What is NIS2? A simple guide to the EU’s new cybersecurity law

The digital world keeps changing, and so do the risks. To help protect essential services and businesses, the European Union has introduced NIS2, a new law that strengthens cybersecurity across Europe.

So, what exactly is NIS2? And how does it affect your organisation? Here’s a quick explanation.

What does NIS2 mean?

NIS2 stands for Network and Information Security Directive 2. It’s an updated version of the EU’s first cybersecurity law (the NIS Directive from 2016).

The goal of NIS2 is to make Europe’s digital infrastructure more secure and resilient by setting clear rules for how organisations handle cybersecurity. It applies to many types of organisations, such as:

  • Energy and transport providers
  • Water, food production and distribution
  • Healthcare services
  • Digital infrastructure and cloud providers
  • Manufacturers of critical products

Why was NIS2 created?

The original NIS Directive was a good start, but cyber threats have become more frequent and complex. NIS2 was introduced to:

  • Strengthen cybersecurity across all EU member states
  • Improve cooperation between countries
  • Increase accountability for company management
  • Ensure incidents are handled and reported quickly

In short, it’s all about ensuring that vital services operate safely and without disruption.

What does NIS2 require?

Organisations covered by NIS2 must take specific actions to protect their systems and data, such as:

  • Managing cybersecurity risks
  • Implementing technical and organisational security measures
  • Reporting serious incidents within tight deadlines
  • Making management responsible for cybersecurity decisions

Failing to comply could result in fines of up to €10 million or 2% of annual turnover.

When does NIS2 apply?

The deadline for EU countries to implement NIS2 into national law was 17 October 2024. Some have completed this, while others missed the deadline and may not comply until late 2025.

Countries that have adopted NIS2 (national laws in place):

Belgium, Croatia, Cyprus, Czech Republic (in force 1 Nov 2025), Denmark, Finland, France, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Romania, Slovakia, Slovenia.

What if your country hasn’t passed a law yet?

NIS2 is an EU directive, so enforcement happens through each country’s national law. If your country hasn’t finished passing its law, its authorities can still face EU infringement action, and your organisation should prepare anyway, especially if you operate across borders or in countries that have already implemented NIS2.

Tip: Begin aligning with NIS2 controls – risk management, incident reporting, and supply-chain security – to prepare for upcoming national regulations.

How to get ready for NIS2

Here are a few good first steps:

  1. Check if NIS2 applies to your organisation.
  2. Review your current cybersecurity policies and controls.
  3. Make management aware of their legal responsibilities.
  4. Prepare a plan for incident response and reporting.

Compliance might sound complex, but with the right tools and guidance, it doesn’t have to be. You can read more about how to get compliant with NIS2 here.

Final thoughts

NIS2 is about more than just following rules; it’s about protecting your organisation, your customers, and your reputation in today’s interconnected environment.

At Trustlinks, we believe compliance should be simple and accessible. We help organisations stay confident, compliant, and in control. Do you need help understanding your NIS2 obligations? Trustlinks helps you navigate EU compliance with ease and confidence.
