EU. By adopting technical, legal, and organizational measures, Essential Entities (EE) and Important Entities (IE) can not only comply with regulatory requirements but also strengthen their operational resilience against cyberattacks. While achieving compliance is challenging, it also represents an opportunity to build sustainable cybersecurity maturity and contribute to the collective security of European nations.

FAQ on the NIS 2 Directive

What is the NIS 2 Directive?

Adopted in October 2024, the NIS 2 Directive is the EU’s updated framework for strengthening cybersecurity in networks and information systems. Building on the first NIS Directive, it addresses growing cyber threats and aims to harmonize security requirements across Europe, ensuring a high level of cybersecurity and operational resilience for critical infrastructures.

What are the key challenges of NIS 2?

As cyberattacks increase and societies become more reliant on digital technologies, NIS 2 seeks to establish a robust framework for improving security in vital sectors such as finance, energy, healthcare, and others. By enforcing this directive, the EU aims to achieve higher cybersecurity standards, better defend against cyber threats, and protect essential services.

How can organizations prepare for NIS 2?

Organizations should follow a national compliance roadmap, including risk analyses and implementing technical and organizational measures to enhance cybersecurity. Training leaders and security teams is critical for understanding the new regulatory requirements. Platforms like France’s “Mon Espace NIS 2” provided by ANSSI help guide organizations through the compliance process.

What are the obligations under NIS 2?

The directive mandates that regulated entities implement proportional technical, legal, and organizational measures based on identified cyber risks. They must also report significant security incidents to the relevant authority (such as ANSSI in France). Non-compliance can result in penalties, including financial sanctions of up to a percentage of global turnover.

Who is affected by NIS 2?

NIS 2 applies to a wide range of entities, including Essential Entities (EE) and Important Entities (IE). These categories encompass critical sectors like healthcare, energy, transport, and digital services, as well as local governments and postal services. The primary criteria include the entity’s size, turnover, and societal importance, with the directive expanding its scope to ensure greater security throughout the supply chain.

What are the impacts of NIS 2 on businesses?

The directive imposes stringent cybersecurity requirements on businesses, requiring investments in security measures, employee training, and rigorous incident management processes. While challenging, these measures enhance security, protect organizational data, and improve resilience against cyber threats. They also provide a competitive advantage by building trust among partners and clients.