Overview
As cybersecurity rises to the top of the corporate agenda, businesses face growing pressure to comply with the EU’s evolving regulatory landscape. Whether your company falls directly under EU cybersecurity laws or is indirectly affected through customers, suppliers, or partners, understanding your obligations is critical.
The EU is raising the bar through landmark legislation – most notably the NIS2 Directive, the Directive on the Resilience of Critical Entities (CER), the Cyber Resilience Act (CRA) and the Digital Operational Resilience Act (DORA) – to create a more secure and resilient digital environment across the EU.
These rules affect a wide range of businesses: from producers of food and technology infrastructure and ICT service providers to manufacturers of connected products and operators of critical infrastructure. The risks of non-compliance are significant, including substantial fines, management’s personal liability, operational restrictions, and reputational damage.
Addressing these challenges demands active engagement from leadership teams, the empowerment and education of key stakeholders, and the cultivation of a security-conscious culture that encompasses all employees.
Further information
The NIS2 Directive: Tougher Cybersecurity Requirements Across a Broad Range of Industries
The NIS2 Directive, which gradually replaces the original NIS Directive as of 18 October 2024, covers a wide range of entities, obligating them to implement strengthened cybersecurity measures, and is still in the process of transposition into local law.
The Directive allows all 30 EEA countries to introduce stricter local cybersecurity requirements. It is therefore essential to understand national specificities and make informed strategic decisions on how and when to implement them.
Our NIS2 Monitoring Tracker captures the local transposition process (orange: local NIS2 legislation not yet implemented; green: local NIS2 legislation implemented and in force), helping your team to put the NIS2 puzzle pieces together.
Discover more details below.
Scope
NIS2 applies to a wide range of entities operating across various sectors and industries, including:
- Digital infrastructure (including data center providers, providers of public electronic communications networks, cloud computing service providers),
- ICT service management (managed service/security service providers),
- Digital providers (including providers of online marketplaces and social networking services platforms),
- Manufacturing (e.g., industrial machinery and equipment, motor vehicles, computer, electronic and optical products, chemicals (including production and distribution)),
- Energy,
- Space,
- Transport,
- Health,
- Banking,
- Research,
…and more,
where those entities meet the size thresholds for medium or large enterprises and provide their services or conduct their activities within the EU. In addition, the NIS2 Directive applies to certain types of entities regardless of size, such as those designated as critical entities under the CER Directive.
Indirect impact on suppliers and business partners
Finally, even if your company is not directly regulated under NIS2, it may be indirectly impacted through business relationships with entities that are. This includes various cybersecurity program obligations they will be required to flow down to you as part of securing their supply chain.
Key obligations
Key obligations include registration, implementation of cybersecurity risk-management measures, incident reporting, supply chain security, and adoption of governance measures.
Management liability
The NIS2 Directive imposes personal liability on individuals within the management structures of NIS2-covered entities. The national laws transposing NIS2 that have been finalized so far include specific provisions confirming that individuals may have personal liability for violations of NIS2.
Importantly, personal liability extends beyond the board of directors and may apply to any individual acting as a legal representative with the authority to represent the company, to make decisions on its behalf, or exercise control over it. Depending on the local implementation, this may also include members of senior management.
Importance of knowing local requirements
In the local NIS2 transpositions, we have seen several significant local deviations that businesses need to look out for.
- In particular, in the registration process (e.g., via a platform vs. direct communication with the authority by email) and in special requirements (e.g., some countries require locally based representatives/points of contact for certain foreign entities).
- When adjusting the incident response processes, businesses must also review local incident reporting requirements (e.g., incident reporting thresholds) as some countries decided to specify these in the secondary legislation.
- Some countries also require cybersecurity risk-management requirements going beyond the NIS2 Directive (e.g., Hungary and Malta) and have introduced mandatory periodic external audits (e.g., Belgium, Hungary and Slovenia).
- In terms of scope, for example, the Slovak implementation of the NIS2 Directive imposes an obligation on entities covered by NIS2 and subject to the Slovakian NIS2 law to provide the Slovak authorities with a list of all particularly significant suppliers involved in the delivery of their services. These listed suppliers then themselves become subject to the Slovakian NIS2 law. This has a significant impact, e.g., on digital infrastructure providers (such as cloud providers) that could otherwise qualify for the NIS2 one-stop-shop mechanism and report to a single EEA regulator only, as they also become regulated by the Slovak NIS2 rules. This also increases the risk for those providers who are potentially subject to NIS2 but may not have registered with the local regulator yet.
Enforcement
For essential entities, national authorities have the power to enforce the rules with administrative fines of a maximum of at least EUR 10 000 000 or of a maximum of at least 2 % of the total worldwide annual turnover in the preceding financial year of the undertaking to which the essential entity belongs, whichever is higher.
Jurisdiction
Jurisdiction for enforcing NIS2 compliance, including against individuals responsible for compliance failures, depends on the service provided by the NIS2-covered company. As a general rule, NIS2-covered entities will be under the jurisdiction of the member state in which they are established. For certain types of services, there are, however, some specifics:
- For digital services (e.g., online marketplaces and social networking services platforms) as well as other one-stop-shop services (such as data centers, cloud computing providers, etc.), only the jurisdiction of the main establishment will be relevant.
- For telco providers, jurisdiction lies with each EEA Member State in which the service is provided (therefore potentially all 30 Member States).
Our team provides comprehensive cybersecurity support, from regulatory compliance with NIS2, DORA, and GDPR to incident response, vendor management, and product-level guidance. Whether you’re navigating policy developments or preparing for cyber threats, we deliver strategic, tailored solutions across the full lifecycle of cyber risk. Connect with our authors to learn how we can support your organization.