June 30, 2025 Cybersecurity

NIS 2 Directive: a coordinated framework to strengthen cybersecurity in Europe

Understanding NIS2 and its impact on European businesses

NIS2 Directive

The NIS2 Directive: the new pillar of cybersecurity in Europe

Cybersecurity in Europe has become a strategic priority. With the entry into force of the NIS2 Directive, the European Union establishes a more ambitious, robust and coordinated framework to protect critical infrastructure and digital services. At SETEK, we explain what this new directive means, who it affects and how to prepare for compliance.

What is the NIS2 Directive and what are its objectives?

The NIS2 Directive (Network and Information Security 2) is the evolution of the first NIS Directive of 2016. Its main objective is to reinforce cybersecurity in Europe through greater regulatory harmonisation, inter-state coordination and stricter requirements for essential and digital sectors. Specifically, it aims to:

  • Improve incident response capability.
  • Reduce security gaps in the supply chain.
  • Strengthen organisational resilience against cyber threats.
  • Drive senior management responsibility in digital risk management.

Key changes from the original NIS Directive

  • The number of sectors and entities covered is expanded.
  • Stricter obligations on risk management and incident reporting.
  • Direct responsibility imposed on executive teams.
  • Non-compliance penalties comparable to GDPR.

Which entities must comply with NIS2

  • Essential entities: energy, transport, water, health, banking, digital infrastructure and public services.
  • Important entities: technology, postal and courier, critical manufacturing and digital services (cloud platforms, data centres).

Minimum security and risk management requirements

  • Multi-factor authentication and access management.
  • Updated incident response policies.
  • Continuous supply chain security assessment.
  • Regular staff training and crisis simulations.
  • Encryption and proactive monitoring systems.

Incident reporting obligations

  • Initial report: within 24 hours of detecting a significant incident.
  • Interim report: within the following 72 hours.
  • Final report: within a maximum of one month.

Role of senior management and corporate responsibility

  • Direct involvement in strategic cybersecurity decisions.
  • Personal responsibility for breaches and damages.
  • Specific training in digital risk governance.

Supervision, penalties and compliance mechanisms

Member States must designate national authorities with power to conduct audits, require remediation plans and impose administrative penalties of up to 2% of annual global turnover.

Impact of NIS2 on the supply chain

Companies must assess risks associated with suppliers and third parties, integrating controls such as third-party security audits, binding contractual clauses and joint incident response protocols.

How to prepare for NIS2 transposition and audit

  1. Assess your current situation with a gap analysis against NIS2.
  2. Establish a progressive compliance plan including training and technology.
  3. Designate an internal cybersecurity officer who reports directly to senior management.
  4. Prepare for internal and external audits.

The NIS2 Directive is not just an obligation but an opportunity to strengthen your organisation against 21st-century threats. At SETEK, we are experts in integrating security and IT governance solutions adapted to the European framework. Contact us and take your company’s cybersecurity to the next level.