May 2024

The Business Implications of NIS2

The NIS2 directive will be implemented by autumn 2024 and, building on the NIS1 directive, is a notable advancement in the European Union’s approach to cybersecurity. The primary goal of NIS2 is to harmonise interpretations of cybersecurity risk management and reporting obligations. It mandates EU members to implement national cybersecurity strategies and set up suitable supervisory bodies. However, how will this impact private business, and which organisations must brace themselves for new obligations?



According to the directive, these sectors are divided into two. The first category covered by Annex I expands on strategic sectors covered by NIS1 (energy, transport, financial institution, healthcare, ICT). The groundbreaking difference with NIS2 is the newly added category of Annex II sectors encompassing a wide range of industries such as waste management, chemicals, food production, and various types of manufacturing.

Essential or Important

In principle, large enterprises operating in Annex I will be classified as essential, while those medium-sized and/or active entities in Annex II will be considered important. This differentiation leads to the establishment of varied supervisory regimes for essential and important entities, striking a balance between the need for oversight and added administrative burdens on entities and authorities. Essential entities are subject to more comprehensive supervision, whereas important entities face a lighter scrutiny, based on ex post evaluation in the event of incidents.

Supply Chain

The reach of NIS2 extends beyond essential and important entities directly affected by its provisions. It emphasises the importance of cybersecurity resilience throughout the supply chain. As a result, entities not directly governed by NIS2 may find themselves subject to new cybersecurity obligations through contractual agreements with partners compliant with NIS2.


NIS2 only establishes a foundational framework of rules; the specifics will be determined by each member state. Given the extensive applicability of these new cybersecurity regulations, businesses and their advisors should monitor governmental proposals concerning NIS2 implementation and the measures to be adopted in each country.

For more details, get in touch with the author, Head of Compliance Jeremiasz Kuśmierz.

Originally published Spring 2024 in GGI FYI