What does the NIS2 directive mean for organisations?

Arctic Wolf

Increasing cyber-resiliency for European Union Member Countries

The Network and Information Systems 2 (NIS2) directive is a European Union directive intended to improve the security and resilience of networks and information systems and to achieve a high common level of cybersecurity across the member countries in the EU. Companies will be required to disclose network and computer system incidents beyond just data breaches, as critical infrastructure and a limited number of other industries were required to do under the initial directive.

About the NIS2 Directive

The previous Network and Information Systems (NIS) directive (EU-2016/1148) was updated and expanded to form the new NIS2 directive (EU 2022/2555), which was enacted on 14th December 2022 and comes into force when transposed into local law in each member state, by 17 October 2024.
The directive sets out extensions and modifications to the systems put in place under the original directive, to enable better co-ordination in response to cyber-attacks across a wider breadth of industries and organisations.
NIS2 aims to make the EU as a whole more resilient to cyber threats and strengthen cooperation between Member States on cybersecurity. It builds on the previous NIS Directive and represents a further development of measures to meet the challenges of an increasingly digitalised world.

Who Does NIS2 Impact?

EU Member Countries

NIS2 applies to substantially more industries and organisations than its predecessor. To determine who must comply with the directive, organisations are deemed very critical or critical and then sub-categorised as ‘Essential’ and ‘Important.’

A full list of covered entities can be found in NIS2 Annex I and II.

Supply Chain

Supply chain issues are regulated in Article 21(2)(d) of the NIS2 Directive. According to this provision, one of the responsibilities of key and important entities will be to put in place appropriate and proportionate technical, operational and organisational measures to ensure supply chain security. For this reason, companies delivering into EU NIS2 sectors will also need to be NIS2 critical compliant.


NIS2 does not generally apply to micro-enterprises with fewer than 50 employees and an annual turnover of less than 7 million euros. However, such micro-enterprises would be covered under the Directive if the entity is deemed a vital service.

In addition, NIS2 will continue to be a guiding framework for most businesses.

Non-EU Member Countries

If you are a non-EU member country that does business within the EU, you are not bound by this EU legislation. However, non-EU member states doing business with any EU member countries will need to be compliant and should be prepared to implement similar comprehensive and resource-consuming measures.