NIS2 compliance & implementation for critical and regulated sectors

Understand whether your organisation falls under NIS2 and what you must implement to comply.

Strengthening organisational resilience under NIS2

NIS2 introduces stricter, formalised cybersecurity obligations with broad applicability across sectors. The combination of expanded scope and defined governance requirements makes compliance complex for many organisations.

Leverage our experience across DORA, ISO 27001, NIST, PCI DSS, the Cyber Resilience Act, and SOC 2 to meet these new obligations with clarity and control.

Key NIS2 objectives

1. Implementing effective risk management measures

2. Ensuring corporate and personal accountability

3. Establishing transparent security reporting in case of incidents

4. Developing a business continuity plan in case of cyber incidents

18 – critical sectors covered by NIS2 (11 high-criticality sectors in Annex I, 7 other critical sectors in Annex II)

€10M or 2% of global annual turnover, whichever is higher – maximum fine for essential entities (€7M or 1.4% for important entities)

+150K – companies estimated to be affected by NIS2

Work with an NIS2 consultancy partner experienced in regulated sectors

NIS2 mandates formal governance, operational security controls, and executive accountability. You need a consultancy with regulated-sector experience, technical depth, and the ability to deliver practical remediation guidance.

Critical infrastructure and regulated sector delivery

We have delivered security programmes in high-criticality sectors directly impacted by NIS2. This means we understand operational resilience, supply chain scrutiny, and regulatory oversight in practice.

Cross-framework expertise (DORA, ISO 27001, NIST, SOC 2)

Most organisations already operate within established frameworks. We map NIS2 obligations to ISO 27001, NIST, and DORA controls to minimise duplication and align compliance efforts efficiently.

Senior-led engagements

NIS2 introduces executive accountability. All work is led by our own senior consultants who understand governance structures, board reporting, and regulator-facing documentation.

Board and executive advisory support

We support leadership teams in understanding personal accountability under NIS2, including governance responsibilities, risk oversight, and supervisory engagement.

All certifications conferred upon AMR CyberSecurity Limited remain valid under its current legal entity. The SOC 2 attestation applies to Infinum only.

NIS2 compliance & implementation services

Want to achieve NIS2 compliance?

Contact us to meet compliance requirements quickly and effectively.


Getting started with Network and Information Systems Directive 2

Navigating the complex landscape of cybersecurity regulations can be a daunting task for any organisation. The Network and Information Systems Directive 2 (NIS2), adopted by the European Union and transposed into the national law of each member state, represents a significant escalation in these requirements, demanding robust security strategies and compliance measures from a broad range of entities.

What is the NIS2 Directive and why it matters now

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated and expanded cybersecurity legislation, replacing the original 2016 NIS Directive and aiming to raise the baseline of cybersecurity across EU member states against disruptive cyber incidents. Member states were required to transpose it into national law by 17 October 2024. With cyber threats becoming more sophisticated and prevalent, NIS2 introduces stricter requirements for a wider array of entities, making compliance an urgent priority.

Minimum cybersecurity measures under NIS2

NIS2 mandates a comprehensive, all-hazards approach to security and risk management. Article 21 requires organisations to implement a range of technical, operational, and organisational security measures, proportionate to the risk they face, designed to prevent and minimise the impact of cybersecurity incidents. Key pillars include:

Robust risk management measures

Adopting a proactive approach to risk management: maintaining documented policies on risk analysis and information system security, identifying and assessing vulnerabilities within networks and information systems, implementing appropriate security measures, and periodically assessing how effective those measures are.

Comprehensive incident reporting and handling

Establishing clear procedures for detecting, assessing, and reporting incidents to the national CSIRT or competent authority, alongside developing robust incident response capabilities. For significant incidents, NIS2 sets a staged reporting timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

Business continuity and crisis management

Developing and maintaining plans for incident handling, disaster recovery, business continuity, and crisis management to maintain essential services and minimize disruption.

Supply chain & third-party risk management

Implementing measures to secure the organisation's own supply chain and to manage cyber risk arising from direct suppliers and service providers, including assessing each supplier's security practices and embedding security requirements in contracts.

Strengthening network & information system security

Establishing access control, asset management, multi-factor or continuous authentication, cryptography and encryption policies, secured communications, and network segmentation measures, together with secure practices for acquiring, developing, and maintaining systems, including vulnerability handling and disclosure.

Governance, accountability, and personnel training

Ensuring basic cyber hygiene practices and adequate training and awareness programmes for personnel and management. Management bodies must approve the risk management measures, oversee their implementation, and undergo training themselves, and can be held personally liable for breaches of these duties.

Failure to adhere poses substantial risks, including hefty financial penalties and severe reputational damage. Our expert NIS2 compliance services are designed to provide your organization and digital infrastructure with the comprehensive support and strategic guidance needed to not only meet these obligations but also to fortify your cyber security posture against evolving cyber threats.

Who does NIS2 affect? Scope and applicability

NIS2 significantly broadens the scope of entities covered, categorising organisations into "essential" and "important" entities. It encompasses sectors such as energy, transport, banking, health, digital infrastructure, public administration, and certain manufacturing industries. As a rule, medium-sized and larger entities in these sectors are in scope, with some entities (for example certain digital infrastructure and public administration providers) covered regardless of size. If your organisation provides services or carries out activities within the European Union in these or related sectors, NIS2 likely applies to you.

Essential entities

High-criticality sectors such as energy, transport, health, digital infrastructure, public administration, drinking water and wastewater, and space. If designated essential under national law, you are subject to proactive (ex ante) supervision and higher penalties. We help you implement defensible controls, governance structures, and reporting mechanisms. Note: financial entities are primarily governed by the Digital Operational Resilience Act (DORA), which is lex specialis. Although banking and financial market infrastructure are listed in NIS2 Annex I, DORA generally takes precedence for in-scope financial organisations.

Important entities

Manufacturing, food production and distribution, digital providers, postal and courier services, research, chemicals, and waste management. If your organisation meets the size thresholds and operates in one of the listed sectors (as transposed by your member state), you may fall within scope. Important entities are supervised reactively (ex post), but the security obligations are the same. We clarify applicability and structure proportionate compliance measures.

Supply chain & ICT providers

Even if not directly in scope, suppliers to essential or important entities face increased scrutiny. NIS2 strengthens third-party risk requirements and contractual security obligations. We help you prepare for supplier assurance reviews, audits, and security due diligence.

Your path to NIS2 compliance

Enhanced cyber resilience, operational stability, and competitive advantage

Achieving NIS2 compliance significantly enhances your cyber resilience, reducing the likelihood and impact of disruptive events, thereby ensuring operational stability. Furthermore, demonstrable adherence to NIS2 builds trust with customers, partners, and regulators, establishing a competitive advantage in the market.

Integration with broader regulatory compliance

Our services ensure your NIS2 efforts are integrated with existing compliance obligations like General Data Protection Regulation (GDPR), Digital Operational Resilience Act (DORA), and Critical Entities Resilience Directive (CER), creating a cohesive regulatory strategy.

Future proofing your cybersecurity posture

By adopting robust security measures and proactive risk management, you can future-proof your organization against emerging cyber threats.

Why choose expert services for your NIS2 journey?

Choosing us means partnering with a team of seasoned cybersecurity and compliance professionals dedicated to your success. With years of experience within regulatory compliance, we offer a pragmatic, risk-based approach, simplifying complexity and transforming regulatory burdens into strategic advantages. Our expert services offer a clear, strategic path to fortify your defenses, meet regulatory demands, and ensure operational continuity. We provide the support, frameworks, and security measures necessary to navigate this critical landscape confidently.

Want to become NIS2 compliant?

NIS2 is not a certification scheme: compliance is demonstrated to your national competent authority through implemented measures, governance, and evidence. Don't let the complexities of NIS2 compliance expose your organisation to unnecessary risk. Contact us today for a consultation and discover how we can help you secure your operations and avoid penalties.
