NIS2 – a new wave of cyber obligations
- By Paweł
If you run a business in the EU (or have clients in the EU) and the word “cybersecurity” gives you a little shiver, you’ve come to the right place. Meet NIS2 – a new EU directive coming into force in 2024/2025 that will affect significantly more companies than its predecessor, NIS1. But don’t worry – you don’t have to hire an army of experts right away.
What is NIS2?
NIS2 is the EU’s Network and Information Security Directive. It was adopted to improve overall digital resilience in Europe. It improves and expands on previous legislation (NIS1) because, well… the world has changed, threats have multiplied, and cybercriminals are on the prowl.

Who does this apply to?
Sectors of High Criticality (Annex I)
1. Energy
2. Transport
3. Banking
4. Financial Market Infrastructure
5. Healthcare
6. Drinking Water
7. Wastewater
8. Digital Infrastructure
9. Management of ICT Services Provided to Third Parties
10. Public Administration
11. Space
Other Important Sectors (Annex II)
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Production, processing and distribution of food
- Manufacturing
- Digital providers
- Research
As a general rule, if you are at least a medium-sized company (over 50 employees or EUR 10 million turnover) and operate in one of the sectors mentioned, you probably have obligations under NIS2.

What will need to be done?
Quite a lot. Here are the key obligations you may face:
1. Risk Management
You need to know what threats you face and have a plan to defend against them. Audits, risk assessments, and technical security measures are essential.
2. Incidents? Report them!
If something serious happens (e.g., a data breach, ransomware attack), you must report it within 24 hours of detection to the appropriate CSIRT.
3. Supply Chain Security
You need to take care not only of yourself but also of your suppliers – especially those who have access to your systems or data.
4. Policies, Procedures, Awareness
You need formal policies, appropriate procedures, and trained employees. Cyber awareness is becoming a responsibility, not a “nice-to-have.”
5. Management Accountability
The management can no longer say, “I don’t know anything about this.” NIS2 provides for the personal accountability of management. Knowledge, commitment, and oversight – these are the new standards.
What are the penalties for non-implementation?
NIS2 isn’t just about checklists and best practices—it’s about tough obligations with real consequences. The European Union has decided to significantly tighten sanctions to enforce actual cybersecurity implementation, not just “paper compliance.”
Financial Penalties
NIS2 provides for significant administrative penalties intended to act as a deterrent – similar to the GDPR.
For essential entities:
- up to €10 million, or
- up to 2% of total annual worldwide turnover (from the previous financial year), whichever is higher.
For important entities:
- up to €7 million, or
- up to 1.4% of total annual worldwide turnover, again whichever is higher.
Example:
If an IT company with an annual turnover of €100 million (and classified as an essential entity) fails to implement the mandatory security measures or ignores its obligation to report an incident, the fine could be up to €2 million.
Liability of the Board and Management
This is one of the biggest changes in NIS2.
What does this mean?
- Management members cannot plead ignorance.
- They are obligated to oversee cybersecurity activities.
- They may be held personally liable – for example, financially or disciplinarily – in the event of gross negligence.
The Directive requires:
- Cybersecurity training for management.
- Active management participation in decision-making regarding risks and security measures.
Other Sanctions and Supervisory Measures
In addition to fines, the supervisory authority may also:
- Issue an order to implement specific security measures.
- Order an audit or inspection.
- In the case of serious violations, temporarily suspend operations or services (e.g., restrict access to systems).
- Request the temporary suspension of a management board member.
What should you do to avoid fines?
The good news: you don’t have to become an expert in cybersecurity, EU law, and technical audits all at once. The bad news: simply “we have antivirus software” is no longer enough. But don’t worry – there’s no need to panic. Just approach the matter sensibly, step by step.
Here’s what you should do to avoid a fine, an inspection, or a frantic call from management at 3 a.m.:
Step 1: Determine if NIS2 applies to you at all
It sounds trivial, but surprisingly many companies don’t even know they fall under NIS2. And the directive offers no “we didn’t know” defence – finding out is your responsibility. Whether you are an IT firm, a healthcare provider, a manufacturer, an e-commerce business, a transport company, a water utility, or an SME, it is worth checking.
We can help you quickly figure it out – we conduct a quick qualification analysis, without legal jargon.
Step 2: Perform a security review – just like you would a car inspection
Ask yourself: do you really know what IT security looks like at your company?
- Where is the data?
- Who has access to it?
- What happens if ransomware locks down the server?
- Do you have a backup, and can it be restored?
Sound familiar? NIS2 requires all of this to be documented and managed. Here again, we can help. We conduct security audits that don’t end with a 70-page report to file away, but with a clear plan: what’s working, what to improve, what to implement.
Step 3: Create procedures and policies
NIS2 loves documents. But it’s not about having a “security policy 2021.pdf” that no one has ever read. It’s about real procedures that define:
- what to do in the event of an incident (e.g., an attack, a leak),
- who reports it, and to whom (because you have 24 hours),
- what must be regularly reviewed and tested,
- who is responsible for what.
We can help you create these documents so that they make sense and can be used in a regular company, not just for compliance exams.
Step 4: Take care of your people – they are your first line of defense
No, a firewall isn’t enough. 90% of attacks start with… clicking on a bad link. And then it all starts – phishing, malware, system access, data leaks.
Train your people – technical and non-technical.
And here’s the good news: we have ready-made awareness courses you can take from your couch. We can also run a simulated phishing campaign to see who falls for the scam – purely for educational purposes, so nobody needs to be embarrassed.
Step 5: Don't leave it for later
This won’t be “just another law” – it will be a real obligation, with real inspections and, unfortunately, real penalties. Sometimes a single serious gap, or one unreported incident, is all it takes for things to get ugly.
That’s why it’s worth acting in advance, not after the fact.

And now the most important thing: you don't have to do it alone.
Our company specializes in precisely these topics. We help companies understand, implement, and meet NIS2 requirements – from quick insights, through audits and procedures, to training and incident response.
We operate without corporate hype, without bloat, and without unnecessary costs. For us, results matter, not reports to file away.
Want to see where you stand with NIS2?
Let us know – we’ll perform an assessment and tell you straight out what’s necessary and what’s not.