The Network and Information Security Directive 2, Directive (EU) 2022/2555 (NIS2) reshapes cybersecurity compliance across the European Union. The Directive aims to enhance cybersecurity and resilience within the Union, imposing uniform risk management and reporting obligations on both "essential" and "important" entities, and expanding the scope beyond traditional critical infrastructure providers. Companies that fall within scope may need to review and align their internal processes, controls, and governance structures with NIS2 — or risk enforcement consequences. The status of NIS2 implementation varies across EU Member States. For example, in Germany, the final law could take effect before the end of 2025; Italy has incorporated NIS2 into national legislation; and France is still in the process of enacting the necessary laws.

Who Is in Scope of NIS2?

NIS2 expands coverage to a wider range of sectors than the previous NIS Directive (Directive (EU) 2016/1148), including postal and courier services, as well as the chemical and food sectors. The Directive applies to both EU-established entities and, in some cases, non-EU service providers offering services within the EU. Entities are categorized as essential or important based on size, criticality, sector, or importance to the Member States. Sectors affected include:

Sectors of high criticality, e.g., energy, transport, banking, digital infrastructure, public administration, healthcare.

Other critical sectors, e.g., digital services (online marketplaces, cloud computing, and search engines), waste management, postal services, manufacturing of critical products.

Companies are considered in scope if they fall within these sectoral definitions and exceed specific size thresholds (typically medium-sized enterprises and above, i.e., more than 50 employees and €10 million turnover). Certain digital infrastructure and trust service providers are subject to NIS2 obligations regardless of size.

Enforcement and Accountability

Unlike the original NIS Directive, NIS2 introduces stronger enforcement powers for national authorities, including regular audits, security inspections, binding instructions, and — crucially — administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher. Moreover, management bodies are personally accountable for compliance, and governance failures may result in temporary bans or disqualification of individuals from leadership roles.

The Directive's intent is clear: cybersecurity is no longer a back-office technical issue — it is a board-level accountability matter and a core element of operational risk management.

Immediate Considerations for In-Scope Entities

Entities preparing for NIS2 may wish to consider the following areas:

Management bodies are explicitly responsible for compliance, including approval and oversight of cybersecurity strategies and regular training for executives and employees to establish an informed and security-aware culture throughout the organization.

Cybersecurity Risk Management Framework: Regular risk assessments to identify vulnerabilities and develop proportionate protective measures. Companies must implement both technical and organizational measures tailored to specific risks, operational complexity, and service criticality, including access controls, security-by-design principles, encryption, and network resilience tools.

Implementation of NIS2 in Other EU Member States

EU Member States were required to transpose NIS2 into national law by October 17, 2024. The status of implementation varies, with some countries (e.g., Belgium, Denmark, Greece, Hungary, Italy, Malta, Slovakia) having enacted NIS2 legislation, while others (e.g., Germany, France) are still in the process. National implementations may contain specific deviations or additional requirements, so each national law should be assessed individually. The European Commission has launched infringement proceedings against EU Member States that failed to meet the implementation deadline.

Examples of National Implementation Laws and Draft Laws

Scope of Application: The current German draft law allows business activities deemed "negligible" in relation to a company's overall operations to be excluded from the scope of the law. This provision is intended to prevent companies from being unnecessarily classified as important or highly important due to minor activities. To determine what is "negligible", the explanatory memorandum to the draft bill states that factors such as the number of employees or generated revenue can be considered. However, although such criteria provide guidance on how to interpret "negligible", legal uncertainties remain, as the term is not exhaustively defined in the draft, and there is a general question whether the EU framework allows for such an exception at all.

Monitoring National Implementation of NIS2

Inconsistencies in national implementation create challenges, particularly for companies operating cross-border in the EU. For example, telecommunications companies may need to comply with NIS2 laws in every EU country where they provide services, whereas cloud and data center providers are generally subject only to the laws of their main establishment. However, many EU Member States are moving beyond the minimum requirements of NIS2, introducing more customized security obligations and liability for company leadership, which creates compliance risks for companies. This evolving landscape therefore warrants continuous monitoring of legal developments in the relevant countries.

Conclusion

The NIS2 Directive sets out minimum harmonization standards, and EU Member States may adopt additional or stricter national requirements. Entities subject to NIS2 should consider reviewing their risk management, operational practices, and corporate governance in light of these obligations and monitor the legislative transposition process in each EU jurisdiction where they operate.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.