What is NIS2 (Network and Information Security Directive 2)?

EU directive (2022/2555) that member states were required to transpose into national law by 17 October 2024. Expands cybersecurity baselines to an estimated 150,000 organizations across 18 sectors, split into 'essential' and 'important' entities. Requires risk-management measures, incident reporting, supply-chain security, and management accountability. Penalties for essential entities up to €10M or 2% of global annual turnover, whichever is higher.

Full explanation

NIS2 replaces the original NIS Directive (2016/1148) and widens scope considerably. Annex I (high-criticality) sectors: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space. Annex II (other critical) sectors: postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networks), research. Vendors such as SaaS providers selling into these sectors face flow-down requirements through their customers' supply-chain security obligations (Art. 21): incident reporting on the 24-hour early-warning / 72-hour notification / one-month final-report timeline, supply-chain due diligence, MFA or continuous authentication on critical access, vulnerability handling and disclosure, and business continuity. National implementations vary in detail; many member states missed the October 2024 deadline, and the Commission opened infringement proceedings against 23 of them in November 2024, so check the transposing law in each state where you operate.

Example

A SaaS vendor serving EU healthcare organizations falls in scope in its own right as a cloud computing service provider (digital infrastructure, Annex I), classified as an 'important' or 'essential' entity depending on size, and additionally inherits flow-down requirements from its in-scope customers. It must implement: written cybersecurity and risk-management policies, MFA on administrative and other critical access, incident-response procedures (24-hour early warning and 72-hour incident notification to the national CSIRT or competent authority, final report within one month), supply-chain risk assessments of its own vendors, and management-board accountability for cyber risk, including approval of the measures and training. Penalties for an important entity: up to €7M or 1.4% of global annual turnover, whichever is higher.

FAQ

Am I in scope?

If you operate in one of the 18 listed sectors AND are at least a medium-sized enterprise (typically 50+ employees or €10M+ annual turnover), yes. Medium-sized entities in any listed sector are 'important'; large entities (typically 250+ employees or €50M+ turnover) in an Annex I sector are 'essential'. Some entity types are in scope regardless of size (for example DNS service providers, TLD name registries, qualified trust service providers, and providers of public electronic communications networks), and member states may designate smaller entities individually.

How does it relate to DORA?

DORA (Regulation 2022/2554, applicable from 17 January 2025) is the sector-specific regime for financial entities, and NIS2 defers to it where its requirements are at least equivalent. Other sectors fall under NIS2. An entity can face both regimes at once: an ICT provider that is itself an NIS2 entity, for example, must also meet the contractual and oversight requirements DORA imposes on its financial-sector customers' third-party providers.