PolicifyAI
Published March 2026 · 8 min read
NIS2 Directive: What It Means for Your Business
The NIS2 Directive significantly expands cybersecurity obligations across the EU.
NIS2 in Plain Terms
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated framework for cybersecurity across critical sectors. Member states had to transpose it into national law by 17 October 2024, at which point it repealed the original 2016 NIS Directive, significantly expanding both the scope of who it applies to and the obligations those entities must meet. Because it is a directive rather than a regulation, the precise duties, supervisory bodies and penalties are set in each member state's transposing law, so the details below describe the Directive's minimum requirements.
How NIS2 Differs from NIS1
The original Directive covered a narrow set of operators of essential services and digital service providers, and left member states to identify them individually. NIS2 broadens this substantially, adding sectors such as postal and courier services, waste management, chemicals, food production, manufacturing, digital providers, public administration and space, and expanding the existing digital infrastructure sector to cover data centres, CDNs, trust service providers and public electronic communications networks. Under NIS2, a size-cap rule applies directly: medium and large enterprises in covered sectors are in scope by default, without waiting to be designated. Certain entities are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers and sole providers of a service essential to society.
Essential vs Important Entities
- Essential entities: large entities in the Annex I sectors (energy, transport, banking and financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration and space), plus some size-independent categories such as DNS providers and trust service providers. They face proactive (ex ante) supervision including regular audits, inspections and security scans, as well as reactive supervision.
- Important entities: entities in the Annex II sectors (postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research), together with medium-sized entities in the Annex I sectors that do not qualify as essential. They face reactive (ex post) supervision, triggered by evidence or indications of non-compliance such as an incident or a complaint.
Cybersecurity Risk Management Measures
NIS2 (Article 21) requires covered entities to take appropriate and proportionate technical, operational and organisational measures, following an all-hazards approach, including at least:
- Risk analysis and information system security policies
- Incident handling procedures
- Business continuity (backups, disaster recovery) and crisis management plans
- Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers
- Security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate
Incident Reporting: The Two-Stage Timeline
A "significant incident" is one that has caused or can cause severe operational disruption or financial loss, or that has affected or can affect other persons by causing considerable material or non-material damage. For such incidents, Article 23 sets out:
- Early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Intermediate status reports on request of the competent authority or CSIRT
- Final report no later than one month after the 72-hour notification, covering a detailed description, the type of threat or root cause, mitigation measures applied and any cross-border impact (if the incident is still ongoing at that point, a progress report is due instead, with the final report within one month of the incident being handled)
Management Liability
Under Article 20, the management bodies of essential and important entities must approve the cybersecurity risk management measures, oversee their implementation, and can be held liable under national law for infringements. Members of management bodies are also required to follow cybersecurity training, and should offer similar training to employees. Approval and oversight sit with the management body itself, so signing off a policy without understanding or monitoring it does not discharge the obligation.
Penalties
Essential entities face administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. For essential entities that fail to remedy infringements within a set deadline, authorities can also temporarily suspend certifications or authorisations for the relevant services and temporarily ban individuals at CEO or legal-representative level from exercising managerial functions.
Need a policy for your business?
Generate a legally-formatted, AI-reviewed policy in under 60 seconds.
Generate your policy →