We understand it can be a challenge to stay on top of new cybersecurity regulations, especially when they affect the vital services your organization provides. That is why we have put together this NIS2 FAQ to guide you step by step, clarifying what NIS2 entails, who falls under its scope, and how to meet its requirements. We’re here to help you feel confident about safeguarding your operations while remaining compliant.
The primary goal of the NIS2 Directive is to increase cybersecurity capabilities throughout the European Union. It encourages stronger risk management among key infrastructure providers, increases collaboration among EU member states, and enforces stricter requirements for reporting security incidents.
NIS2 applies to both “essential” and “important” entities. These are companies or institutions that deliver vital services needed to keep society, the economy, and the internal market functioning smoothly.
NIS2 has an expanded sector scope, introduces clear consequences for non-compliance, sets new security standards, and enhances cooperation across jurisdictions and the mechanisms for reporting cyber incidents.
The main difference lies in the organization’s scale and the potential social or economic impact of disruptions. A service outage at an essential entity can have far-reaching consequences: economic instability, public safety risks, and major social disruption. Important entities can also experience negative impacts, but those impacts tend to be less severe.
Possibly. Even if it does not fit the “essential” or “important” size categories, an organization can still fall under NIS2 if it is a sole provider of a critical service, if disruption could significantly affect public safety or health, if it poses systemic risks, or if it is vital to a particular sector (including at the national level).
Typically, essential entities exceed the upper boundary for medium-sized enterprises: more than 250 employees, annual turnover above 50 million euros, and a balance sheet exceeding 43 million euros. Entities of special strategic value might be deemed essential regardless of size.
Important entities generally have between 50 and 250 employees, an annual turnover of up to 50 million euros, and a balance sheet not exceeding 43 million euros; alternatively, they may exceed these limits while still delivering services deemed “important.” Additionally, entities with 50–250 employees that do not meet certain thresholds can still be classified as important if they operate in key sectors or meet specific critical criteria.
If an organization qualifies as both, it must comply with the requirements set for essential entities.
Yes. All entities subject to the directive must inform the relevant authorities about any incident threatening service continuity. Essential and important entities have a strict timeline: an initial notification within 24 hours (covering the nature of the incident and cross-border implications), an interim report within 72 hours, and a final report within 30 days detailing severity, impact, root cause, mitigation steps, and cross-border effects.
One practical method is to use a gap analysis questionnaire, which compares existing cybersecurity measures against the directive’s requirements and highlights the areas needing improvement.
The timeline varies based on factors like current cybersecurity maturity, organizational complexity, size, and national specifics. On average, many entities can reach full compliance within about 12 months.
Essential entities may face fines up to 10 million euros or 2% of their global annual turnover—whichever is higher—while important entities can be fined up to 7 million euros or 1.4% of their worldwide annual revenue, again depending on which figure is greater.
We hope this NIS2 FAQ has made the Directive a bit clearer and easier to navigate. If you’re unsure about any details or would like more personalized guidance, our team is ready to assist. Feel free to reach out for further support or answers to any additional questions.