NIS2 is the EU directive that replaces the original NIS Directive of 2016. National transpositions were due by October 2024, and the scope is much broader than the previous regime: many medium-sized companies in sectors like digital infrastructure, manufacturing, food, postal services, and managed IT now fall in scope where they did not before.
If your company is in scope, you have to demonstrate four things to your national supervisory authority: cybersecurity governance, including a board that is accountable for security decisions; documented risk management proportionate to the size and risk profile of the business; incident reporting within 24 hours of becoming aware of an incident, with a follow-up report at 72 hours; and meaningful oversight of suppliers and managed service providers.
NIS2 does not specify which controls to implement, but ISO 27001 is the framework most organisations use to satisfy the substantive requirements. Companies that already operate an ISMS have less to do; companies that have never formalised security have a real programme to build. The fines (up to 10 million euros or 2% of global turnover for essential entities) are designed to make the deadline real.