
NIS 2 Directive: A coordinated framework for strengthening cybersecurity in Europe


NIS2 Directive: The New Pillar of Cybersecurity in Europe



Cybersecurity in Europe has become a strategic priority. With the entry into force of the NIS2 Directive (often referred to as the NIS 2 regulation), the European Union has established a more ambitious, robust, and coordinated framework to protect critical infrastructure and digital services. At SETEK, we explain what this new directive means, who it affects, and how to prepare to meet its demands.


What is the NIS2 Directive and What Are Its Goals?


The NIS2 Directive (Network and Information Security 2), also known as SRI 2 Directive, is the evolution of the first NIS Directive from 2016. Its main objective is to strengthen cybersecurity in Europe through greater regulatory harmonization, inter-state coordination, and stricter requirements for essential and digital sectors.

Its main goals include:


  • Improving incident response capacity.

  • Reducing security gaps in the supply chain.

  • Strengthening organizational resilience against cyber threats.

  • Promoting executive-level responsibility in digital risk management.


Key Changes from the Original NIS Directive


NIS2 significantly expands the scope and requirements compared to its predecessor:


  • The number of sectors and covered entities is increased.

  • Stricter obligations are introduced regarding risk management and incident reporting.

  • Direct responsibility is imposed on executive teams.

  • Penalties for non-compliance are established, comparable to the GDPR.


Which Entities Must Comply with NIS2?


The directive distinguishes between two types of organizations:


  • Essential entities: Including sectors like energy, transport, water, healthcare, banking, digital infrastructure, and public services.

  • Important entities: Including technology, postal and courier services, critical manufacturing, and digital service providers (e.g., cloud platforms or data centers).


Public and private companies, both large and medium-sized, operating in these sectors must adapt to the NIS 2 regulation.


Minimum Security and Risk Management Requirements


NIS2 sets a minimum set of security requirements, including:


  • Multifactor authentication and access management.

  • Updated incident response policies.

  • Continuous assessment of supply chain security.

  • Regular staff training and crisis simulations.

  • Use of encryption and proactive monitoring systems.


Incident Notification Obligations


One of the directive’s pillars is mandatory incident reporting:


  • Initial report: Within 24 hours of detecting a significant incident.

  • Intermediate report: Within the following 72 hours.

  • Final report: Within a maximum of one month.


This seeks to foster a rapid, coordinated, and transparent response across Europe.


Role of Executive Management and Corporate Responsibility


Executive leadership can no longer fully delegate cybersecurity management. NIS2 requires:


  • Direct involvement in strategic cybersecurity decisions.

  • Personal responsibility for non-compliance and damages.

  • Specific training in digital risk governance.


This reinforces a top-down approach to security culture.


Supervision, Penalties, and Compliance Mechanisms


Member States must designate national authorities empowered to:


  • Conduct audits and inspections.

  • Demand remediation plans.

  • Impose administrative fines of up to 2% of global annual turnover.


National transposition is still ongoing, and the directive is expected to be fully applied across the EU by October 2024.


Impact of NIS2 on the Supply Chain


Companies will need to assess risks related to suppliers, subcontractors, and third parties, integrating control mechanisms such as:

  • Third-party security audits.

  • Binding contractual clauses.

  • Joint incident response protocols.


This means that security is not only an internal issue but also an inter-organizational one.


Cooperation Between Member States and National Bodies


NIS2 promotes smoother coordination between Member States, including the creation of:


  • The European Cyber Crisis Liaison Organization Network (EU-CyCLONe).

  • Secure information exchange channels.

  • Common procedures for managing cross-border threats.


How to Prepare for NIS2 Transposition and Audits


At SETEK, we recommend a clear roadmap:


  1. Assess your current situation with a gap analysis against NIS2.

  2. Establish a progressive compliance plan, including training and technology.

  3. Appoint an internal cybersecurity officer connected to the executive board.

  4. Prepare for internal and external audits.


The NIS2 Directive is not just an obligation, but an opportunity to strengthen your organization against 21st-century threats.


Need Help Complying with NIS2?


The NIS2 Directive and Spain's National Security Framework (ENS, Esquema Nacional de Seguridad) share the same essential goal: ensuring an adequate level of protection for information systems. For Spanish companies, both frameworks should be understood as complementary. While NIS2 establishes EU-level requirements, the ENS provides a nationally adapted guide that many organizations are already following. Integrating both allows entities to anticipate future audits and improve their digital maturity.


The implementation of NIS2 also plays a crucial role in the evolution of cybersecurity in Industry 4.0, where the interconnection between industrial systems and digital networks multiplies the attack vectors. In this context, having a common regulatory framework like NIS2 ensures interoperability and protects critical processes. Industrial organizations must align their cybersecurity policies with these standards if they wish to maintain operational continuity and comply with future regulatory demands.


At SETEK, we specialize in integrating security and IT governance solutions aligned with the European framework. Contact us and take your company’s cybersecurity to the next level.

