
The NIS2 Directive entered into force across all EU member states on 17 October 2024. It requires organisations in eighteen sectors to implement serious cybersecurity measures. What sets it apart from earlier legislation: board members are personally liable if the organisation falls short.
Many business owners assume NIS2 only applies to large companies and government bodies. That assumption is wrong, for one straightforward reason: the law flows down the supply chain.
Who Does NIS2 Apply To?
NIS2 distinguishes between two categories. The classification determines the intensity of supervision — not the obligations themselves.
Essential entities are organisations in sectors such as energy, transport, banking, healthcare, drinking water, digital infrastructure and government. Important entities include postal and courier services, chemical manufacturing, food production, digital marketplaces and research institutions.
The thresholds: medium-sized enterprises (50–249 employees, or €10–50 million turnover) and large enterprises (250+ employees, or €50+ million turnover). Small organisations are in principle exempt — but not always.
Providers of electronic communications networks, trust service providers, and certain DNS providers fall under NIS2 regardless of size.
The Supply Chain Requirement — Why It Affects You Anyway

Article 21 of NIS2 requires essential and important entities to manage the security of their supply chain. That means: your clients who fall under NIS2 are obliged to assess and document your cybersecurity practices.
An eight-person accounting firm may not directly fall under NIS2. But if their clients in the financial sector do, those clients will be checking the accountant’s security posture. The same applies to a GP practice: it operates in the healthcare sector, and healthcare appears in Annex I of NIS2. The obligations percolate down to smaller suppliers and partners through the supply chain requirement.
“I don’t fall under NIS2 myself” is not the end of the conversation. It’s the start of a different question: do my clients?
The Ten Required Measure Areas
Article 21 of NIS2 lists ten measure areas that every entity under the law must address. In plain terms:
- Risk analysis: document your digital risks and establish policy. Not as a one-off document, but as a living system.
- Incident handling: know what you do when something goes wrong. Who calls whom? What gets shut down? Who notifies the supervisory authority?
- Business continuity: backups are not optional. They must be tested. Make sure you can continue operating after an incident.
- Supply chain security: the cybersecurity practices of your suppliers are your responsibility to know and assess.
- Systems security: how do you procure software? How do you respond when a vendor discloses a security vulnerability?
- Effectiveness assessment: measure whether your measures work. Setting them up and forgetting them is not sufficient.
- Cyber hygiene and training: employees recognise phishing. Updates get installed. Password policies exist and are enforced.
- Encryption: sensitive data is encrypted — both in transit and at rest.
- Access management: who has access to what? Access rights are actively managed and audited.
- Multi-factor authentication: two-factor authentication is no longer optional — it is a requirement.
The Reporting Obligation: 24 Hours
For a significant incident — a cyberattack, data breach, or critical system failure — strict timelines apply. Article 23 of NIS2 requires:
- 24 hours: an early warning to the competent authority or CSIRT
- 72 hours: a full incident report
- 1 month: a final report
“Significant” means: serious operational disruption, substantial financial damage, or impact on other organisations.
A practical problem with cloud AI services: if the provider only informs you 48 hours after the incident, you already have a problem with your notification obligation. Your clock starts ticking when you become aware — not when the provider tells you. With a local AI deployment, you are inside the environment, you have the logs, and you can act immediately.
Personal Liability of Board Members
This is the article that distinguishes NIS2 from earlier cybersecurity legislation. Article 20 states that governing bodies — boards of directors, managing directors, general managers — must approve cybersecurity measures, oversee their implementation, and can be held personally liable if the organisation fails to comply.
In practice, “held personally liable” means: a temporary ban on management roles following negligence after a significant incident. The IT department is not responsible. You are responsible.
The same article requires board members to participate in cybersecurity training — and to ensure equivalent training is offered to their employees.
Three Steps You Can Take Now
1. Determine your position
Does your organisation fall directly under NIS2 through sector criteria and thresholds? Or indirectly, through the organisations you serve? Both questions deserve an honest answer.
2. Map your ICT suppliers
Which external software tools, cloud providers and services do you use? The supply chain requirement starts with knowing who you depend on — and what contract terms exist around incidents and notifications.
3. Lay the groundwork for incident response
Do you have a procedure for when something goes wrong? Who decides what? Who reports to whom? You don’t need a full SOC today. But a basic procedure — documented, tested, known to the right people — is the minimum.
NIS2 is not a paper law. It carries fines of up to €10 million or 2% of annual turnover for essential entities, and up to €7 million or 1.4% for important entities. And it has something rarer: it places responsibility explicitly with the people at the top.