EU's new cybersecurity directive: NIS 2

Published on April 18, 2024

The European Union has advanced its cybersecurity with the Network and Information Security (NIS 2) Directive, in effect since January 16, 2023. This update broadens the coverage of security protocols, affecting a wider range of sectors.

The Czech law must incorporate this directive by October 16, 2024, with enforcement expected by the end of this year. Organizations will first need to register with the National Cyber and Information Security Authority (NUKIB) and then meet the new security requirements within a year.

What’s new in NIS 2?

NIS 2 marks a major step-up from NIS 1. NIS 1 targeted essential service operators and digital service providers. NIS 2 broadens its scope to medium and large entities in many other sectors. It brings stricter supervisory actions, detailed risk management and tougher reporting duties. These changes aim to strengthen the cybersecurity framework across the European Union.

Who needs to comply?

The new directive applies to medium and large businesses, meaning those with more than 50 employees or annual revenue above EUR 10 million. It also covers enterprises that are linked to or partnered with such businesses, even if they do not themselves fall into the medium or large category.

Also, certain small and micro-sized enterprises, especially those in critical infrastructure or digital services, must comply.

The directive affects primarily the following sectors:

  • public administration
  • energy
  • digital infrastructure
  • transport
  • banking
  • healthcare
  • food production

How to comply?

Companies must take several important steps to comply with NIS 2. Based on its sector and size, each entity will fall under a regime of higher or lower obligations.

These obligations can include:

  • performing thorough cyber risk assessments
  • keeping cybersecurity at the required levels
  • providing targeted training to enhance security awareness
  • securely managing access and authentication data
  • protecting the integrity of IT infrastructure
  • managing and reporting security incidents
  • establishing secure supply chain management practices

Failing to comply can lead to heavy fines, potentially up to 2 % of the entity's worldwide turnover or EUR 10 million.

In a nutshell

With NIS 2 enforcement expected to start by 2025, companies should begin to evaluate its impact right now. This allows for time to adjust internal processes to meet the new requirements. The directive, together with the DORA (Digital Operational Resilience Act) regulations for financial institutions, represents a significant enhancement in Europe's cybersecurity landscape. Legal advice can help you to ensure compliance and optimize security strategies. Reach out to our experts here.
