
What Is NIS2? 

NIS2, short for the Network and Information Security Directive, is an EU directive aimed at improving cybersecurity across the member states. It builds on and strengthens the measures of the previous NIS Directive, addressing emerging cyber threats and vulnerabilities.

By mandating stronger requirements on security, it aims to protect critical infrastructures, such as power grids, healthcare systems, and transport networks. Key elements of NIS2 include mandatory incident reporting, improved cybersecurity capabilities, and strengthened cooperation among EU countries.

It also widens the scope, bringing more sectors and types of operators under its obligations. Compliance with NIS2 is crucial for organizations within its purview: it is a regulatory obligation, and it significantly strengthens the organization’s defenses against cyber threats.

Who Needs to Comply with NIS2?

NIS2 significantly broadens the range of organizations that must comply compared to the original directive. It categorizes entities into two main groups: 

  • Essential entities: These include organizations in sectors vital to society and the economy, such as energy, transport, banking, healthcare, water supply, and digital infrastructure. Public administrations at the central level are also included.
  • Important entities: These are organizations operating in other key sectors like manufacturing of critical products, postal and courier services, waste management, food production, and digital services. Even if these entities are not considered essential, they still pose a significant risk if disrupted and are therefore subject to compliance.

The directive applies to both medium-sized and large organizations. Generally, companies with more than 50 employees or an annual turnover exceeding €10 million are within scope, although smaller organizations may also be included if they provide essential services or are deemed critical based on risk assessments.

NIS2 also affects organizations outside the EU if they offer services within the EU, requiring them to designate a representative in an EU member state where services are provided. This ensures that cross-border digital and infrastructure services remain protected.

What Are the Penalties for Noncompliance?

Organizations that fail to comply with NIS2 can face substantial penalties. The directive allows for administrative fines, which are determined based on the entity’s classification—essential or important.

  • Essential entities can be fined up to €10 million or 2% of their total global annual turnover, whichever is higher.
  • For important entities, the maximum fine is €7 million or 1.4% of global annual turnover.

These penalties are meant to ensure that cybersecurity is treated as a strategic and financial priority at the highest levels of management.

Noncompliance isn’t limited to monetary penalties. Supervisory authorities are also empowered to impose other corrective measures. These can include: 

  • Binding instructions
  • Orders to bring security measures into compliance
  • Temporary bans on management personnel responsible for serious breaches

Sanctions can be triggered by failures such as not implementing adequate cybersecurity measures, not reporting incidents in time, or obstructing audits and inspections. The aim is to enforce proactive cybersecurity governance and ensure that organizations treat their digital infrastructure with the same diligence as physical infrastructure.

The Complete NIS2 Compliance Checklist

1. Governance and Leadership

NIS2 makes senior leadership directly accountable for cybersecurity. Executives must integrate cyber risk into corporate governance and maintain visibility into threats, incidents, and compliance:

  • Define cybersecurity roles and responsibilities at board and executive levels.
  • Provide regular updates to leadership on cybersecurity posture and incidents.
  • Deliver structured reports to the board on threat exposure and compliance status.
  • Require periodic cybersecurity training for senior management.
  • Appoint a CISO or equivalent who reports directly to executive leadership.

2. Risk Management and Security Measures

Organizations must adopt appropriate technical and organizational measures to manage cybersecurity risks. This starts with thorough risk assessments and continues through a layered, structured defense model:

  • Conduct comprehensive risk assessments covering assets, threats, and vulnerabilities.
  • Implement layered defenses (e.g., firewalls, MFA, IDS, secure coding).
  • Apply timely patches and updates to address known vulnerabilities.
  • Maintain operational controls like asset inventory, scanning, and access management.
  • Train staff on security awareness and enforce secure supply chain practices.
  • Use frameworks such as ISO/IEC 27001 or NIST for structure and compliance evidence.
  • Keep documentation of all measures for regulatory review.

3. Incident Handling and Reporting

Reliable incident response capabilities are essential. NIS2 sets strict timelines for reporting incidents and requires well-defined procedures for response and recovery:

  • Develop and regularly test an incident response plan with clear roles and steps.
  • Meet the 24-hour, 72-hour, and 1-month notification requirements.
  • Train response teams to assess severity and coordinate with stakeholders.
  • Involve legal, communication, and compliance teams in planning.
  • Document all incident-handling activities for auditing and learning.

4. Business Continuity and Crisis Management

Organizations must ensure critical services continue during cyber disruptions. This means preparing for incidents with contingency planning and regular crisis simulations:

  • Identify critical systems and perform business impact analyses.
  • Create and maintain contingency and recovery plans for key scenarios.
  • Include internal and external communication strategies.
  • Conduct regular crisis simulations with leadership and technical staff.
  • Keep crisis plans up-to-date and revise based on lessons from incidents.

5. Security in Network and Information Systems Acquisition

Cybersecurity must be embedded in the procurement and deployment of IT systems and services, ensuring resilience from the start:

  • Set procurement policies that require pre-purchase security evaluations.
  • Demand vendor compliance with security standards and practices.
  • Include contract clauses for patching, disclosures, and incident notifications.
  • Perform security risk assessments during the acquisition process.
  • Harden configurations and test systems before deployment.

6. Policies and Procedures for Evaluating the Effectiveness of Cybersecurity Risk Management Measures

It’s not enough to deploy controls—NIS2 requires proving they work. Organizations must monitor performance and adapt measures based on effectiveness:

  • Define KPIs and metrics to assess control effectiveness.
  • Run security audits, penetration tests, and compliance assessments.
  • Track remediation efforts from evaluation findings.
  • Report results to senior leadership regularly.
  • Refine policies and controls using threat intelligence and performance data.
Lanir Shacham
CEO, Faddom

Lanir specializes in founding new tech companies for enterprise software: assembling and nurturing a great team, taking early-stage funding through to late-stage growth, growing from one design partner to hundreds of enterprise customers, moving from MVP to enterprise-grade product, spanning low-level kernel engineering to AI/ML and big data, and going from one advisory board to a long list of shareholders and board members of the world’s largest VCs.

Tips from the Expert

In my experience, here are tips that can help you better adapt to the topic of application dependency mapping (ADM):

  1. Implement a phased approach

    Start with critical applications and their dependencies before expanding to less critical ones. This helps manage complexity and prioritize key areas first.

  2. Regularly update dependency maps

    Ensure maps are continuously updated to reflect changes in the environment. Automate this process where possible to maintain accuracy.

  3. Integrate with CI/CD pipelines

    Embed ADM tools within your CI/CD workflows to identify potential dependency issues early in the development lifecycle, reducing downstream problems.

  4. Conduct dependency audits

    Periodically review and audit application dependencies to identify outdated, redundant, or vulnerable components, ensuring they are replaced or upgraded as needed.

  5. Leverage AI and machine learning

    Use AI-driven ADM tools to predict and identify hidden dependencies and potential bottlenecks, enhancing overall visibility and performance.

7. Use of Cryptography and Encryption

To secure sensitive data, organizations must implement strong encryption standards and manage cryptographic keys rigorously:

  • Use recognized encryption standards (e.g., AES-256, TLS 1.3).
  • Encrypt data in transit and at rest, especially sensitive or personal data.
  • Secure communication between endpoints and across networks.
  • Establish robust key management practices (rotation, audit, revocation).
  • Review encryption schemes periodically to ensure compliance and strength.

8. Human Resources Security, Access Control, and Asset Management

NIS2 emphasizes securing the human and physical elements of cybersecurity. This means managing people, access, and assets with clear controls:

  • Integrate security into hiring, training, and termination processes.
  • Enforce least privilege with role-based access controls and duty segregation.
  • Conduct regular access reviews during role changes or offboarding.
  • Maintain accurate inventories of hardware, software, and data assets.
  • Classify and protect assets by criticality, and securely dispose of old equipment.

9. Use of Multi-Factor Authentication and Secure Communication

To protect against unauthorized access and data leaks, organizations must enforce MFA and secure communication across all systems:

  • Require MFA for admin, remote, and sensitive-system access.
  • Use secure protocols (e.g., SFTP, TLS) for communication and file sharing.
  • Replace outdated protocols that lack encryption or use weak ciphers.
  • Train users on secure communication and enforce policy adherence.

10. Compliance Monitoring and Continuous Improvement

Compliance with NIS2 is not a one-time exercise. Organizations must continuously monitor, audit, and improve their cybersecurity to keep meeting NIS2 requirements:

  • Set up internal audit procedures and automated compliance monitoring.
  • Use tools and dashboards for real-time visibility into control performance.
  • Feed audit results and incident lessons into policy and training updates.
  • Regularly refine controls and practices based on feedback and best practices.

Supporting NIS2 Compliance with Faddom

Meeting the demands of NIS2 goes beyond simply using checklists; it requires continuous visibility into your IT infrastructure. Faddom offers agentless, real-time application dependency mapping across hybrid environments, enabling organizations to document their assets, understand interdependencies, and detect vulnerabilities without disrupting operations.

Faddom streamlines the process of achieving compliance with NIS2’s technical and organizational requirements, covering everything from risk assessments and incident response to governance reporting and digital supply chain mapping. With deployment in under 60 minutes, Faddom is the fastest way to gain clarity and control for long-term cybersecurity readiness.