
NIS2 Is in Effect. Here Is What It Means for Your IT Infrastructure.

Rahul, AI/ML Delivery Head, GYSP.tech
5 March 2026 · 10 min read

The original Network and Information Security (NIS) Directive covered a narrow set of operators of essential services. In most member states, 'essential' meant energy, transport, banking, financial market infrastructure, healthcare, drinking water, and digital infrastructure. If your company was not a national grid operator or a clearing house, NIS1 was largely irrelevant.

NIS2, which became directly applicable across EU member states in October 2024, changed the scope fundamentally. The new directive covers 18 sectors, including postal services, waste management, manufacturing, food production, chemical production, digital providers, and public administration — in addition to the original essential services. Estimates suggest 160,000 additional entities are now in scope compared to NIS1.

Are You in Scope?

NIS2 divides entities into two categories with different obligation levels:

  • Essential entities: Operators in sectors identified as critical — energy, transport, banking, financial markets, healthcare, drinking water, wastewater, digital infrastructure (IXPs, DNS, TLD registries, cloud providers, data centres, CDNs), ICT managed service providers, space. Medium-to-large enterprises (150+ employees or €10M+ turnover) in these sectors are essential entities.
  • Important entities: Operators in expanded sectors — postal and courier, waste management, chemicals, food, manufacturing of medical devices/electronics/machinery/vehicles, digital providers (marketplaces, search engines, social networks). Enterprises above the SME threshold in these sectors are important entities.

Crucially, NIS2 applies to any entity that provides services to EU customers, regardless of where the entity is headquartered. A UK-based managed services provider serving EU enterprise clients is in scope. A US SaaS company with significant EU revenue may be in scope depending on classification.

The Four Core Obligations

1. Risk Management Measures

NIS2 requires entities to implement technical, operational, and organisational measures proportionate to the risks posed to their network and information systems. This is not a documentation exercise — the directive specifies concrete domains including policies for risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, encryption and key management, access control policies, and secure development practices.

2. Incident Reporting

The NIS2 incident notification timeline is the most operationally demanding requirement for most organisations. Significant incidents — those that have or could have a serious impact on service provision — must be reported to the national competent authority within 24 hours of becoming aware of them (early warning), with a more detailed notification within 72 hours, and a full incident report within one month. Most organisations lack the internal detection and response infrastructure to meet this timeline.

3. Supply Chain Security

Entities must address cybersecurity risks in their supply chains — meaning their direct suppliers and service providers. This includes assessing the security practices of suppliers, including provisions in contracts, and regularly reviewing supplier security posture. This is the obligation that most compliance programs underestimate: it requires extending security governance beyond the organisation's own perimeter to every material supplier.

4. Board-Level Accountability

NIS2 imposes personal liability on management bodies. Senior management must approve the cybersecurity risk management measures, oversee their implementation, and can be held personally liable for infringements. National authorities can impose temporary bans on individuals from management positions for persistent non-compliance. This is the provision that has driven NIS2 onto board agendas in a way that no previous cybersecurity regulation has.

Penalties for essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of global turnover. National supervisory authorities also have the power to order temporary suspension of operations in severe cases.


The Supply Chain Obligation — The Hardest Part

The supply chain security obligation is receiving the least preparation of the four core requirements and will likely generate the most enforcement action in the regulation's early years. Entities must assess the cybersecurity practices of their suppliers, which requires a supplier security questionnaire or assessment process, contract provisions requiring minimum security standards, and a process for reviewing and acting on findings.

In practice, this means managed service providers are receiving security assessment requests from their NIS2-regulated customers at a volume that is overwhelming procurement processes. MSPs that cannot demonstrate NIS2-aligned security practices — through questionnaire responses, SOC 2 Type II reports, ISO 27001 certification, or comparable evidence — are starting to lose contract renewals to providers who can.

The 24-Hour Incident Reporting Gap

Almost no mid-market organisations currently have the detection and response infrastructure to meet the 24-hour initial notification requirement. The requirement is not 24 hours to investigate and remediate — it is 24 hours from awareness to notifying the competent authority that a significant incident has occurred. Meeting this requirement demands 24/7 security monitoring with documented escalation paths, a defined 'significant incident' threshold aligned with the regulation's criteria, and a response team that can prepare and submit the early warning notification within hours of detection.

Organisations that rely on business-hours IT support, or that lack structured incident response processes, need to address this gap before an incident occurs — not during one.

What You Need to Implement

  • Security baseline assessment: Map current controls against NIS2's required domains. Identify gaps in risk management documentation, incident response capability, and supply chain governance.
  • 24/7 monitoring capability: Either build or procure Security Operations Centre capability that provides continuous network and system monitoring with incident detection aligned to the 24-hour reporting window.
  • Incident response plan: Documented, tested response procedures aligned to the NIS2 notification timeline. Include pre-prepared early warning notification templates and designated personnel authorised to submit them.
  • Supply chain security programme: Supplier inventory, tiered assessment approach (critical vs. non-critical suppliers), contract provisions, and review schedule.
  • Management training and governance: Board and senior management briefing on personal liability provisions, approval of the risk management framework, and documented oversight process.
  • Technical controls implementation: Encryption for data at rest and in transit, MFA for all privileged access, vulnerability management programme, and secure development lifecycle.

GYSP's NIS2 Compliance Practice

GYSP's Cyber Security practice delivers NIS2 compliance programmes covering scope determination, gap assessment, technical controls implementation, incident response capability design, supply chain security programme development, and management governance frameworks. For organisations that need ongoing monitoring to meet the 24-hour notification requirement, our managed security services provide the SOC capability without the overhead of building it internally.

The board accountability provision in NIS2 is what makes this regulation different from every EU cybersecurity directive that came before it. Previous regulations penalised the organisation. This one can penalise the individuals who run it. That changes the conversation at every level.

Rahul, AI/ML Delivery Head — GYSP.tech