The NIS 2 Directive, part of the European strategy to enhance cybersecurity, introduces stricter rules for companies and organizations considered essential or important. This regulation, which replaces the previous NIS Directive, requires EU member states to implement it by October 2024, with significant implications for both the private and public sectors.

The main changes introduced by the NIS 2 Directive:
  • Expanded scope: Beyond strategic sectors such as energy, transport, and healthcare, the directive now includes digital service providers, ICT infrastructure, waste management, and other critical areas.
  • Board-level responsibility: Cybersecurity becomes a direct responsibility of boards of directors, who must approve and oversee the measures implemented.
  • Reporting obligations: Significant incidents must be reported within 24 hours, followed by a detailed report within 30 days.
  • Advanced security measures: Companies must adopt risk management policies, business continuity, and supply chain protection measures, as well as strengthen cyber hygiene.

Challenges for businesses

Implementing the NIS 2 Directive can be challenging, particularly for small and medium-sized enterprises. Key obstacles include the complexity of the required security measures, the management of IT and OT infrastructures, and the coordination of cyber incident notifications. Nevertheless, the process presents an opportunity to enhance digital resilience and mitigate long-term risks.

How to adapt quickly

To effectively address these requirements, companies can:

  • Conduct regular risk assessments to identify vulnerabilities.
  • Implement progressive compliance measures, including certifications such as ISO 27001.
  • Leverage government incentives or European funds to mitigate the economic impact of new regulations.
  • Integrate cybersecurity into the corporate strategy, engaging management at all levels.

Complying with the NIS 2 Directive is not just a requirement, but a step towards more secure and resilient management of critical infrastructure, essential to ensure continuity and trust in the European economic and digital context.