NIS2 Now Enforced (October 2024) | €10M Maximum Fines for Essential Entities | 10 Mandatory Security Measures (Article 21) | Management Personal Liability Under NIS2 | 18 Critical Sectors Covered
EU DIRECTIVE 2022/2555

What is the NIS2 Directive?

The Network and Information Security Directive 2 (NIS2) is the EU's most comprehensive cybersecurity law, mandating 10 security measures across 18 critical sectors. In force since October 2024.

OVERVIEW

NIS2: The New Standard for EU Cybersecurity

NIS2 (Directive EU 2022/2555) replaced the original NIS Directive in January 2023 and member states were required to transpose it into national law by October 2024. It significantly expands the scope of organisations subject to cybersecurity obligations and introduces stricter enforcement mechanisms.

Unlike its predecessor, NIS2 covers both essential and important entities across 18 sectors, imposes personal liability on management, and requires mandatory incident reporting within 24 hours of awareness.

Key figures:

- 18 critical sectors
- 10 mandatory measures (Art. 21)
- €10M maximum fine (essential entities)
- 24h early warning reporting

ESSENTIAL vs IMPORTANT ENTITIES

Essential Entities
Sectors: Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management, Public Administration, Space
Fine: Up to €10M or 2% of global annual turnover

Important Entities
Sectors: Postal Services, Waste Management, Chemicals, Food, Manufacturing, Digital Providers, Research
Fine: Up to €7M or 1.4% of global annual turnover
ARTICLE 21(2)

10 Mandatory Security Measures

NIS2 Article 21(2) requires all covered entities to implement these 10 minimum cybersecurity risk-management measures. These are the baseline regulators and auditors will assess.

ART. 21(2)(a)

Risk Analysis & IS Security Policies

Policies on risk analysis and information system security. Organisations must create governance frameworks, structures, and procedures to analyse cybersecurity risks.

ART. 21(2)(b)

Incident Handling

Detection, analysis, containment, recovery and notification procedures for cybersecurity incidents.

ART. 21(2)(c)

Business Continuity

Backup management, disaster recovery and crisis management to ensure operational resilience.

ART. 21(2)(d)

Supply Chain Security

Security in supplier relationships and third-party service providers. Includes vulnerability assessments of direct suppliers and their cybersecurity practices.

ART. 21(2)(e)

Network & IS Acquisition, Development & Maintenance

Security in acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure.

ART. 21(2)(f)

Cybersecurity Risk-Management Effectiveness

Policies and procedures to regularly assess the effectiveness of the cybersecurity risk-management measures in place.

ART. 21(2)(g)

Cyber Hygiene & Training

Basic cyber hygiene practices and cybersecurity training for all staff, including role-based and management-level training.

ART. 21(2)(h)

Cryptography & Encryption Policies

Policies and procedures regarding the use of cryptography and, where appropriate, encryption of data at rest and in transit.

ART. 21(2)(i)

HR Security, Access Control & Asset Management

Human resources security procedures, access control policies, and management of hardware and software asset inventories throughout their lifecycle.

ART. 21(2)(j)

MFA & Secure Communications

Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity.

โ„น๏ธ These are minimum measures
Article 21 measures are not exhaustive. Entities may need additional controls depending on their risk profile. Management bodies are personally accountable under Article 20 for approving and overseeing these measures.
๐Ÿญ COVERED SECTORS

18 Critical Sectors Under NIS2

NIS2 covers a far wider range of sectors than its predecessor, affecting an estimated 180,000+ entities across the EU.

Essential entities:

- Energy
- Transport
- Banking
- Financial Markets
- Health
- Drinking Water
- Wastewater
- Digital Infrastructure
- ICT Management
- Public Administration
- Space

Important entities:

- Postal Services
- Waste Management
- Chemicals
- Food
- Manufacturing
- Digital Providers
- Research

Ready to Achieve NIS2 Compliance?

Start your free trial today. All 10 measures. All 3 panels. No complexity.
