The business implications of the NIS2 Directive

The NIS2 directive will be implemented by autumn 2024 and, building on the NIS1 directive, is a notable advancement in the European Union’s approach to cybersecurity. The primary goal of NIS2 is to harmonise interpretations of cybersecurity risk management and reporting obligations. It requires EU member states to adopt national cybersecurity strategies and to set up suitable supervisory bodies. However, how will this affect private business, and which organisations must brace themselves for new obligations?

Size

Under the current cybersecurity model, EU member states have the authority to determine which entities qualify as operators of essential services. NIS2 not only broadens the list of sensitive sectors but also introduces a uniform size cap to identify the entities within its purview, targeting medium-sized and larger enterprises operating in relevant sectors. EU states will be able to make certain exceptions to this general rule, allowing them either to include or to disregard entities depending on the importance of their operations within sensitive sectors.

Sectors

According to the directive, these sectors are divided into two categories. The first category, covered by Annex I, expands on the strategic sectors already covered by NIS1 (energy, transport, financial institutions, healthcare, ICT). The groundbreaking difference with NIS2 is the newly added category of Annex II sectors, encompassing a wide range of industries such as waste management, chemicals, food production, and various types of manufacturing.

Essential or important

In principle, large enterprises operating in Annex I sectors will be classified as essential, while medium-sized enterprises and entities active in Annex II sectors will be considered important. This differentiation leads to the establishment of different supervisory regimes for essential and important entities, striking a balance between the need for oversight and the added administrative burden on entities and authorities. Essential entities are subject to more comprehensive supervision, whereas important entities face lighter scrutiny, based on ex post evaluation in the event of incidents.

Supply chain

The reach of NIS2 extends beyond the essential and important entities directly affected by its provisions. It emphasises the importance of cybersecurity resilience throughout the supply chain. As a result, entities not directly governed by NIS2 may find themselves subject to new cybersecurity obligations through contractual agreements with partners that must comply with NIS2.

Implementation

NIS2 only establishes a foundational framework of rules; the specifics will be determined by each member state. Given the extensive applicability of these new cybersecurity regulations, businesses and their advisors should monitor governmental proposals concerning NIS2 implementation and the measures to be adopted in each country.

16 April 2024

Penteris