NIS 2: what the directive changes for your business
The NIS 2 directive reinforces cybersecurity obligations in Europe. Find out who is affected, what is changing in practice and how to effectively prepare for it.

In two years, critical cyberattacks on European infrastructures have increased by more than 300%.
Hospitals, communities, industrial or energy operators... The most sensitive actors have become frequent targets. The impact is no longer just technical: it is economic, political, human.
It is in this context that the European directive NIS 2 comes into force.
What is the NIS 2 directive?
The directive (EU) 2022/2555, known as NIS 2, reinforces the regulatory framework for cybersecurity. It has a twofold objective:
- Build the resilience of critical systems
- Harmonize requirements at the European level
It is aimed at essential entities (energy, transport, health, digital, finance...) and important entities (B2B manufacturing, digital infrastructures...). It also broadens the scope of application of the initial NIS directive, with a new feature: obligations are now binding, regardless of the sector concerned.
NIS 2 also imposes new obligations on Member States:
- The designation of a competent authority, a national CSIRT (Computer Security Incident Response Team), and a single point of contact for cooperation with the other Member States.
- The obligation for the entities concerned to report any major incident within 24 hours, with full notification within 72 hours.
- An approach based on risk assessment, with the implementation of appropriate technical and organizational measures, regularly revised.
How do I comply with the NIS 2 directive?
To comply with NIS 2, your organization must put in place documented technical and organizational measures, using a risk-based approach. Here are the steps to follow:
- Identify the scope concerned (essential/important entities, targeted sectors).
- Analyze your risks (assets, vulnerabilities, past incidents).
- Structure policies and procedures to manage incidents, continuity, IT security, subcontractors, training.
- Document and demonstrate your compliance (logs, reports, audits, awareness).
- Implement a progressive action plan (prioritization, monitoring, indicators, reporting).
Why act quickly?
The obligations introduced by NIS 2 are not limited to general principles. They involve resources, evidence, and above all responsibilities.
Penalties can range up to:
- 10 million euros or 2% of global annual turnover for essential entities
- 7 million euros or 1.4% of global annual turnover for important entities
But in addition to fines, the directive introduces strengthened accountability for managers.
In the event of a breach, they can be held directly accountable for decisions, or the lack of decisions, related to cybersecurity.
What are the concrete implications of NIS 2 for internal teams?
With NIS 2, IT, compliance, legal, and management teams are called upon to collaborate. This requires them to:
- Monitor, qualify and document incidents
- Set up a crisis management process
- Ensure security throughout the life cycle of information systems
- Have regular risk assessment procedures
- Generalize cybersecurity and cyber hygiene training
Status of transposition in France
The NIS 2 directive came into force at European level in early 2023. Member States had to transpose it into their national law by October 17, 2024. In France, the bill passed its first reading in the Senate on March 12, 2025. The National Assembly considered it starting in May 2025.
In practice, the directive is already applicable, and organizations need to prepare now to justify their implementation.


