What is the NIS2 Directive?
The updated EU cybersecurity legislation introduces stricter requirements for entities in critical and important sectors.
The NIS2 Directive (Network and Information Security Directive 2) is updated European Union legislation designed to strengthen the cybersecurity resilience of critical and important entities across member states.
Building on the original NIS Directive, NIS2 aims to elevate the overall level of cybersecurity in the EU by harmonizing practices, enforcing stricter compliance rules, and enhancing cooperation between member states, regulatory authorities, and organizations.
The directive entered into force on 16 January 2023, and member states were required to transpose its provisions into national law by 17 October 2024. In Finland, the national transposition has been slightly delayed, with the new Cybersecurity Act expected to take effect in the spring of 2025.
Who does the NIS2 Directive apply to?
NIS2 significantly expands the scope of the original directive to cover more sectors and a far larger number of organizations. It applies primarily to medium and large organizations operating in defined critical sectors that meet the following size thresholds:
| Entity Size | Headcount (FTE) | Annual Turnover | Balance Sheet Total |
|---|---|---|---|
| Large Entities | ≥ 250 | > €50 Million | > €43 Million |
| Medium Entities | 50–249 | > €10 Million | > €10 Million |
The size classes follow the EU SME definition (Commission Recommendation 2003/361/EC): the headcount threshold alone is enough to place an entity in a class, whereas the two financial thresholds apply jointly, so an entity with fewer than 250 staff is still "large" if it exceeds both the turnover and the balance sheet figure.
[!NOTE] Regardless of size, NIS2 may also apply to smaller entities under special circumstances, such as when an entity is the sole provider of a service essential for critical social or economic activities in a member state, or where a service disruption could cause systemic or cross-border impacts.
Essential and Important Entities
Entities falling under the scope of NIS2 are classified into two categories: Essential Entities and Important Entities.
1. Essential Entities
This category applies to large companies in highly critical sectors (medium-sized companies in these sectors are generally classified as Important). A few entity types are Essential regardless of size, notably qualified trust service providers, TLD name registries and DNS service providers, and medium-sized providers of public electronic communications networks or services are also treated as Essential:
- Energy: Electricity, oil, natural gas, district heating/cooling, hydrogen, and EV charging station operators.
- Transport: Air, rail, water, and road transport.
- Banking & Financial Markets: Credit institutions, trading venue operators, and central counterparties.
- Health: Healthcare providers, reference laboratories, pharmaceutical R&D, and medical device manufacturing.
- Water Supply: Drinking water distribution and wastewater collection/treatment.
- Digital Infrastructure: DNS providers, TLD registries, cloud computing, data centers, CDN networks, and public telecommunications networks/services.
- B2B ICT Services: Managed Service Providers (MSPs) and Managed Security Service Providers (MSSPs).
- Public Administration: Public sector agencies and central government departments.
- Space: Operators of ground-based space infrastructure.
2. Important Entities
This category applies to medium and large companies in the following sectors:
- Postal and Courier Services
- Waste Management (collection, treatment, and disposal of waste)
- Chemicals (manufacturing, production, and distribution)
- Food (industrial production, processing, and wholesale distribution)
- Manufacturing: Medical devices, computers, electronics, electrical equipment, machinery, and motor vehicles.
- Digital Providers: Online marketplaces, search engines, and social media platforms.
- Research Organizations
- Domain Name Registration Services
[!IMPORTANT] Supply Chain Security: NIS2 places heavy emphasis on securing supply chains. Organizations under the scope of the directive must assess the cybersecurity practices of their direct suppliers and service providers. If you are an IT supplier or subcontractor to a NIS2-regulated entity, you should expect your customers to pass these security requirements on to you through contracts and vendor assessments, even if your own company does not meet the directive's direct criteria.
What are the key requirements of NIS2?
The directive mandates that organizations implement cybersecurity risk management measures and establishes strict reporting obligations.
1. Cybersecurity Risk Management
Organizations must implement a comprehensive security risk management framework covering:
- Policies and Risk Assessments: Written security policies and regular, documented assessments of cyber risks.
- Incident Handling: Incident response procedures to detect, isolate, and mitigate security breaches.
- Business Continuity: Backup management, disaster recovery plans, crisis management, and emergency communications.
- Supply Chain Security: Managing security risks related to suppliers, partners, and vendors.
- Secure Development: Ensuring security in the acquisition, development, and maintenance of network and information systems (security by design), including vulnerability handling and disclosure.
- Effectiveness Audits: Regularly auditing, measuring, and testing the effectiveness of implemented security controls.
- Cyber Hygiene & Training: Training employees on basic cyber hygiene (e.g., recognizing phishing attempts).
- Cryptography & Encryption: Implementing encryption for data at rest and data in transit where appropriate.
- Access Control & Asset Management: Enforcing the principle of least privilege, multi-factor authentication (MFA) or continuous authentication, secured communications, monitoring of privileged accounts, and maintaining an inventory of assets.
2. Reporting Obligations for Significant Incidents
In the event of a significant security incident, organizations must notify the relevant authority (in Finland, the NCSC-FI at Traficom) in three stages:
- Early Warning (24h): Submitted within 24 hours of becoming aware of the incident, indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
- Incident Notification (72h): Submitted within 72 hours of becoming aware of the incident, updating the early warning with an initial assessment of severity, impact, and indicators of compromise where available.
- Final Report (1 month): Submitted no later than one month after the incident notification, detailing the root cause, severity and impact, mitigation measures taken, and any cross-border impact. The authority may also request intermediate status reports in the meantime.
3. Administrative Fines
Non-compliance with the NIS2 requirements can result in significant financial penalties:
- Essential Entities: Fines of up to €10,000,000 or 2% of the organization’s total worldwide annual turnover in the preceding financial year (whichever is higher).
- Important Entities: Fines of up to €7,000,000 or 1.4% of the organization’s total worldwide annual turnover in the preceding financial year (whichever is higher).
How can Tekve help you achieve NIS2 compliance?
Tekve’s experts have hands-on experience in cybersecurity leadership and implementing frameworks like ISO 27001, which closely align with NIS2 requirements.
We help your organization achieve full compliance through a structured, 6-step process:
- Gap Analysis (Current State Assessment): We assess your current security maturity and identify the gaps between your current practices and NIS2 requirements.
- Risk Management Implementation: We establish an ongoing, practical risk assessment process to identify, analyze, and prioritize security threats.
- Security Policies & Documentation: We draft and update your security policies, business continuity plans, and response playbooks.
- Staff & Management Training: We deliver practical security awareness training to help your staff and leadership recognize modern threats.
- Supply Chain Risk Management: We evaluate your vendor and subcontractor networks to ensure your supply chain meets the required security standards.
- Incident Management Setup: We build incident detection, escalation, and reporting workflows to ensure you meet the strict 24h/72h notification windows.