
Who is subject to the NIS2 directive and what does its implementation mean in practice?

The NIS2 Directive introduces stricter requirements for cybersecurity and expands the scope of obligated entities to include many public and private organizations across essential and important sectors. In this article, learn who is covered by the directive, what the organizational obligations are, and what implementation entails in practice – from risk assessment and technical protection measures to incident reporting and potential penalties.

The NIS2 Directive (Directive (EU) 2022/2555) marks a significant step forward in strengthening cybersecurity within the European Union. It builds upon the original NIS (Network and Information Security) Directive adopted in 2016, the first EU-wide legal framework focused on cybersecurity. NIS2 entered into force in January 2023, and member states were required to transpose it into national law by 17 October 2024; Croatia did so through its Cybersecurity Act (Zakon o kibernetičkoj sigurnosti) in 2024. The goal of the directive is to bolster the resilience of network and information systems against increasingly frequent and sophisticated cyber threats, particularly in sectors vital to societal and economic stability.

 
What does NIS2 introduce?

Unlike its predecessor, NIS2 expands the list of covered sectors and imposes stricter requirements on organizations managing critical infrastructure or providing essential services. The directive distinguishes two categories, essential and important entities, based on the sector an organization operates in (Annex I "sectors of high criticality" versus Annex II "other critical sectors") combined with its size (see the criteria below):

1. Essential Entities
As a rule, these are large public and private organizations operating in the sectors of high criticality:

  • Energy (electricity, oil, gas)
  • Transport (air, rail, maritime, road)
  • Banking and financial market infrastructure
  • Healthcare (including hospitals and private clinics)
  • Drinking water supply and wastewater management
  • Digital infrastructure
  • ICT service management (business-to-business), i.e. managed service providers and managed security service providers
  • Space sector
  • Public sector (national and local government bodies)


2. Important Entities
These are medium-sized organizations in the sectors above, and medium-sized or large organizations in the other critical sectors, which, while not classed as high criticality, play a significant role in the daily functioning of society:

  • Postal and delivery services
  • Production and distribution of chemicals
  • Waste management
  • Manufacturing of machinery, medical devices, and electronic equipment
  • Provision of digital services (online marketplaces, search engines, social networking platforms)
  • Food production, processing, and distribution
  • Scientific research and educational institutions 

Criteria for Inclusion Under the NIS2 Directive

Beyond sector-specific inclusion, NIS2 uses the EU definition of small, medium-sized and large enterprises to determine whether, and in which category, an organization must comply:

  • Essential Entities: large enterprises in the sectors of high criticality, i.e. at least 250 employees, or annual turnover above €50 million and a balance sheet total above €43 million.
  • Important Entities: medium-sized enterprises (at least 50 employees, or annual turnover and balance sheet total above €10 million) in the sectors of high criticality, and medium-sized or large enterprises in the other critical sectors.

However, size is not the sole criterion. Certain types of entity are covered regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks and public administration entities. A smaller organization may also be brought into scope if it is the sole provider of a service in the country, if a disruption of its service could significantly affect public safety, public security or public health, or if it is otherwise deemed important for national security.

 
What does NIS2 implementation mean in practice?

Organizations covered by the NIS2 Directive must fulfill a wide range of obligations to ensure a high level of cybersecurity:

✅ Risk Assessment and Incident Management

  • Establishment of an Information Security Management System (ISMS)
  • Regular risk analysis and system security assessments
  • Documentation and management of cybersecurity incidents

✅ Security Measures and Recovery Plans

  • Access control, asset management and multi-factor or continuous authentication for information and systems
  • Policies on the use of cryptography and, where appropriate, encryption
  • Detection and prevention of cyberattacks, including vulnerability handling and disclosure
  • Supply chain security, including the security of relationships with direct suppliers and service providers
  • Business continuity, backup management, disaster recovery and crisis management planning

✅ Management Responsibility

  • Senior management holds direct accountability for cybersecurity
  • Employee training and ongoing compliance monitoring
  • Internal audits and security reviews

✅ Incident Reporting Obligations

  • Early warning within 24 hours of becoming aware of a significant incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
  • Incident notification within 72 hours, including an initial assessment of severity and impact and, where available, indicators of compromise
  • Final report no later than one month after the incident notification (a progress report if the incident is still being handled, followed by the final report within one month of its conclusion)
  • Reports must be submitted to the Croatian Personal Data Protection Agency (AZOP) and the National Cybersecurity Center (NCSC-HR); where personal data is affected, the separate 72-hour breach notification under the GDPR still applies

✅ Inspections and Penalties

  • Regulatory audits and inspections will be conducted
  • Non-compliance may result in fines of up to €10 million or 2% of the total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities

 
Why is it important to prepare in time?

NIS2 not only imposes legal obligations but also encourages organizations to adopt a strategic approach to cyber resilience. Cybersecurity is no longer just a technical issue—it’s a critical business concern. Timely preparation enhances trust among customers, partners, and the wider market.

 
Contact Us

If you would like to learn more about how your organization can comply with the NIS2 Directive or need support implementing security measures—feel free to contact us.
Our team is here to help.
