EU Deadline: 17 Oct 2024
Sectors: 18
Max Fine: 10M€

What is the NIS2 Directive?

The NIS2 Directive (Network and Information Security 2) is European legislation that came into force on January 16, 2023. It replaces and strengthens the original NIS Directive from 2016, which was the first pan-European cybersecurity legislation.

NIS2 aims to establish a common high level of cybersecurity across the European Union. It imposes stricter cybersecurity risk management measures and incident notification obligations on essential and important entities.

EU Member States were required to transpose this directive into their national legislation by October 17, 2024. Affected organizations must comply with the new requirements or face significant financial penalties.

Main Objectives of NIS2
  • Harmonize cybersecurity requirements across all EU Member States
  • Expand scope to more sectors and entities (from 7 to 18 sectors)
  • Strengthen security requirements with 10 mandatory minimum measures
  • Improve cooperation between Member States through cooperation groups
  • Introduce stricter incident notification obligations (24h/72h)
  • Establish a dissuasive sanctions regime up to €10M or 2% of global turnover

NIS vs NIS2: Key Differences

| Aspect | NIS (2016) | NIS2 (2023) |
|---|---|---|
| Covered sectors | 7 sectors | 18 sectors (11 essential + 7 important) |
| Affected entities | Essential service operators | Medium and large entities (≥50 employees or ≥€10M turnover) |
| Maximum fines | Variable sanctions by State | Up to €10M or 2% of global turnover |
| Notification deadline | No harmonized deadline | Early warning 24h, incident report 72h |