
cyberbytes issue 3/25 – The Who, What, When, and Why: NIS 2 Directive (Directive (EU) 2022/2555)

27.06.2025
Reading time: 5 min.

Created using OpenAI’s DALL·E (2025)

 

In a Nutshell:

 

NIS 2 is a major update to the EU’s 2016 Network and Information Security Directive (NIS 1). It broadens the range of organisations in scope, imposes stricter and more detailed cybersecurity obligations, sets clearer incident-reporting rules, and introduces tougher enforcement. Medium-sized and large entities in the essential and important sectors across the EU have been in scope since the transposition deadline of October 17, 2024, which has already elapsed. Although Switzerland is not an EU Member State, Swiss entities are still affected by NIS 2: indirectly, through their EU-based clients and partners, or through Swiss legislation that is increasingly aligned with it, such as the Information Security Act (ISG) and upcoming KRITIS-related laws and ordinances.

 

Who (does NIS 2 impact)?

 

Broader Scope: While NIS 1 focused mainly on operators of essential services in critical infrastructure sectors (energy, transport, banking, healthcare, drinking water, digital infrastructure) and a few types of digital service providers, NIS 2 adds sectors such as public administration, waste and wastewater management, food production and distribution, postal and courier services, space, manufacturing, chemicals, research, and a wider set of digital infrastructure and digital providers (e.g., data centres, cloud computing, managed (security) service providers, social networking platforms).

 

Size-Cap Rule: NIS 2 introduces a uniform size-cap rule: medium-sized and large entities (in the EU’s SME definition, those with at least 50 employees or an annual turnover or balance sheet total above €10 million) operating in the covered sectors fall within its scope. Certain providers are covered regardless of size because of their criticality, for example DNS service providers, top-level domain name registries, trust service providers, and providers of public electronic communications networks or services. Member States can also bring smaller entities into scope where they are the sole provider of a service essential to society or where a disruption could have a significant cross-border impact.

 

Essential vs. Important Entities: Entities are now categorised as „essential“ (in general, large entities in the sectors of high criticality listed in Annex I, such as energy, transport, banking, healthcare, drinking water, digital infrastructure and central public administration) or „important“ (medium-sized entities in those sectors, plus medium-sized and large entities in the other critical sectors of Annex II, such as manufacturing, postal services, food and digital providers). Both categories must meet the same risk-management and reporting obligations; the difference lies in the supervisory regime (proactive, ex-ante supervision of essential entities versus reactive, ex-post supervision of important ones) and in the maximum fines.

 

Swiss Entities: EU-based subsidiaries or branches of Swiss companies fall directly under NIS 2 obligations if they operate in a covered sector and meet the size cap. Swiss companies offering products or services to the EU market, participating in EU supply chains, or acting as suppliers to EU critical infrastructure or digital service providers may be required by their European partners to meet NIS 2 standards contractually, since those partners must manage supplier risk under the directive. In addition, certain digital infrastructure and digital providers established outside the EU but offering services within it (e.g., DNS, cloud computing, data centre, content delivery network, managed service and online platform providers) must designate a representative in an EU Member State and are supervised there (Art. 26).

 

Finally, sectors covered by NIS 2, some newly added (such as manufacturing) and some with expanded coverage (healthcare, digital infrastructure, finance), as well as, in the Swiss context, Alpine tourism-related infrastructure, are increasingly regulated in Switzerland through aligned laws (e.g., ISG, upcoming KRITIS laws and ordinances).

 

What (does NIS 2 entail)?

 

Stricter Security Requirements: NIS 2 mandates more comprehensive, risk-based cybersecurity measures than NIS 1, covering technical, operational, and organisational controls. Article 21 lists the minimum measures: policies on risk analysis and information system security; incident handling; business continuity (backups, disaster recovery, crisis management); supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; cyber hygiene practices and regular cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control and asset management; and the use of multi-factor or continuous authentication and secured communications. In practice most entities address these through an information security management system (ISMS), although the directive itself does not prescribe one.

 

Incident Reporting: The directive sets clearer and stricter incident-reporting obligations than NIS 1 (Art. 23). Entities must report significant incidents (those that cause or are capable of causing severe operational disruption or financial loss, or considerable damage to other persons) to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be malicious or to have cross-border impact; an incident notification within 72 hours with an initial assessment of severity, impact and indicators of compromise; intermediate reports on request; and a final report no later than one month after the 72-hour notification (or, if the incident is still ongoing at that point, a progress report followed by a final report within one month of handling it). Recipients of the service must also be informed where a significant cyber threat could affect them.

 

Governance and Accountability: NIS 2 places accountability directly on management bodies (Art. 20), which must approve the cybersecurity risk-management measures, oversee their implementation, undergo training themselves, and can be held liable for infringements and non-compliance.

 

Supply Chain Security: For the first time, NIS 2 explicitly addresses supply chain and supplier-relationship security, recognising the interconnected nature of modern business. Entities must take into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of their products and cybersecurity practices, including their secure development procedures (Art. 21(3)).

 

Stronger Enforcement: Under NIS 2, national authorities have greater powers to supervise, audit, and enforce compliance, with the ability to impose substantial fines for non-compliance.

 

When (did these changes come into force)?

 

Directive in Force: NIS 2 entered into force on January 16, 2023, twenty days after its publication in the Official Journal of the EU on December 27, 2022.

 

Transposition Deadline: Unlike EU regulations, EU directives do not apply automatically. Instead, they set goals that every Member State must achieve, leaving each country with an obligation to pass its own national laws to implement the directive. The deadline for EU Member States to transpose NIS 2 into national law was October 17, 2024, and its provisions apply from October 18, 2024, the date on which NIS 1 was repealed.

Some national laws foresee transition periods for parts of the obligations, but in countries that transposed on time most obligations applied from October 2024.
As of mid-2025, many EU Member States have yet to complete transposition. As shown in the table below, many European countries have not yet issued a national law implementing the NIS 2 directive.

 


This delay has created a patchwork of obligations across the EU. Some countries (like Belgium and Italy) have enforceable laws, whereas others (like Germany and France) are still in the legislative process, resulting in uncertainty when it comes to cross-border compliance.


Until a country transposes NIS 2 into its national law, its provisions are not legally enforceable against entities in that country. Despite the lack of national laws, multinational organisations are advised to prepare for NIS 2 and comply with its provisions based on the text of the directive itself, the laws of countries where NIS 2 has already been transposed (e.g., Belgium, Italy), and the anticipated national laws in countries where drafts are still being discussed.

 

Swiss Context: As mentioned, Swiss entities that do business in the EU may already be subject to NIS 2 provisions through their EU establishments or partners and are therefore also bound by the deadlines above. Switzerland is also proactively aligning its own legislation through revisions to the Information Security Act (ISG; see our previous cyberbyte for more info), including the reporting obligation for cyberattacks on critical infrastructure that applies since April 1, 2025, and through upcoming KRITIS-related laws based on NIS 2 principles. The Swiss legislative process is ongoing, with the aligned laws expected to take effect by 2027, including grace periods for compliance.

 

Why (do these changes matter)?

 

Addressing Evolving Threats: The digital threat landscape is ever evolving, with cyberattacks increasing in both frequency and sophistication. NIS 2 is designed to address these new risks and close gaps left by the original directive (NIS 1).

 

Harmonisation and Resilience: By expanding its scope and harmonising requirements across the EU, NIS 2 aims to raise the baseline of cybersecurity, reduce inconsistencies between Member States, and ensure that critical services remain operational even during major incidents.

 

Protecting Society and the Economy: The directive seeks to protect essential services and infrastructure, ensuring the continuity of vital functions in the face of intensifying cyber threats, and safeguarding the EU’s internal market and digital society.

 

Consequences: NIS 2 backs its requirements with both incentives and sanctions: compliance mitigates cyber risk and protects an organisation’s financial stability, operational continuity, and leadership credibility, while the threat of multi-million-euro fines, coupled with personal liability for executives, makes cybersecurity a boardroom priority:

 

  • Financial Penalties

 

    • Essential Entities face administrative fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for failing to implement the required security measures or to meet their reporting obligations.

 

    • Important Entities risk fines of up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher).

 

    • These fines are designed to be “effective, proportionate, and dissuasive,” reflecting the criticality of the sectors involved.

 

  • Managerial Accountability

 

    • Personal Liability: Members of management bodies (e.g., CEOs, or CISOs who sit on the board) can be held personally liable for infringements of the risk-management obligations, for example for failing to address known risks or to comply with binding remediation orders (Art. 20 and 32).

 

    • Temporary Bans: Where an essential entity fails to comply with enforcement orders within the set deadline, authorities can temporarily prohibit the persons with managerial responsibility at CEO or legal-representative level from exercising managerial functions in that entity (Art. 32(5)).

 

  • Non-Monetary Enforcement

 

    • Operational Disruptions: Authorities can issue binding compliance orders, designate a monitoring officer to oversee corrective actions and, for essential entities, temporarily suspend a certification or authorisation for the relevant services or activities.

 

    • Public Naming: Authorities can order an entity to make aspects of its infringements public, damaging stakeholder trust and market reputation.

 

  • Reputational and Operational Fallout

 

    • Customer and Partner Distrust: Publicised breaches or compliance failures can lead to customer churn, contract cancellations, and investor hesitation.

 

    • Increased Scrutiny: Non-compliant organisations face frequent audits, mandatory security upgrades, and rushed investments in tools or training, straining resources.

 

find out more:

 

 

Interested in what the NIS 2 Directive means for your company?

 

Joshua Bucheli (cyberunity AG) and John Corona (Osmond GmbH) look forward to hearing from you!

 

stay tuned for more
look out for our next cyberbyte on the question of ransomware payment bans

 