What is NIS2?
NIS2 is the EU's updated cybersecurity law — and it changes who is responsible for cybersecurity, what they must do, and what happens when they don't. If your organisation operates in a critical or important sector, compliance is no longer optional. Here is what you need to know.
Who Does NIS2 Apply To?
NIS2 applies to medium and large organisations (50+ employees or €10M+ turnover) in two categories:
⚠️ Essential Entities
Subject to the strictest obligations and proactive supervision. Includes:
- Energy (electricity, gas, oil, hydrogen)
- Transport (air, rail, road, water)
- Banking & financial market infrastructure
- Healthcare & pharmaceuticals
- Drinking water & wastewater
- Digital infrastructure (cloud, DNS, data centres)
- Central & regional government
- Space
📋 Important Entities
Subject to similar obligations but reactive supervision. Includes:
- Postal & courier services
- Waste management
- Chemicals
- Food production & distribution
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social platforms)
- Research organisations
What NIS2 Requires — Article 21
Article 21 sets out ten mandatory cybersecurity risk-management measures. These are not optional guidelines — they are legal obligations.
🛡 Risk Management
Regular risk assessments of network and information systems. Documented policies for identifying, assessing, and managing cybersecurity risks.
🚨 Incident Handling
Processes for detecting, responding to, and reporting significant incidents. 24-hour initial notification, 72-hour full report to national authorities.
💾 Business Continuity
Backup management, disaster recovery, and crisis management procedures — including tested recovery capabilities for ransomware and other operational disruptions.
🔗 Supply Chain Security
Assessment and management of security risks in relationships with direct suppliers and service providers. Third-party risk management is explicitly required.
🔐 Access Controls
Policies for access management, multi-factor authentication, privileged access control, and zero-trust principles across network and information systems.
🎓 Awareness & Training
Security awareness programmes for all personnel. Employees must be trained to recognise and respond to cybersecurity threats — including phishing and social engineering.
NIS2 Penalties
🚫 Essential Entities
Fines up to €10 million or 2% of global annual turnover — whichever is higher. Plus: temporary management bans, public disclosure of violations, and mandatory compliance audits.
⚠️ Important Entities
Fines up to €7 million or 1.4% of global annual turnover — whichever is higher. Reactive supervision with the same enforcement powers available to authorities.
NIS2 compliance requires both regulatory expertise and operational security controls. Magic Stone delivers the technical side — ransomware protection, email security, endpoint protection, backup, network security, supply chain risk management, and AI governance — all chosen to satisfy Article 21's requirements directly.
For the compliance assessment, gap analysis, and governance framework, we work in partnership with GRSee — NIS2 compliance specialists.
NIS2 Assessment — find out where you stand →
Your NIS2 Roadmap — from where you are to where you need to be →
Frequently Asked Questions
Related
Ready to Get NIS2 Compliant?
Book an assessment with Magic Stone. We'll tell you whether you're in scope, what your obligations are, and what a compliance roadmap looks like for your organisation.
Book a NIS2 Assessment