NIS2 Directive

NIS2 compliance: who is concerned and how to get ready

The European NIS2 directive significantly broadens the range of organisations subject to cybersecurity obligations. If you operate in one of the covered sectors, the question is no longer "am I concerned?" but "am I ready?". Here are the essentials, and how I can support you.

In short

NIS2 (EU directive 2022/2555) is the European regulation that strengthens and broadens cybersecurity requirements for organisations across 18 sectors deemed critical. It replaces the first NIS directive and greatly increases the number of entities concerned. The organisations in scope are classified as "essential entities" and "important entities". They must implement cyber risk governance, adopt technical and organisational measures, report significant incidents (initial warning within 24h, notification within 72h) and secure their supply chain. The directive introduces management liability and dissuasive financial penalties. Transposition into French law is under way.

What is the NIS2 directive?

NIS2 (Network and Information Security 2) is a European directive adopted in 2022 (EU 2022/2555) succeeding the 2016 NIS directive. Its goal: raise the overall level of cybersecurity across the EU in the face of a sharply growing threat.

Compared with NIS1, NIS2 considerably broadens the scope of organisations concerned, harmonises requirements across member states, strengthens risk-management and incident-notification obligations, and introduces direct liability for management bodies. Each state transposes the directive into national law; in France this transposition is under way.

Who is concerned by NIS2?

NIS2 covers 18 sectors split into "highly critical" and "critical": energy, transport, banking, financial market infrastructures, health, drinking and waste water, digital infrastructure, public administration, space, postal services, waste management, manufacturing (medical devices, computer and electronic products, etc.), production and distribution of chemicals and food, digital providers, research.

The directive generally applies to medium-sized and large companies in these sectors (from 50 employees or €10M in annual turnover), but some entities are in scope regardless of size because of their criticality.

Essential vs important entities

NIS2 distinguishes two categories. "Essential entities" (highly critical sectors, large companies) are subject to proactive supervision. "Important entities" are subject to reactive supervision (in case of an incident or report). Both have similar obligations; the control and sanction regime differs.

What are the NIS2 obligations?

NIS2 mandates "appropriate and proportionate" cyber risk-management measures. In practice:

  • Implement a risk analysis and management policy
  • Adopt technical and organisational measures (access control, encryption, MFA, backups, business continuity)
  • Manage incidents: detection, handling and notification
  • Secure the supply chain and supplier relationships
  • Assess the effectiveness of measures and practise cyber hygiene and training
  • Involve and hold management bodies accountable (they can be held liable)

Incident notification: the deadlines

One of NIS2's flagship obligations concerns the rapid notification of significant incidents to the competent authority (in France, ANSSI):

  • Early warning within 24 hours of becoming aware of the incident
  • Full notification within 72 hours, with an incident assessment
  • Final report within one month

Penalties and management liability

NIS2 provides for dissuasive financial penalties, up to several million euros or a percentage of global turnover depending on the entity category. Beyond the fine, the directive introduces the liability of management bodies regarding the oversight of cybersecurity measures — a major shift that places the topic at board level.

How to achieve NIS2 compliance?

The good news: NIS2 requirements overlap heavily with ISO 27001. An organisation engaged in a structured ISMS already covers most expectations. The typical approach:

  • Determine whether you are concerned, and in which category (essential / important)
  • Run a gap analysis against the NIS2 requirements
  • Conduct a risk assessment and a prioritised treatment plan
  • Put in place governance, technical measures and notification procedures
  • Secure the supply chain (contractual clauses, supplier assessment)
  • Train and involve management in the steering

My NIS2 support

NagaShield helps you determine your eligibility, measure the gap and build a realistic roadmap to compliance — leveraging synergies with ISO 27001 to avoid redundant effort. As an outsourced CISO, I can also steer the programme over time and manage the relationship with authorities.


Prepare your NIS2 compliance

Let's check together whether you are concerned and build your roadmap. Eligibility assessment during a free scoping call.
