In short
NIS2 (Directive (EU) 2022/2555) replaced the first Network and Information Security directive with a wider scope and stronger obligations. It sorts covered organisations into essential and important entities, mostly by sector and size, and makes management bodies accountable for approving and overseeing the risk-management measures.
The practical work is not a certificate on the wall. It is risk management, incident handling, business continuity, supply-chain security, access control, encryption where appropriate, and a reporting process that can meet the required windows: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month (or a progress report if the incident is still ongoing).
Where it bites
NIS2 bites when a company discovers late that a sector, subsidiary, managed service, or supplier role puts it in scope. The painful part is producing evidence of governance, supplier checks, logging, and incident response after the board has already accepted the risk, and doing so on a reporting clock that starts when the organisation becomes aware of the incident, not when it finishes investigating.
What to check
- Are you an essential or important entity under the sector, size, and national implementation rules?
- Can your team send the early warning (24 hours), incident notification (72 hours), and final report (one month) through the correct national CSIRT or competent-authority channel, including outside office hours?
- Do supplier contracts, access controls, backup tests, and incident runbooks prove the controls actually work?
Common questions
What is the NIS2 Directive?
NIS2 is the EU cybersecurity directive that sets risk management, governance, and incident-reporting obligations for essential and important entities in critical sectors.
Does NIS2 apply directly to every SME?
No. Scope depends on sector, size, role, and national implementation. Some SMEs are in scope because they provide critical digital or managed services, or because a national law designates them.
What should you check first for NIS2?
Start with scope classification, national registration duties, incident reporting channels, supplier risk, management accountability, and evidence that security controls run in production.