Data Center in server room with server racks

Products & Services

The European NIS2 Directive

A European framework designed to strengthen resilience across 18 critical sectors.

NIS2 sets out the European rules for cybersecurity within organizations and their supply chains

More obligations, more oversight, more certainty. The NIS2 Directive reinforces the rules for digital resilience in strategic sectors across the EU.

To address the growing cyberthreat landscape, the EU has replaced the original NIS Directive with NIS2 (Directive 2022/2555). NIS2 introduces stricter security requirements, strengthens supply chain security, refines reporting obligations and implements tougher supervision and enforcement, including harmonized sanctions across the EU. The new directive has been in force since 18 October 2024, replacing the previous NIS Directive.

Core requirements of the NIS2 Directive

New obligations for organizations in four key areas:

Risk management.
Corporate responsibility.
Incident reporting for essential and important entities.
Business continuity.

Assessment

BSI NIS2 EU Assessment

Evaluate your organization’s NIS2 compliance. Suitable for all sizes and maturity levels and also available voluntarily for suppliers.

FAQs

Frequently Asked Questions about NIS2

NIS2 applies to organizations that provide services essential or important to the European economy and society.

The directive expands the number of covered sectors and adds a size threshold. Smaller organizations that are critical to a member state’s functioning can also be included to mitigate risks in case of cyberattacks.
NIS2 not only broadens the range of affected sectors but also introduces stricter and more specific reporting requirements.

It strengthens the security of critical ICT technologies. Member states will conduct joint risk assessments for key supply chains, in collaboration with the European Commission and ENISA. Read our brochure for more information.

Download brochure
These are organizations that typically have more than 250 employees, an annual turnover of at least €50 million or a balance sheet total of €43 million. Examples include energy, transport, banking, financial market infrastructure, central government, healthcare, space, water supply and digital infrastructure (such as cloud and ICT service providers).
These are organizations with more than 50 employees, an annual turnover of at least €10 million, or a balance sheet total of €10 million.

Sectors include postal and courier services, waste management, chemicals, research, food production, manufacturing, digital services (such as social networks and online marketplaces) and local governments.
The NIS2 Directive recognizes that some sectors already have dedicated cybersecurity legislation. Sectoral rules may complement or further specify NIS2 requirements, as long as they do not overlap.
The best way to make sure your business complies with the NIS2 requirements is to get ISO/IEC 27001 certification. This is a standard for information security, cybersecurity and privacy protection. The NIS2 Directive specifically mentions this standard. Although ISO/IEC 27001 and the NIS2 Directive have different aims, they work well together. ISO 22301, on the other hand, covers aspects of business continuity management (BCM), which further reinforces the comprehensive approach to NIS2 implementation.

Download brochure
In addition to certification to ISO/IEC 27001 and ISO 22301, BSI offers a gap analysis to determine your level of compliance. As supply chain security is a core element of NIS2, we can also audit your supply chain. For more information about our support, please refer to our brochure.

Download brochure
Our comparison document provides a clear overview of the relationship between NIS2 and ISO/IEC 27001. Download the mapping tool for more insight.

Download mapping tool
Organizations subject to NIS2 that fail to comply can face fines of up to €10 million or 2% of global annual turnover, whichever is higher.

In addition to financial penalties, administrative or criminal measures may also apply. More information can be found in our brochure.

Download brochure

Insights & Media

Insights into the latest risks and opportunities in the digital space

View Insights & Media

Quality control inspector examining machine part on production line.

Blog

EU AI Act: BSI Training for Responsible AI Compliance

Read the Blog

Whitepaper

The Future of Electronics

Read the Whitepaper

Whitepaper

How Regulation Can Help Unlock the True Power of AI

Read the Whitepaper

Whitepaper

How AI Helps Organizations Enter New Markets

Read the Whitepaper

Whitepaper

Democratization, Collaboration and Education in AI

Read the Whitepaper

Whitepaper

Unlocking the Potential of Consumer Wearables in Healthcare

Read the Whitepaper

Why BSI

Independent and expert: strengthening digital trust

We help you address cybersecurity and compliance challenges effectively.

As a global leader in digital trust assurance, BSI supports organizations in improving their security posture and building confidence in their ability to manage cybersecurity risks effectively.

Building a resilient future together

Discover how we can work together to address cybersecurity challenges more effectively and efficiently.

Get in touch