What is NIS2?

NIS2 is the EU's updated cybersecurity law — and it changes who is responsible for cybersecurity, what they must do, and what happens when they don't. If your organisation operates in a critical or important sector, compliance is no longer optional. Here is what you need to know.

Who Does NIS2 Apply To?

NIS2 applies to medium and large organisations (50+ employees or €10M+ turnover) in two categories:

⚠️ Essential Entities

Subject to the strictest obligations and proactive supervision. Includes:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, road, water)
  • Banking & financial market infrastructure
  • Healthcare & pharmaceuticals
  • Drinking water & wastewater
  • Digital infrastructure (cloud, DNS, data centres)
  • Central & regional government
  • Space

📋 Important Entities

Subject to similar obligations but reactive supervision. Includes:

  • Postal & courier services
  • Waste management
  • Chemicals
  • Food production & distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social platforms)
  • Research organisations
Smaller organisations may also be in scope. Size thresholds do not apply if the organisation is deemed critical to society or the economy, is a sole provider of an essential service, or operates critical infrastructure. If you are unsure, assume you are in scope until assessed otherwise.

What NIS2 Requires — Article 21

Article 21 sets out ten mandatory cybersecurity risk-management measures. These are not optional guidelines — they are legal obligations.

🛡 Risk Management

Regular risk assessments of network and information systems. Documented policies for identifying, assessing, and managing cybersecurity risks.

🚨 Incident Handling

Processes for detecting, responding to, and reporting significant incidents. 24-hour initial notification, 72-hour full report to national authorities.

💾 Business Continuity

Backup management, disaster recovery, and crisis management procedures — including tested recovery capabilities for ransomware and other operational disruptions.

🔗 Supply Chain Security

Assessment and management of security risks in relationships with direct suppliers and service providers. Third-party risk management is explicitly required.

🔐 Access Controls

Policies for access management, multi-factor authentication, privileged access control, and zero-trust principles across network and information systems.

🎓 Awareness & Training

Security awareness programmes for all personnel. Employees must be trained to recognise and respond to cybersecurity threats — including phishing and social engineering.

NIS2 Penalties

🚫 Essential Entities

Fines up to €10 million or 2% of global annual turnover — whichever is higher. Plus: temporary management bans, public disclosure of violations, and mandatory compliance audits.

⚠️ Important Entities

Fines up to €7 million or 1.4% of global annual turnover — whichever is higher. Reactive supervision with the same enforcement powers available to authorities.

How Magic Stone helps with NIS2 compliance

NIS2 compliance requires both regulatory expertise and operational security controls. Magic Stone delivers the technical side — ransomware protection, email security, endpoint protection, backup, network security, supply chain risk management, and AI governance — all chosen to satisfy Article 21's requirements directly.

For the compliance assessment, gap analysis, and governance framework, we work in partnership with GRSee — NIS2 compliance specialists.

NIS2 Assessment — find out where you stand →

Your NIS2 Roadmap — from where you are to where you need to be →

Frequently Asked Questions

If you operate in one of the listed sectors and have 50+ employees or €10M+ turnover, you are likely in scope. Some smaller organisations are also in scope if deemed critical. The safest approach is to assume you are in scope and verify — the cost of a scoping assessment is far lower than the cost of non-compliance discovered during enforcement.
NIS2 was adopted in December 2022 with a transposition deadline of October 2024. In the Netherlands, it entered into force in July 2025 through the Cybersecurity Act. Enforcement is active — the compliance clock is running.
Both categories face the same technical and governance obligations under Article 21. The difference is in supervision: essential entities are subject to proactive (ex ante) oversight — authorities can audit them at any time. Important entities face reactive (ex post) supervision — authorities investigate following an incident or complaint. The compliance requirements are effectively identical.
No. NIS2 and GDPR operate in parallel. GDPR governs the protection of personal data. NIS2 governs the security of network and information systems. Most organisations subject to NIS2 are also subject to GDPR. The good news: the security controls required by NIS2 significantly overlap with GDPR's requirement for appropriate technical measures — satisfying one generally advances compliance with the other.
DORA (Digital Operational Resilience Act) applies specifically to financial entities and ICT service providers serving the financial sector. For organisations in scope for both, DORA is considered the lex specialis — it takes precedence over NIS2 for financial sector requirements. The controls largely overlap, so meeting DORA generally satisfies the equivalent NIS2 requirements.
NIS2 requires a three-stage reporting process for significant incidents: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month. A "significant incident" is one that causes or could cause severe operational disruption, financial loss, or reputational damage. Failure to report within the required timelines is itself a compliance violation subject to penalties.

Ready to Get NIS2 Compliant?

Book an assessment with Magic Stone. We'll tell you whether you're in scope, what your obligations are, and what a compliance roadmap looks like for your organisation.

Book a NIS2 Assessment

Looking for Sales Assistance or have a General Inquiry?

Got a sales question or a general inquiry? Send us a message and we’ll respond as soon as possible.

Please enable JavaScript in your browser to complete this form.
Checkboxes

By submitting this form you agree to our Privacy Policy and consent to Magic Stone Cyber Security storing and processing your information to respond to your enquiry.

Follow us

This will close in 0 seconds

Scroll to Top