Quick answer: The NIS2 Directive (Directive (EU) 2022/2555) significantly expands EU cybersecurity requirements, covering over 160,000 entities across 18 sectors. Unlike NIS1, NIS2 affects mid-size companies, imposes personal liability on management, and requires 24-hour incident reporting. Member states had until October 17, 2024 to transpose it into national law.
What Is NIS2?
NIS2 is the EU's upgraded Network and Information Security Directive. It replaces the original NIS Directive (2016) which was criticized for inconsistent implementation across member states and too-narrow scope. NIS2 harmonizes cybersecurity requirements across the EU and significantly expands the range of affected organizations.
Who Must Comply?
NIS2 applies to essential entities and important entities across 18 sectors. The key threshold: organizations with 50+ employees or €10M+ annual turnover in covered sectors must comply.
Essential Entities (Higher obligations)
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating |
| Transport | Air, rail, road, water transport operators |
| Banking | Credit institutions (also covered by DORA) |
| Financial market infrastructure | Trading venues, CCPs |
| Healthcare | Hospitals, laboratories, pharma R&D, medical devices |
| Drinking water | Water supply and distribution |
| Wastewater | Wastewater collection, treatment, disposal |
| Digital infrastructure | DNS providers, TLD registries, cloud providers, data centers, CDNs, IXPs |
| ICT service management (B2B) | Managed service providers, managed security service providers |
| Public administration | Central government entities (excluding judiciary/parliament) |
| Space | Operators of ground-based space infrastructure |
Important Entities (Standard obligations)
| Sector | Examples |
|---|---|
| Postal & courier | Postal service providers, parcel delivery |
| Waste management | Waste collection, treatment, recycling |
| Chemicals | Manufacturing, production, distribution |
| Food | Production, processing, distribution (wholesale) |
| Manufacturing | Medical devices, electronics, machinery, vehicles |
| Digital providers | Online marketplaces, search engines, social networks |
| Research | Research organizations |
NIS2 Requirements for Websites
If your organization falls under NIS2, your website and online services are in scope. Here are the specific website-related requirements:
1. Risk Management Measures (Article 21)
- Security headers: Implement HTTPS, HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy
- Access control: Strong authentication for admin panels, MFA for management interfaces
- Encryption: TLS 1.2+ for all connections, encrypt data at rest
- Supply chain security: Audit all third-party scripts, libraries, and dependencies — a compromised CDN or analytics script is a supply chain attack vector
- Vulnerability management: Regular vulnerability scans, patch management, WAF deployment
2. Incident Reporting (Article 23)
| Timeline | Requirement |
|---|---|
| 24 hours | Early warning to CSIRT/competent authority |
| 72 hours | Incident notification with initial assessment, severity, and impact |
| 1 month | Final report with root cause analysis, mitigation measures, and cross-border impact |
Website breaches count. If your website is defaced, suffers a DDoS, or leaks customer data, it's a reportable incident under NIS2 if it has a "significant impact" on the service.
3. Management Accountability (Article 20)
NIS2 introduces personal liability for management bodies. Directors and C-suite executives must:
- Approve cybersecurity risk management measures
- Oversee implementation
- Undertake cybersecurity training
They can be held personally liable for non-compliance.
NIS2 Website Compliance Checklist
| # | Action | Priority |
|---|---|---|
| 1 | Implement all security headers (HSTS, CSP, X-Frame-Options, etc.) | Critical |
| 2 | Enable TLS 1.2+ and disable older protocols (SSLv3, TLS 1.0/1.1) | Critical |
| 3 | Deploy MFA on all admin/CMS interfaces | Critical |
| 4 | Audit all third-party scripts and external dependencies | Critical |
| 5 | Implement automated vulnerability scanning (weekly+) | High |
| 6 | Set up DDoS protection (Cloudflare, AWS Shield, etc.) | High |
| 7 | Create incident response plan with 24h notification process | High |
| 8 | Implement logging and monitoring (SIEM, access logs) | High |
| 9 | Document supply chain — list all CDNs, APIs, SaaS integrations | High |
| 10 | Regular penetration testing (at least annually) | Medium |
| 11 | Implement Content Security Policy to prevent XSS/injection attacks | Medium |
| 12 | Review and update business continuity plan | Medium |
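For checklist items 4 and 9 (audit third-party scripts, document the supply chain), an added example of an inventory step, not code from the page or from PrivacyChecker: it parses a page, lists the external origins it loads scripts and stylesheets from, and flags those loaded without a Subresource Integrity attribute. The sample HTML and hostnames are constructed, and the SRI digest in it is a placeholder.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: one same-origin script, two third-party resources
# without Subresource Integrity, and one with it (digest value is a placeholder).
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="https://cdn.example-fonts.test/site.css">
<script src="/static/app.js"></script>
<script src="https://tag.example-analytics.test/tag.js"></script>
<script src="https://cdn.example-lib.test/lib.min.js"
        integrity="sha384-PLACEHOLDER_DIGEST" crossorigin="anonymous"></script>
</head><body></body></html>"""

class ResourceCollector(HTMLParser):
    """Collect every external script and stylesheet together with its SRI status."""
    def __init__(self):
        super().__init__()
        self.resources = []  # (kind, url, has_integrity)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # attribute values may be None for bare attributes
        if tag == "script" and a.get("src"):
            self.resources.append(("script", a["src"], "integrity" in a))
        elif tag == "link" and "stylesheet" in (a.get("rel") or "").split() and a.get("href"):
            self.resources.append(("stylesheet", a["href"], "integrity" in a))

def third_party_inventory(html, site_host):
    """Return the third-party origins a page depends on and the resources
    among them that lack an integrity attribute (candidates for adding SRI)."""
    parser = ResourceCollector()
    parser.feed(html)
    origins, missing_sri = set(), []
    for _kind, url, has_sri in parser.resources:
        host = urlparse(url).netloc
        if not host or host == site_host:
            continue  # same-origin asset: not an external supplier
        origins.add(host)
        if not has_sri:
            missing_sri.append(url)
    return {"origins": sorted(origins), "missing_sri": missing_sri}
```

The `origins` list is the supply-chain record item 9 asks for; `missing_sri` is the remediation queue, since a CDN-hosted script without an integrity hash is exactly the compromised-CDN vector described under Article 21.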
Start with a free scan: PrivacyChecker checks your website's security headers, TLS configuration, third-party dependencies, and known vulnerabilities in under 60 seconds.
Fines and Enforcement
| Entity type | Maximum fine |
|---|---|
| Essential entities | €10 million or 2% of global annual turnover (whichever is higher) |
| Important entities | €7 million or 1.4% of global annual turnover (whichever is higher) |
Additionally, competent authorities can: suspend certifications, impose temporary bans on management exercising functions, and order public disclosure of non-compliance.
Frequently Asked Questions
Does NIS2 apply to SMEs?
Generally no — NIS2 applies to organizations with 50+ employees or €10M+ turnover in covered sectors. However, certain entities are covered regardless of size: DNS providers, TLD registries, trust service providers, and entities that are the sole provider of a critical service in a member state.
How does NIS2 overlap with GDPR?
NIS2 focuses on network and information security (the systems), while GDPR focuses on personal data protection (the data). A data breach triggers reporting under both regulations — NIS2 to the CSIRT (24h), GDPR to the DPA (72h). The requirements are complementary, not duplicative.
What if my country hasn't transposed NIS2 yet?
The transposition deadline was October 17, 2024. Some member states are delayed. However, the Directive's requirements are clear and fixed — organizations should prepare now regardless of national transposition status, as enforcement will be retroactive to the deadline.