NIS2: strengthening cybersecurity in critical sectors in the European Union
The NIS2 Directive, officially Directive (EU) 2022/2555, is the EU's latest step to strengthen digital security across Europe. Published in December 2022, NIS2 replaces the 2016 NIS Directive, extending its scope and introducing stricter security measures.
With the increase in cyberattacks in recent years, this legislation reflects the EU's priority in ensuring the resilience of critical infrastructure and essential services, reducing vulnerabilities in supply chains and digital operations. But how does this directive affect organizations?
What is the NIS2 Directive?
NIS2 aims to ensure a high level of cybersecurity in critical sectors, requiring companies to adopt specific measures, such as:
- Risk management and security policies for information systems;
- Business continuity and incident response plans;
- Supply chain security and cybersecurity training;
- Implementation of practices such as multi-factor authentication and data encryption.
NIS2 is an essential pillar for the European Union's digital security.
Which sectors and entities are covered?
Both public and private entities should assess the impact of NIS2 on their current cybersecurity posture, define a compliance plan, and understand the broader implications of non-compliance.
NIS2 covers, at European level, more than 100,000 organizations from 18 sectors.
It covers all medium or large entities (more than 50 employees and a turnover of more than 10 million euros). However, smaller entities may be affected if they classify themselves as "essential entities" or "important entities".
Implementation and key dates
- By 17 October 2024: Member States must adopt and implement the necessary measures to comply with the directive.
- By 17 January 2025: Certain types of entities must provide identifying information to the National Cybersecurity Authority.
- By 17 April 2025: Member States must publish lists of essential and important entities and entities providing domain name registration services.
- By 17 October 2027: The European Commission will evaluate the functioning of NIS2 and submit a report to the European Parliament and the Council, which should be reviewed every 36 months.
Although the deadline for transposition of NIS2 has passed, Spain and Portugal, as well as 21 other Member States, have yet to incorporate the directive into their national legislation.
As the transposition process is underway, Portuguese and Spanish entities must act immediately to implement the measures required by the directive, ensuring compliance and minimising cybersecurity risks.
How can organizations prepare?
Regardless of the stage of transposition, companies should take a proactive approach to prepare for NIS2:
- Risk assessment: Identify key security threats and gaps in current policies.
- Implementation of measures: Establish business continuity policies, secure communication channels and training for employees.
- Continuous monitoring: Ensure that the measures implemented remain effective and adjusted to the requirements of the legislation.
A strategic step towards digital security
More than a legal obligation, NIS2 is an opportunity for organizations to strengthen their digital infrastructures and increase the confidence of customers and stakeholders.
At Izertis, we recognize technological challenges and are experts in Cybersecurity, helping companies in their digital transformations. Adapt today, to ensure the safety of tomorrow.