5 Key Changes from NIS1 to NIS2


The transition from NIS1 to NIS2 marks a significant evolution in the EU's approach to cybersecurity.
NIS1 laid the groundwork for network and information systems security, focusing primarily on essential service providers, while NIS2 expanded this framework, incorporating a wider range of sectors and entities, and emphasizing the need for robust cybersecurity practices.
And while many EU Member States including Germany have yet to implement the NIS2 Directive, the implementation of the directive is inevitable. Organizations should take this time to ensure preparedness and familiarize themselves with the key changes that NIS2 brings.
Delay in Implementation of NIS2
The directive entered into force on January 16, 2023, and required EU Member States to transpose it into national legislation by October 17, 2024.
However, as of January 2025, only Belgium, Croatia, Hungary, Italy, Latvia, and Lithuania had adopted national legislation transposing the directive. In several other Member States, including France, Germany, the Netherlands, and Sweden, the European Commission found that the draft transposition laws had not yet been adopted.
This has created a fragmented implementation landscape across the EU, with varying levels of preparedness and compliance.
In countries where the draft laws transposing the directive were not yet adopted into law, there is no legal basis to compel organizations to comply with some of the biggest changes brought by NIS2 over its predecessor, NIS1. This is confirmed by the European Commission, stating that "For a directive to take effect at national level, Member States must adopt a law to transpose it."
However, with the transposition on the horizon, organizations should closely monitor developments at the national level, staying aware of any updates or changes to the transposed legislation.
This additional time allows organizations to understand the key differences between NIS1 and NIS2, thoroughly assess their cybersecurity measures, identify any gaps in compliance, and make the necessary adjustments to align with the new requirements.
Key differences - NIS1 vs NIS2
1. Scope Expansion
The transition from NIS1 to NIS2 brings significant changes in the scope of entities covered under the directives.
While NIS1 focused primarily on operators of essential services (OES) in critical sectors such as energy, transport, water, banking, financial market infrastructures, health, and digital infrastructure, NIS2 mandates compliance from a wider array of organizations that play critical roles in the digital economy. This includes organizations in the water supply sector, the food supply sector, postal and courier services, the digital infrastructure sector and others.
You can find an overview of additional sectors covered by NIS2 below and the full breakdown of each sector and their subsectors covered by NIS2 in Annex 1, page 64 of the NIS2 directive.
Embracing this expanded scope promotes a more resilient cybersecurity framework across Europe, eliminating weak links created by previously exempted sectors and organizations.
Additionally, the NIS2 Directive categorizes entities into essential entities and important entities, with different levels of supervision and penalties. Essential entities provide critical services such as energy and healthcare and are subject to stricter rules because disruption of their services has a large impact on society. Important entities, while still crucial, have a smaller impact on daily life and therefore face lighter requirements, though they must still maintain high cybersecurity standards.
Lastly, NIS2 lowers the size threshold, bringing into scope more small and medium-sized enterprises (SMEs) that play a critical role in these sectors.
2. Risk Management and Cybersecurity Requirements
While NIS1 already required organizations to implement risk management practices, NIS2 introduced stricter requirements compared to its predecessor. This shift reflects the evolving landscape of cybersecurity threats and the need for organizations to enhance their defenses.
The stricter requirements focus primarily on supply chain security and third-party risks, as these areas have been identified as significant vulnerabilities in the cybersecurity ecosystem.
The directive mandates that organizations:
- Implement Encryption Protocols: Organizations must ensure that sensitive data is encrypted both at rest and in transit, using industry-standard encryption protocols. This will help protect against unauthorized access and data breaches.
- Establish Business Continuity Measures: Organizations must have business continuity plans in place to ensure the timely recovery of critical systems and data in the event of a cyber incident. This includes regular backups, redundancy measures, and testing of these plans to validate their effectiveness.
- Conduct Regular Assessments: Organizations will be required to conduct regular assessments of their cybersecurity measures, as well as the cybersecurity measures of their suppliers, ensuring that any potential weak links are identified and addressed promptly.
- Improve Employee Awareness: Human error remains one of the leading causes of cyber incidents. NIS2 emphasizes the importance of employee awareness and training programs to educate staff on cybersecurity best practices, such as identifying phishing attempts, using strong passwords, and reporting suspicious activity.
By implementing these stricter requirements, NIS2 aims to strengthen the overall cybersecurity posture of organizations operating in critical sectors. These requirements are specifically designed to ensure organizations can effectively respond to and recover from cyber incidents, minimizing potential disruptions to their operations.
It acknowledges that cybersecurity is a collective responsibility, encompassing not only individual organizations but also their suppliers and partners.
3. Incident Reporting
Under NIS2, significant changes have been made to incident reporting mechanisms compared to NIS1.
NIS2 requires organizations to establish incident response teams and procedures, ensuring a swift and coordinated response to cyber incidents.
Key differences include:
- Expanded Notification Timelines: Entities are now required to report incidents within 24 hours of becoming aware of them, with a follow-up report after 72 hours and a final report within a month. This is a notable shift from the previous timelines under NIS1. Timely reporting is crucial because it enables national authorities to take the actions needed to mitigate potential threats and protect critical infrastructure. This improved information sharing promotes a coordinated approach to cybersecurity challenges.
- Clarified Protocols: The directive emphasizes standardized protocols for incident reporting. Organizations must ensure that their processes align with the new requirements to facilitate swift responses. This includes a NIS2-established central platform where organizations can report incidents, facilitating streamlined information sharing and coordination between stakeholders.
By mandating these changes, NIS2 aims to improve situational awareness and enable timely response to cyber threats. It emphasizes the importance of information sharing and collaboration, recognizing that a collective effort is crucial in mitigating the evolving cybersecurity landscape.
4. Harmonization Across EU Member States
The transition from NIS1 to NIS2 brings significant enhancements in collaboration and consistency among EU Member States.
While NIS1 provided more discretion to national authorities to decide which entities fall under its regulations, NIS2 outlines uniform criteria for classifying organizations, reducing fragmentation.
Additionally, NIS2 mandates improved cooperation frameworks for EU Member States, emphasizing the need for Member States to work closely together.
A crucial aspect of this directive is the establishment of channels for sharing threat intelligence, enabling organizations to stay informed about emerging cyber threats.
These changes result in a more structured approach to responding to cyber incidents, allowing for timely interventions and resource allocation during critical situations.
5. Enforcement and Penalties
The transition from NIS1 to NIS2 introduces significant changes in the enforcement of the directive, particularly regarding penalties for non-compliance.
Non-compliant entities may face substantial fines, which can greatly affect their financial stability. The fine structure under NIS2 is designed to deter negligence and ensure adherence to cybersecurity requirements, with fines of up to €10,000,000 or 2% of total global revenue for the previous year, a significant increase compared to NIS1.
Additionally, company management is now explicitly accountable for overseeing cybersecurity measures, emphasizing their role in ensuring compliance. Executives face potential repercussions for breaches, linking organizational performance directly to individual accountability. As a result, companies may need to adapt their hierarchies, creating dedicated roles focused on cybersecurity governance.
The shift towards greater accountability ensures that key stakeholders remain vigilant and proactive against cyber threats.

What are the Risks of Not Complying with the NIS2 Directive?
Failing to comply with the directive can have severe consequences for organizations. Apart from the significant financial penalties, non-compliant entities may also face reputational damage, loss of customer trust, and potential legal action from affected parties.
These risks include:
- Administrative Fines: The penalties for violating the NIS2 directive can be as high as €10 million or 2% of a company's global annual revenue.
- Enforcement Actions: Authorities can investigate and audit organizations that don't comply. These audits can reveal further security issues, leading to scrutiny, mandatory system upgrades, or business interruptions.
- Reputational Damage: In some cases, companies may be required to publicly announce their non-compliance resulting in reputational damage.
- Operational Disruptions: Failure to implement robust cybersecurity measures increases the risk of data breaches, which can result in service disruption and a loss of revenue.
- Personal Sanctions: In cases of gross negligence, top management may be held personally accountable for security breaches, resulting in temporary bans from managerial roles.
Conclusion
The transition from NIS1 to NIS2 is a necessary step in strengthening cybersecurity across the EU.
The directive's expanded scope and stricter requirements reflect the evolving nature of cyber threats and the need for a proactive approach to safeguard critical infrastructure and essential services.
While there has been a significant delay in the implementation of NIS2 among EU Member States, organizations must take immediate action to assess their current security measures, identify gaps, and implement cybersecurity strategies to ensure compliance with the directive.
Failure to do so can have far-reaching consequences, impacting both the financial viability and reputation of the entity.
Important: The content of this article is for informational purposes only and does not constitute legal advice. The information provided here is no substitute for personalized legal advice from a data protection officer or an attorney. We do not guarantee that the information provided is up to date, complete, or accurate. Any actions taken on the basis of the information contained in this article are at your own risk. We recommend that you always consult a data protection officer or an attorney with any legal questions or problems.