NIS2 in 2024: Which companies must comply with the new EU cybersecurity directive?
What is NIS2?
NIS2 (Directive (EU) 2022/2555, the Network and Information Security Directive 2) is the updated EU directive aimed at raising the cyber resilience of essential and important organisations. It replaces the original NIS Directive of 2016 and significantly expands the range of companies required to comply with its rules. Member States had to transpose it into national law by 17 October 2024, which is why its obligations take effect from 2024 onwards.
Key objectives of NIS2:
- Strengthening cybersecurity standards for businesses and infrastructure
- Tightening requirements for risk management, incident handling and incident reporting
- Expanding the scope of organizations subject to the directive
- Increasing oversight and imposing significant penalties for non-compliance
Do you want to receive additional materials to prepare for NIS2? Fill out the form to receive useful information and templates that will help your organisation adopt NIS2.
Who Falls Under NIS2?
The directive classifies in-scope organisations into two main groups:
- Essential Entities – large companies operating in the high-criticality sectors of Annex I (plus a few provider types that are covered regardless of size, see below).
- Important Entities – medium-sized companies in Annex I sectors, and medium-sized or large companies in the "other critical" sectors of Annex II.
Criteria (NIS2 uses the EU SME definition from Recommendation 2003/361/EC, which counts headcount, turnover and balance-sheet total):
- Large – 250 or more employees, or annual turnover above €50 million together with a balance-sheet total above €43 million.
- Medium – 50 to 249 employees, or a smaller headcount with both annual turnover and balance-sheet total above €10 million (while staying below the large thresholds).
Micro and small companies are generally out of scope, with two exceptions. First, some provider types are covered regardless of size: providers of public electronic communications networks and services, DNS service providers, TLD name registries, qualified trust service providers and central government public administration. Second, a Member State may bring in a smaller entity if it is the sole provider of a service essential to critical societal or economic activity, if a disruption of its service could significantly affect public safety, security or health, or if it is otherwise critical because of its specific importance at national or regional level.
1. Companies Directly Affected by NIS2 (Essential and Important Entities)
Essential Entities (Annex I: Sectors of High Criticality)
Essential and important entities are subject to the same risk-management and reporting obligations; the difference lies in supervision (essential entities face proactive, ex ante supervision and regular audits) and in the maximum fines. The following sectors are in Annex I:
Energy Sector
- Power plants, grid operators (including renewable energy such as solar and wind)
- Gas companies (extraction, transport, storage, distribution)
- Oil and petrochemical industries
- Nuclear facility operators
Transport and Logistics
- Airlines and airports
- Railway operators and stations
- Seaports and river ports
- Metro and tram networks
- Freight transport (land, sea, air)
Banking and Financial Sector
- Credit institutions (commercial and investment banks)
- Financial market infrastructure: trading venues (stock exchanges) and central counterparties
Note: for financial entities the Digital Operational Resilience Act (DORA, Regulation (EU) 2022/2554) is the sector-specific law that takes precedence over NIS2 for ICT risk management and incident reporting; payment service providers and processors are covered by DORA rather than by NIS2 directly.
Healthcare
- Healthcare providers: hospitals, clinics and medical centres
- EU reference laboratories
- Entities carrying out research and development of medicinal products (including biotechnology firms doing such work)
- Manufacturers of basic pharmaceutical products and preparations, and their distributors
- Manufacturers of medical devices considered critical during a public health emergency (other medical device manufacturers fall under manufacturing in Annex II, i.e. important entities)
Water Supply and Wastewater Management
- Water supply and purification companies
- Wastewater treatment operators
Digital Infrastructure
- Data centre service providers
- Cloud computing service providers (SaaS, PaaS, IaaS)
- Internet exchange points, DNS service providers and TLD name registries (the latter two regardless of size)
- Providers of public electronic communications networks and services: ISPs, mobile and fixed telecommunications operators, VoIP providers (essential entities from medium size upwards)
- Trust service providers and content delivery network providers
Public Sector
- Public administration entities of central government (covered regardless of size)
- Regional public administration entities, as defined by each Member State
- Municipal administrations and education institutions only where a Member State decides to include them
Important Entities (Annex II: Other Critical Sectors)
These companies have the same security and reporting obligations but lighter, reactive (ex post) supervision and lower maximum fines. Medium-sized companies in the Annex I sectors above are also important rather than essential entities.
Manufacturing
- Machinery production
- Automotive industry
- Electronics manufacturing
- Food production
ICT and Digital Services
- Digital providers: online marketplaces, online search engines and social networking platforms
- Managed service providers (IT outsourcing) and managed security service providers; note that this "ICT service management (business-to-business)" sector is actually in Annex I, so large providers are essential entities
- Software development companies are not named as a sector; they usually come into scope as suppliers of regulated entities (see section 2)
Postal and Courier Services
- National and private postal operators
- Large logistics companies (DHL, FedEx, etc.)
Research Institutions
- Universities handling critical data
- Research centers developing digital technologies
- R&D departments of major companies
Telecommunications
Providers of public electronic communications networks and services (mobile network operators, VoIP and IP telephony providers) belong to the digital infrastructure sector of Annex I and are essential entities from medium size upwards; they are not important entities.
2. Companies Indirectly Affected by NIS2
NIS2 also affects companies that are not listed in either annex but work within the ecosystem of essential and important entities. Article 21 obliges those entities to manage supply-chain risk, including the security practices of their direct suppliers and service providers, so the requirements flow down through contracts.
IT Service Providers
- Cybersecurity companies (unless they act as managed security service providers, which are directly in scope)
- Software developers building components for critical systems
- Small cloud and hosting providers below the size thresholds (medium and large cloud providers are directly in scope under Annex I)
Consulting and Outsourcing Firms
- Financial auditors
- Legal firms working with critical organizations
- IT outsourcing companies
SMEs in the Supply Chain
- Manufacturers of hardware and software for NIS2-regulated companies
- Contractors providing technical maintenance for critical infrastructure
- Startups developing solutions for key industries
FinTech and Blockchain Companies
- Cryptocurrency exchange operators
- Payment service providers
- FinTech startups collaborating with banks
3. Companies That May Be Added by a Member State
Some organisations are not automatically included under NIS2 but can be brought into scope by national law (Article 2(2)) regardless of their size if they:
- Are the sole provider in a Member State of a service essential for critical societal or economic activities
- Provide a service whose disruption could significantly affect public safety, public security or public health, or could induce a significant systemic risk
- Are critical because of their specific importance at national or regional level for a particular sector or type of service (for example, a specialised subcontractor or a medical software start-up whose product is critical to hospitals)
Member States may also extend the directive to local-level public administration and to education institutions.
Business Risks Under NIS2
Penalties
- Essential entities: administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher
- Important entities: administrative fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher
- Personal liability for members of management bodies, who must approve and oversee the risk-management measures; for essential entities, authorities can also temporarily ban individuals from exercising managerial functions
Inspections and Sanctions
- National competent authorities gain extended powers to conduct audits and inspections, request information and issue binding instructions
- For persistent violations by essential entities, authorities can temporarily suspend a certification or authorisation for the relevant services
Loss of Clients and Contracts
- Non-compliant companies may be excluded from tenders and supply chains of major clients
How to Prepare?
NIS2 significantly expands cybersecurity regulation in the EU. Not only large corporations but also medium-sized companies are now directly in scope, and through supply-chain requirements many smaller suppliers are affected as well.
If your company operates in IT, finance, energy, transportation, or healthcare, you need to start preparing for NIS2 now.
Steps to Ensure Compliance:
- Determine whether you are in scope – check your sector (Annex I or II) and size, and register with the national competent authority where required
- Audit your current cybersecurity posture – measure it against the minimum measures of Article 21: risk analysis and information security policies, incident handling, business continuity (backups, disaster recovery, crisis management), supply-chain security, security in acquiring, developing and maintaining systems including vulnerability handling, procedures to assess the effectiveness of measures, cyber hygiene and training, cryptography and encryption policies, human resources security, access control and asset management, and multi-factor authentication and secured communications
- Set up incident reporting – a significant incident requires an early warning to the CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification within 72 hours and a final report no later than one month after the notification
- Train management and staff – management bodies must approve the risk-management measures and follow training themselves, and can be held personally liable
- Review your supply chain – include security requirements in contracts with suppliers and service providers and verify that they are met
How InDevLab Can Help
At InDevLab, we provide end-to-end solutions for full NIS2 compliance – from audits and risk assessments to technical implementation and staff training.
We help companies avoid fines and minimize cybersecurity risks.
Want an audit and compliance analysis for your organization? Fill out the form on our website.