Get ready for NIS2
What is the NIS2 Directive?
The Network and Information Security Directive (NIS2) is the EU’s updated cybersecurity law, designed to increase digital resilience across essential and important sectors. It sets stricter security requirements, faster incident reporting timelines and introduces significant penalties for non-compliance.
For many small and medium-sized companies, NIS2 represents a major shift. It requires documented policies, structured processes, clear responsibilities and ongoing risk and supplier management. NIS2 entered into force at EU level in January 2023, and the deadline for Member States to transpose the Directive into national law was 17 October 2024. Organisations must now be able to demonstrate compliance as local laws are being rolled out across Europe.
Who must comply with NIS2?
NIS2 applies to essential and important entities across the EU. This includes companies in sectors such as:
- Energy, transport, water, waste
- Healthcare
- Digital infrastructure & cloud services
- IT service management
- Public administration
- Food production and supply
A significant number of small and medium-sized companies fall under NIS2 because they provide critical digital services or support the supply chains of larger, regulated organisations.
NIS2 affects suppliers and smaller companies too
Even companies not directly classified under NIS2 can still be impacted. Because NIS2 places strong emphasis on supply-chain security, larger organisations must manage cybersecurity risks in their suppliers and service providers. As a result, many smaller businesses will be asked to demonstrate structured processes, documented controls and basic risk management.
Trustlinks is designed to make this easy. It helps suppliers show NIS2-aligned practices in a clear and organised way, making it easier to meet customer expectations and stay competitive without needing a dedicated compliance team.
What NIS2 requires
- Risk assessment and security policies
- Incident detection and response
- Business continuity and crisis management
- Supply-chain and supplier risk management
- Secure network and system architecture
- Multi-factor authentication and access control
- Vulnerability handling and patch management
- Staff training and cyber awareness
Organisations must report major incidents within strict timelines: an early warning within 24 hours, a more detailed incident notification within 72 hours, and a final report no later than one month after the incident.
Compliance, clarity and control
The EU’s cybersecurity agency reports that many organisations in NIS2 sectors still show significant gaps in maturity and readiness. With rising threats and stricter rules, structured compliance tools are no longer optional, but essential.
Estimates suggest the number of EU entities with cybersecurity obligations will rise from around 20,000 to roughly 300,000 under NIS2.
The global average cost of a data breach reached about €4.5 million in 2024.
More than 2,200 cyberattacks occur every day worldwide — roughly one attack every 39 seconds.
The challenge for organisations
For companies, especially small and medium-sized, NIS2 compliance creates immediate obstacles:
- No dedicated compliance or security team
- Limited time to understand detailed legal requirements
- Scattered documents and unclear responsibilities
- Difficulty assessing risks or managing suppliers
- No existing framework for reporting obligations
- Pressure from customers who demand proof of compliance
- Serious financial consequences for non-compliance, with fines of up to €10 million or 2% of global annual turnover for essential entities
Achieve NIS2 compliance with Trustlinks
Trustlinks translates complex NIS2 requirements into clear, practical steps.
Start with a clear, structured, and intuitive setup aligned with NIS2 requirements, including predefined controls, policy templates and documentation guidance.
This helps your company to get started quickly without needing deep compliance expertise. No guessing, everything is laid out in a clear, logical flow so your team knows exactly where to begin.
Every requirement is broken down into practical step-by-step tasks explained in a clear manner.
You can assign responsibilities and tasks to colleagues, set deadlines and follow progress from one place. Automated reminders keep everyone on track, making compliance a shared responsibility across the organisation.
Trustlinks includes easy-to-use tools for identifying and assessing risks, tracking mitigation activities and documenting improvements over time.
Supplier oversight is part of the workflow, helping you record assessments, follow up on actions and demonstrate supply-chain monitoring — all central expectations under NIS2.
All your compliance records in one secure, organised space, including policies, controls, reviews, supplier data and evidence files.
Trustlinks helps you maintain a clear audit trail that reflects your ongoing compliance efforts and keeps your organisation prepared for internal checks or external requests.
Trustlinks supports your incident handling work with guided reporting workflows and templates that help you prepare early warnings, 72-hour notifications and follow-up documentation when needed.
When stakeholders request proof of your compliance status, you can generate structured, professional reports that give a clear overview of progress, controls and outstanding tasks.
Get ready for NIS2
If you have questions about Trustlinks or want to explore how our platform supports your NIS2 compliance work, contact us and our team will be happy to help.
Frequently asked questions about NIS2 compliance
What is the NIS2 Directive and why does it matter?
NIS2 is the EU’s updated cybersecurity directive designed to strengthen digital resilience across essential and important sectors. It introduces stricter security controls, supply-chain oversight, incident reporting deadlines and penalties for non-compliance. Any organisation in a regulated sector, or supplying one, should understand its requirements.
Who must comply with NIS2?
NIS2 applies to medium and large organisations in sectors such as energy, transport, healthcare, digital services, finance and public administration. Smaller companies may also be affected indirectly if they provide services to entities covered by the directive, as supply-chain cybersecurity is now a key requirement.
What are the main NIS2 compliance requirements?
NIS2 requires organisations to implement cybersecurity risk management, incident detection and reporting, access control, encryption, business continuity, supplier risk monitoring, and regular training. Organisations must document their processes and demonstrate compliance to regulators when requested.
What happens if my organisation is not compliant with NIS2?
Non-compliance can result in regulatory investigations, mandatory corrective actions, reputational risk and administrative fines. For essential entities, fines can reach up to €10 million or 2% of global annual turnover, while important entities may face fines of up to €7 million or 1.4% of global annual turnover.
Management may be held accountable for failing to implement appropriate cybersecurity measures. Strong compliance also reduces the risk of cyber incidents and service disruptions.
How does Trustlinks help organisations meet NIS2 requirements?
Trustlinks provides a guided compliance framework with predefined workflows, documentation templates, evidence storage, supplier management tools and step-by-step guidance. This helps organisations understand requirements, implement controls efficiently and demonstrate compliance transparently.
Does NIS2 require specific documentation?
Yes. Organisations must maintain clear evidence of cybersecurity controls, incident response plans, risk assessments, supplier evaluations and reporting procedures. Trustlinks centralises all documentation in one place, making it easy to update and demonstrate compliance.
Do small organisations need to worry about NIS2?
Even if not directly regulated, small companies often need to meet NIS2-related security expectations when working with larger partners. Many enterprises now request proof of cybersecurity measures from suppliers. Trustlinks makes this process simple and structured.