EU cybersecurity for essential & important entities

NIS2 Directive, explained simply

Europe's biggest cybersecurity expansion in a decade.

In a nutshell

NIS2 is an EU directive that forces 'essential' and 'important' organisations to adopt strong cyber risk management, report incidents quickly, and hold leadership personally accountable.

The case for action

Why your organisation needs the NIS2 Directive

Fines up to €10m or 2% of global turnover. Management can be held personally liable. Plus your customers will start asking for proof of compliance.

The upside

What your organisation gains

Avoid fines of up to €10m or 2% of global turnover.

Protect leadership from personal liability.

Win and retain EU customers who now demand NIS2 evidence.

Harden your supply chain against cascading incidents.

Scope

Who it covers — and where

Who it applies to

Medium and large organisations in 18 sectors — energy, transport, banking, health, digital infrastructure, manufacturing, food, postal services, public administration and more.

Where it applies

All 27 EU Member States. Non-EU companies offering in-scope services in the EU are also caught.

Timing

When you need to act

EU Member States transposed NIS2 into national law from October 2024. Enforcement is live — check your country's regulator for registration deadlines.

The path forward

Your roadmap to compliance

A practical journey — not a bureaucratic checklist. Tackle these stages in order and you'll move from "we should look into this" to ready.

  1. Determine whether you're 'essential', 'important' or out of scope.
  2. Register with your national NIS2 authority.
  3. Adopt the 10 minimum risk-management measures (risk analysis, incident handling, business continuity, supply chain security, MFA, etc.).
  4. Set up a 24-hour early warning and 72-hour incident reporting process.
  5. Train your management team — they're legally accountable.
  6. Review supplier contracts for security clauses.

Reality check

Common struggles (and how to fix them)

The struggle

Unsure whether NIS2 applies to you.

The fix

Use a sector + size test. If you have 50+ staff or €10m+ turnover in a listed sector, assume it does.

The struggle

Supply chain visibility is poor.

The fix

Start with a top-20 supplier register and security questionnaire, then expand.
