What is NIS2?
NIS2 (Network and Information Security Directive 2, formally Directive (EU) 2022/2555) is the European cybersecurity directive that replaces the original NIS directive from 2016. It entered into force on 16 January 2023, and EU member states were required to transpose it into national legislation by 17 October 2024.
The primary objective of NIS2 is to raise the level of cybersecurity across the EU and ensure a consistent approach to protecting critical infrastructure and services. The directive significantly expands the list of sectors required to meet strict security requirements.
- Directive in force since 16 January 2023
- EU member states had until 17 October 2024 to transpose it
- In the Czech Republic implemented through the new Cybersecurity Act
- Penalties of up to €10 million or 2% of global annual turnover (essential entities)
Who must comply with NIS2?
NIS2 distinguishes two categories of entity: essential entities and important entities. Which category applies depends on the sector (Annex I "sectors of high criticality" or Annex II "other critical sectors") and on the size of the organisation. Large organisations in Annex I sectors are generally essential entities; medium-sized organisations in Annex I sectors and organisations in Annex II sectors are generally important entities. Essential entities are subject to stricter, proactive supervision and higher maximum fines.
Sectors covered by NIS2:
Sectors of high criticality (Annex I, typically essential entities)
- Energy
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Healthcare
- Drinking water and waste water
- Digital infrastructure (including cloud computing and data centre service providers)
- ICT service management (business-to-business)
- Public administration
- Space
Other critical sectors (Annex II, typically important entities)
- Postal and courier services
- Waste management
- Chemicals (manufacture, production and distribution)
- Food (production, processing and distribution)
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research
Company size:
NIS2 generally applies to medium-sized and large enterprises operating in the listed sectors:
- Medium-sized: 50 or more employees, or annual turnover or balance sheet total above €10 million
- Large: 250 or more employees, or annual turnover above €50 million (or balance sheet total above €43 million)
Some entities are covered regardless of size, for example DNS service providers, top-level domain name registries, trust service providers and providers of public electronic communications networks, as well as entities whose disruption could have a significant impact on public safety, security or the economy.
Key NIS2 requirements
1. Risk Management and Cybersecurity
- Risk analysis — regular assessment of cyber threats
- Incident response plan — a clear procedure for security incidents
- Business continuity — ensuring continuity of services
- Security by design — security built into the development process
- Encryption and authentication — protecting data and identities
2. Supply Chain Security
- Cybersecurity assessment of suppliers and partners
- Contractual security requirements
- Third-party security monitoring
3. Access and Permissions Management
- Multi-factor authentication (MFA) for all administrators and other privileged accounts
- Least-privilege principle: every account holds only the permissions its role requires
- Regular audit of user accounts (ownership, privileges, MFA status, dormant accounts)
- Automatic revocation of access when employees leave or change roles
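The three account-hygiene controls above (privileged accounts without MFA, accounts of leavers that are still enabled, and dormant accounts) are the checks an auditor will ask to see evidence for. The following is an added example, not code from the original page or from Optimaly: a small reconciliation of an HR roster against an identity-provider export. The data structures, the sample roster and accounts, the role names and the 90-day dormancy threshold are all constructed assumptions for illustration; a real implementation would read the same fields from the HR system and the identity provider.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass(frozen=True)
class Employee:
    person_id: str
    status: str                 # "active" or "left"
    left_on: Optional[date]     # last working day, if the person has left


@dataclass(frozen=True)
class Account:
    username: str
    person_id: Optional[str]    # None for service or shared accounts
    roles: frozenset
    mfa_enabled: bool
    enabled: bool
    last_login: Optional[date]  # None if the account has never logged in


# Assumed policy parameters (hypothetical values, adjust to your own policy).
ADMIN_ROLES = frozenset({"global_admin", "domain_admin", "cloud_owner"})
DORMANT_AFTER = timedelta(days=90)
AUDIT_DATE = date(2025, 3, 3)

# Constructed sample HR roster (not real data).
HR = {e.person_id: e for e in [
    Employee("p1", "active", None),
    Employee("p2", "left", date(2025, 1, 31)),
    Employee("p3", "active", None),
]}

# Constructed sample identity-provider export (not real data).
ACCOUNTS = [
    Account("alice", "p1", frozenset({"global_admin"}), True, True, date(2025, 3, 1)),
    # left on 31 Jan, account still enabled, admin role without MFA
    Account("bob", "p2", frozenset({"domain_admin"}), False, True, date(2025, 2, 10)),
    # active employee, no login for months
    Account("carol", "p3", frozenset(), False, True, date(2024, 10, 1)),
    # service account with an owner role and no MFA
    Account("svc-backup", None, frozenset({"cloud_owner"}), False, True, date(2025, 3, 2)),
    # enabled account whose owner does not exist in HR at all
    Account("ghost", "p9", frozenset(), True, True, date(2025, 3, 1)),
]


def admins_without_mfa(accounts):
    """Enabled accounts holding a privileged role but no MFA."""
    return sorted(a.username for a in accounts
                  if a.enabled and (a.roles & ADMIN_ROLES) and not a.mfa_enabled)


def leavers_still_enabled(accounts, hr, today):
    """Enabled personal accounts whose owner has left or is unknown to HR.

    Service accounts (person_id None) are skipped here; they need their own
    ownership review rather than a leaver check.
    """
    findings = []
    for a in accounts:
        if not a.enabled or a.person_id is None:
            continue
        emp = hr.get(a.person_id)
        if emp is None:
            findings.append(a.username)            # orphaned: no HR record
        elif emp.status == "left" and emp.left_on is not None and emp.left_on <= today:
            findings.append(a.username)            # leaver: should have been revoked
    return sorted(findings)


def dormant_accounts(accounts, today):
    """Enabled accounts with no login within DORMANT_AFTER (or never)."""
    return sorted(a.username for a in accounts
                  if a.enabled and (a.last_login is None or today - a.last_login > DORMANT_AFTER))


def run_audit(accounts=ACCOUNTS, hr=HR, today=AUDIT_DATE):
    """Collect all findings; each list is a set of usernames to act on."""
    return {
        "admins_without_mfa": admins_without_mfa(accounts),
        "leavers_still_enabled": leavers_still_enabled(accounts, hr, today),
        "dormant_accounts": dormant_accounts(accounts, today),
    }


if __name__ == "__main__":
    for check, users in run_audit().items():
        print(f"{check}: {', '.join(users) if users else 'none'}")
```

Running the audit on the constructed data flags bob twice (privileged account without MFA, and a leaver whose access was never revoked), the service account svc-backup for missing MFA, ghost as an orphaned account with no HR owner, and carol as dormant. Scheduling such a reconciliation and feeding its output into an automated disable step is what "automatic revocation" means in practice; keeping the reports is the audit trail.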
4. Employee Training
- Regular cybersecurity training
- Phishing simulations and awareness campaigns
- Clear procedures for reporting security incidents
5. Incident Reporting
Significant incidents must be reported to the national CSIRT or competent authority in stages:
- Early warning within 24 hours of becoming aware of the incident — initial notification, including whether the incident is suspected to be caused by unlawful or malicious action and whether it may have cross-border impact
- Incident notification within 72 hours of becoming aware — update of the early warning with an initial assessment of severity, impact and, where available, indicators of compromise
- Final report within one month of the incident notification — detailed description, type of threat or root cause, mitigation measures applied and any cross-border impact (a progress report if the incident is still ongoing, with the final report due one month after it is handled)
Intermediate status updates may also be requested by the CSIRT or competent authority at any time.
Penalties for NIS2 non-compliance
NIS2 introduces significantly stricter penalties than the previous NIS directive. The maximum administrative fines are:
Essential entities
€10 million
or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher
Important entities
€7 million
or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher
In addition to financial penalties, management bodies carry personal responsibility: they must approve the cybersecurity risk-management measures and oversee their implementation, and can be held liable for failures to do so. For essential entities, supervisory authorities can also request a temporary ban on individuals in management positions from exercising managerial functions.
Practical NIS2 Compliance Checklist
Checklist:
- Verify whether the company is subject to NIS2
- Determine the category (essential / important entity)
- Identify critical services and systems
- Conduct a cyber risk analysis
- Develop an incident response plan
- Establish a business continuity plan
- Implement MFA for all administrators
- Configure encryption for sensitive data
- Introduce access monitoring and logging
- Implement automated permissions management
- Appoint a responsible person for cybersecurity
- Conduct employee training
- Create internal guidelines and policies
- Assess the cybersecurity posture of suppliers
- Update contracts with vendors
- Set up third-party monitoring
- Establish an incident reporting process (24 hours / 72 hours / 1 month)
- Prepare contacts for the national CSIRT and competent authority (in the Czech Republic, NÚKIB)
- Create reporting templates
How Optimaly supports NIS2 compliance
At Optimaly we have extensive experience implementing security solutions for enterprise clients. Our projects are designed around "security by design" principles — security is embedded at every step of development.
Our NIS2 compliance services:
- Compliance assessment — evaluation of current state against NIS2 requirements
- Gap analysis — identification of security gaps
- Technical measures implementation — MFA, encryption, monitoring
- Access management platforms — permissions automation with audit trails
- Incident response plans — preparation for security incidents
- Microsoft Defender for Cloud (formerly Azure Security Center) integration — centralised security monitoring
NIS2 implementation timeline
| Date | Milestone |
|---|---|
| 16 January 2023 | NIS2 directive entered into force across the EU |
| 17 October 2024 | Deadline for transposition into national legislation |
| 2025 | National enforcement of requirements and penalties; several member states transposed late, so the exact dates depend on national law |
| Ongoing | Regular audits and compliance updates |
Conclusion
NIS2 is not merely a regulatory obligation — it is an opportunity to strengthen your organisation's cybersecurity and protect critical services against cyber threats. Penalties of up to €10 million are a compelling incentive, but the real value lies in protecting your business and maintaining the trust of your customers.
If your organisation falls under NIS2, do not delay implementation. The earlier you start, the less stressful the compliance process will be, and the better prepared you will be for potential audits.
Need help with NIS2? We offer cybersecurity consulting as part of our security services.