NIS2 EXPLAINED: WHAT CHANGED FROM NIS1 AND WHAT EU FIRMS MUST DO?
If your organization operates in the EU or provides digital services to its citizens, the NIS2 cybersecurity Directive is essential reading. It is not just another piece of EU legislation: it is a major upgrade to Europe’s cybersecurity law. Many businesses have been following the old NIS1 rules, which are now officially outdated. NIS2 raises the bar for cybersecurity, accountability, and reporting across the board.
NIS2, the Network and Information Security Directive 2, came into force in January 2023. EU Member States had until October 17, 2024, to bring it into national law.
That date has now passed, which means enforcement is real and active. The directive is a compliance mandate for thousands of businesses, from energy and healthcare providers to cloud platforms and digital suppliers. Its scope has also expanded. If you assumed your business was outside regulation under NIS1, you need to reassess that position, because many mid-sized and even smaller service providers now fall under its reach.
The goal of this blog is simple. We’ll break down what’s changed from NIS1 to NIS2, who exactly falls in scope, what new requirements are on the table, and what practical steps you need to take to stay compliant. More importantly, you’ll see how acting early can give your company both a compliance edge and a market advantage.
We’ll begin by revisiting NIS1 to understand its foundations, then move on to the biggest updates under the NIS2 cybersecurity directive. Following that, we’ll explore what EU firms must do now and end with simple guidance to help you plan your next steps.
TL;DR:
Concern:
The old NIS1 rules are no longer effective. Cyber threats have grown, supply chains are more interconnected, and the EU has raised its standards with the NIS2 cybersecurity Directive. NIS2 is already in force, and regulators expect companies to comply with it. Businesses that delay risk severe fines, personal liability for executives, and damage to customer trust.
Overview:
NIS2 widens the net to include more sectors and service providers, covering everything from energy and transport to manufacturing, food, and public administration. It introduces tighter governance, risk management, and incident reporting duties, demanding that cybersecurity become a board-level priority. Even non-EU companies serving EU clients are in scope. The goal is clear: create a unified, high-standard cybersecurity culture across Europe.
Solution:
Building compliance from scratch can feel overwhelming, but that is where CertPro can help. We guide organizations through the NIS2 journey by aligning their systems with the ISO 27001 and GDPR frameworks. Although it does not guarantee full compliance, conformance with ISO 27001 and GDPR helps firms satisfy most NIS2 requirements. Take action now and partner with CertPro today to protect your business, stay compliant, and turn cybersecurity into a real competitive advantage.
NIS1 TO NIS2: AN OVERVIEW OF THE UPDATE
When the first NIS Directive (NIS1) came out in 2016, it was a major step for Europe. It was the EU’s first attempt to set common cybersecurity rules for key sectors like energy, transport, banking, healthcare, and online marketplaces. The fundamental idea was to protect the essential services and digital platforms that keep society running. It applied mainly to two groups: operators of essential services (OES) and digital service providers (DSPs).
But there was a hidden issue. Each Member State had its own way of interpreting and enforcing the law. Some countries moved quickly, while others were slow to set standards or penalties. As a result, the level of protection varied widely across the EU, and there was no uniform or harmonized security culture. In simple terms, what counted as “critical” in one country might not in another.
Fast forward a few years, and the digital world has changed dramatically. Businesses are more connected, supply chains are more complex, and cyberattacks are far more frequent and severe. The old NIS1 framework could not keep up: its limited scope and uneven enforcement left too many gaps, especially as more industries came to rely on cloud systems, remote access, and third-party vendors.
That is why the EU rolled out NIS2, formally known as Directive (EU) 2022/2555. It was adopted in December 2022 and has been in force since January 2023. Member States had until October 17, 2024, to bring it into national law. NIS1 is repealed from 18 October 2024, the date from which the national transposing laws apply.
More than an update, the NIS2 cybersecurity directive is a complete revamp of its predecessor. It broadens the scope to cover more sectors and suppliers, tightens reporting rules, and standardizes enforcement across Member States. The goal is a truly harmonized cybersecurity foundation across Europe, giving businesses greater clarity, consistency, and resilience in an increasingly risky digital landscape.
WHAT ARE THE KEY CHANGES UNDER NIS2?
| Aspect | NIS1 | NIS2 |
|---|---|---|
| Timeline | Adopted in 2016; applied from May 2018. | Adopted in December 2022; in force since January 2023; transposition deadline: 17 October 2024. |
| Scope of Entities | Applied to Operators of Essential Services (OES) and Digital Service Providers (DSPs). | Applies to Essential Entities and Important Entities across a much wider range of sectors. |
| Covered Sectors | Energy, transport, banking, healthcare, water, and some digital services. | Expanded to include postal and courier services, food, manufacturing, waste management, ICT services, and public administration. |
| Inclusion Criteria | Based on national definitions, which are inconsistent across Member States. | Based on size criteria (medium and large enterprises) and cross-border service provision, creating uniform coverage. |
| Cybersecurity Obligations | General security and incident management measures with limited enforcement. | Detailed, mandatory risk-management controls covering supply chain, governance, and reporting. |
| Incident Reporting | Reporting timelines and requirements varied by country. | Harmonized EU-wide: 24-hour initial report, 72-hour update, and final report within one month. |
| Supervision and Enforcement | Decentralized and inconsistent enforcement; limited penalties. | Stronger supervisory powers, uniform sanctions, and management accountability. Fines up to €10M or 2% of global annual turnover (essential entities) and €7M or 1.4% (important entities). |
| EU Coordination | Minimal cooperation mechanisms. | Strengthened coordination through EU-CyCLONe and cross-border information-sharing networks. |
| Repeal of NIS1 | NIS1 remained active until replaced. | NIS1 repealed from 18 October 2024, and NIS2 becomes the binding cybersecurity directive. |
WHO NEEDS TO COMPLY WITH NIS2? SCOPE EXPLAINED
NIS2 applies to a much wider group of organizations than its predecessor. It covers businesses operating in the EU that provide essential or important services, and even non-EU firms offering digital or critical services to EU users may need to comply.
Under NIS2, organizations are categorized into two groups: essential entities and important entities. Essential entities cover sectors where disruption would have a serious impact, such as energy, transport, banking, health, water, and public administration. Important entities include sectors such as postal services, waste management, manufacturing, food production, and digital platforms. Member States identify which companies belong where, mostly based on their size and how critical their services are to society.
Here is the quick test: if your company is medium or large, say over 50 employees or €10 million in annual turnover, and operates in a covered sector, you are likely in scope. Smaller firms typically fall outside the scope unless they are the sole providers of a critical service in a region.
NIS2 also stretches beyond EU borders. If you are a non-EU provider serving EU clients, you may need to appoint an EU representative or designate your main EU base (the “lead establishment”).
A practical way to check your status is to ask yourself:
- Do we operate or supply within the EU?
- What sector are we in?
- How big is our company?
- Are we the sole provider of a vital service?
Finally, remember that NIS2 is a directive, so it must be transposed into each Member State’s national law, and the exact national rules are where your obligations are ultimately defined.
KEY STEPS TO FOLLOW IN COMPLYING WITH NIS2
Complying with NIS2 means changing how leadership views cybersecurity. These are the key steps in the NIS2 implementation process.
Governance & Accountability: Boards and senior managers now carry direct responsibility, and executives may face personal liability if a major incident arises from inadequate oversight. The first step, then, is to make cybersecurity a standing topic in board meetings.
Risk Management: Companies must know what they are protecting. That means listing all digital assets, identifying weak spots, and applying practical measures such as strong access control, encryption, and supplier security reviews. If you are a manufacturer, for instance, the biggest weakness might not be your network but an unmonitored supplier portal.
Incident Response Plans: You must have a clear plan for spotting, classifying, and escalating cyber incidents. Under NIS2, initial notification to the authorities must happen fast, within 24 hours, followed by a more detailed report later.
Vendor Management: Then there is the supply chain. You are expected to evaluate your partners’ cybersecurity posture just as you do your own. If a key vendor goes down, your business could be next.
Internal Policies: Internal culture matters just as much. Staff training, solid password policies, vulnerability management, and secure development should be part of daily operations.
Monitoring: Finally, test and improve. Run penetration tests, track KPIs, and review lessons learned after each incident or drill.
Mapping to Existing Frameworks: If you already follow ISO 27001 or NIST, you are well ahead, because NIS2 aligns closely with those frameworks. Treat NIS2 compliance as an upgrade rather than an added layer of rules. This approach makes your organization more trusted, more resilient, and better prepared for future changes.
CONCLUSION
NIS2 is unavoidable for EU-based firms. The deadline has already passed, and regulators expect prompt action. Every delay increases your exposure to risk and penalties. A single breach, data leak, or compliance miss can cost your company money, trust, and reputation, so acting now is far cheaper than repairing the damage later.
CertPro helps companies like yours meet NIS2 requirements with clarity and confidence. Our team simplifies complex compliance work by aligning your cybersecurity systems with the ISO 27001 and GDPR standards. These frameworks not only strengthen your defenses but also build a solid foundation for the key security and governance expectations under NIS2.
We focus on what protects your business and builds long-term trust with customers, regulators, and partners. Startups and growing firms especially gain an edge here, because a solid cybersecurity posture shows investors and clients that your business is secure, responsible, and ready to scale.
At CertPro, we combine compliance expertise with real business understanding. If you want to assess your current risks or close existing gaps, contact CertPro today. Let’s secure your operations and turn compliance into your competitive strength.
FAQ
Who must comply with NIS2?
NIS2 applies to medium and large organizations in critical and important sectors such as energy, healthcare, manufacturing, and public services. It also includes digital providers and non-EU companies offering essential services within the European Union.
How does NIS2 improve cybersecurity?
NIS2 improves cybersecurity by enforcing stricter governance, stronger risk management, and faster incident reporting. It requires companies to secure supply chains, protect data systems, and make cybersecurity a board-level responsibility across essential and important sectors.
What is the difference between GDPR and NIS2?
What is the deadline for NIS2?
EU Member States had to transpose NIS2 into national law by October 17, 2024, and affected companies are expected to comply from that point on. Businesses should prepare now to avoid penalties and ensure readiness for enforcement.
Is NIS2 a directive or a regulation?
NIS2 is a directive, not a regulation. That means each EU Member State must transpose it into national law, adapting the rules to its local legal framework while maintaining the directive’s cybersecurity standards.