NIS2 Directive: who is affected?

Request checklist: Is my company affected?

Table of contents

NIS 2.0 Cyber Security Directive at a glance

The NIS2 Directive (Network and Information Security Directive 2) is an EU directive aimed at strengthening cybersecurity in the European Union. In essence, NIS2 extends the scope of the previous NIS Directive and covers not only critical infrastructure (such as energy and transport systems) but also important digital service providers. Affected organizations must implement strict security measures and are required to conduct risk assessments. To ensure the implementation of the directive, EU member states must establish a national cybersecurity authority.

When does the NIS2 Directive apply?

The NIS2 Directive entered into force on January 16, 2023 , replacing the current directive. Before NIS2 can have an impact on companies, it must be implemented by the member states in national laws and regulations. Member states have until October 17, 2024, to do so.


Who is affected by NIS2: essential and important facilities

Large and medium-sized companies (see definition below) from sectors with high criticality and other critical sectors are affected. Within these sectors, the terms “essential facilities” and “important facilities” are used:

Essential facility Important facility

Large companies:

  • Energy
  • Transportation
  • Banking
  • Financial market
  • Health
  • Drinking water
  • Wastewater
  • Management of ICT services
  • Space

Medium-sized companies:

  • Energy
  • Transportation
  • Banking
  • Financial market
  • Health
  • Drinking water
  • Wastewater
  • Management of ICT services
  • Space

Large & medium-sized :

  • Postal and courier
  • Waste
  • Chemicals
  • Food
  • Production
  • Digital services
  • Research

Medium-sized companies in sectors with a high criticality are therefore considered to be important facilities. Both essential and important facilities must implement the requirements. There are differencesin the way they are inspected by the authorities and in the sanctions imposed. While regular safety inspections are conducted “ex-ante” for essential facilities, inspections of important facilities are only conducted if there is reasonable suspicion.


Who is affected by NIS2: large and medium-sized companies

NIS2 categorizes companies by size:

Sizes according to NIS2 Employees Annual turnover
Small company < 50 AND < 10 mil. Euro
Medium-sized company < 250 AND < 50 mil. Euro
Large company > 250 OR > 50 mil. Euro

Note: The annual balance sheet total can also be used instead of the annual turnover, whereby the threshold between medium-sized and large companies is already 43 million (instead of 50 million).

Example: A company with 40 employees and a turnover of 12 million euros is therefore already considered a medium-sized company. If this company offers, for example, “digital services” (see above), it is considered an important institution according to NIS2 and must implement a series of risk management measures.

Who is affected by NIS2: small businesses in individual cases

Small companies (see definition above) are not covered by NIS2, but there are exceptions. The following companies fall within the scope of the directive, regardless of their size:

Request checklist: Is my company affected?


Risk management measures required for affected companies
  • Conducting a risk analysis with regard to the security of information systems
  • Development of a plan for the prevention, detection, and management of security incidents (incident management)
  • Ensuring business continuity through backup management, disaster recovery and crisis management
  • Security of the supply chain and security measures for the procurement and maintenance of IT and network systems
  • Measures to measure cyber and risk measures
  • Training employees in the areas of cyber security cyber hygiene
  • Developing guidelines for cryptography and encryption for all key areas
  • Monitoring of all access points and logging
  • Implemenntation of an information security management system with procedures, methods, and tools to increase information security (e.g., ISO 27001).
  • Use of multi-factor authentication and single-sign-on
  • Use of secure emergency communication systems
Reporting obligations for affected companies

In the event of significant incidents and threats, an early warning must be issued immediately, i.e., within 24 hours of becoming aware of the incident. An official report of the security incident must be submitted within 72 hours. A final report must be submitted to the authorities one month after this report has been submitted.

Sanctions for violations

The fine for major organizations is 10 million euros or 2 percent of global revenue.

For important organizations, the sanctions are a little less severe and amount to 7 million euros or 1.4 percent of global revenue.

NIS2 vs. DORA: what is the difference?

The NIS2 Directive and the Digital Operational Resilience Act (DORA) are both legal instruments of the European Union that deal with different aspects of cybersecurity.

NIS2 is a directive, which means that it must be transposed into national law by the EU member states. Member states have some leeway in the transposition to take into account the specific needs and circumstances of their country. DORA is a regulation, which means that it is directly applicable in all EU member states as soon as it enters into force. No national implementation is required.

NIS2 concerns operators of essential services (see definition above) and, unlike NIS1, digital service providers are now also considered to be such operators. The directive aims to ensure a high level of cybersecurity throughout the EU. DORA focuses on the resilience of the financial system in the EU. It primarily affects financial institutions and organizations in the financial sector. NIS2 and DORA are therefore different legal


Do you have any questions?

How can you best approach the topic of NIS2 in your organization? We are here to help!

Non-binding consultation

Create your digital project with us!

We are here to support you in building or enhancing your digital projects. Get in touch with us and find out how we can help bring your vision to life!