NIS2 Directive: How Companies Can Meet Compliance & Cybersecurity Requirements
The NIS2 Directive introduces high standards and strict requirements to strengthen cybersecurity across the EU. Learn how to prepare and stay compliant.
Key Takeaways:
- Increasing cyber threats are leading to stricter security requirements for companies.
- The NIS2 directive extends the compliance obligations to more sectors and companies. Even after Brexit, UK businesses cannot ignore NIS2-style rules if they engage with the EU, whether by operating within member states, supplying critical entities, or being part of EU-focused supply chains. At least 160,000 companies are affected across the impacted entities (see table below), including many SMEs and even start-ups.
- Risk management and reporting obligations are key requirements of NIS2. Non-compliance may result in substantial fines and personal liability for company executives.
- F24 solutions help businesses manage security incidents, from emergency planning and compliance with reporting deadlines through to recovery.
What is NIS2?
NIS2 stands for the second Network and Information Security Directive. It is a revised version of the original NIS Directive, which was introduced in 2016. The aim of NIS2 is to increase the overall level of cybersecurity in the EU and protect more industries from cyber threats. The second directive came into force in October 2024, but many member states are still behind schedule. While some EU member states are still in the process of implementing the directive, it has already come into effect in certain countries. You can check the current implementation status across all EU countries using the NIS2 Tracker.


Who is obliged to comply with NIS2?
If you fall under “Essential Entities”, “Important Entities” or “Critical Infrastructures (KRITIS)”, you must comply with the NIS2 guidelines. Companies with at least 50 employees or an annual turnover of at least 10 million Euros are already subject to the requirements.
However, there are exceptions and not all measures apply equally to all sectors. For example, financial companies that fall under the DORA regulations, as well as operators of telecommunications networks, energy supply networks or energy systems and public administration are exempt from certain NIS2 measures.
NIS2 requirements
The new NIS2 directive sets Europe-wide minimum requirements for taking measures against cyber threats. The legal requirements are summarised here:
- Obligation to register, within 3 months
- Implementation & documentation of the 10 minimum measures for risk & incident management
- Professional proof of implementation and audits for KRITIS companies, for the first time after 3 years
- Reporting obligations for significant incidents: Initial report within 24h, confirmed initial report after 72h, final report after 4 weeks & progress reports if it takes longer than 4 weeks
- Duty to inform the public or customers in the event of incidents

Why Cyberattacks Are Often Not the Biggest Threat
The cyberattack itself is rarely the biggest challenge. The critical issues usually arise when processes are unclear: Who makes the decisions? Who informs whom? What deadlines apply? And how can communication remain effective under pressure?
This is where structured risk management becomes essential. Ambiguous workflows and undefined responsibilities often cause more damage than the attack itself. Under the NIS2 Directive, companies are required to establish risk management practices, develop procedures and concepts for cybersecurity measures, train employees, implement business continuity solutions, and report significant incidents within 24 hours. Affected organisations should adapt their strategies promptly to meet these requirements and ensure long-term resilience.
Risk analysis as part of the NIS2 directive
The NIS2 directive is closely linked to risk analysis as it requires organisations to design their security measures based on a comprehensive risk assessment. A key change is that with NIS2, organisations must also review the security in their supply chain to ensure that partners and suppliers do not introduce vulnerabilities into their own system.
Digital solutions, like those provided by F24, are particularly helpful here, as they automate processes, create transparency and increase efficiency.
Pragmatic implementation – how F24 helps you
Our FACT24 solution offers an all-in-one approach for implementing the 10 measures. It primarily supports companies in the preparation and management of security incidents, alerts, risk analyses and the distribution of information at critical moments.
FACT24 ENS+ enables:
- A structured alert system for all relevant individuals in the event of an emergency.
- Clear escalation levels, ensuring responsibilities are clearly defined and decisions can be made quickly.
- Integrated emergency communication via telephone and video conferencing, as well as secure chat – ensuring the organisation remains operational even in the event of IT failures or cyberattacks.
- Documentation and monitoring of incidents and actions.
- Risk assessment, prioritisation of incidents, and adherence to NIS2 reporting deadlines.
In addition, FACT24 EDU enables targeted training of the crisis team and management to optimally prepare them for dealing with crisis situations and the requirements of the NIS2 directive.
More than 5,500 Customers from All Industries
Trust the Services of F24 in Critical Situations.





Act Effectively in Times of Crisis with F24’s Smart Solutions
Don’t let an emergency turn into a crisis. Act clearly and decisively with the help of F24 solutions. Our products help crisis teams communicate consistently during critical situations. Our software helps organisations respond to situations using all communication channels in real time and notify the general public or targeted groups of people. Talk to us today to learn about our range of crisis response solutions.