NIS 2 Directive: What you need to know and how to prepare

Find out how the NIS 2 Directive reinforces cybersecurity in the EU and how to anticipate its implementation.

Understanding and complying with the NIS 2 directive

Faced with the increase in cyberattacks and regulatory requirements, the NIS 2 directive is becoming a strategic priority for businesses. Are you ready to face it? Here is a clear and actionable guide to anticipate your obligations.

The NIS 2 directive, introduced by the European Union, marks a decisive turning point in the protection of networks and information systems. This regulation aims not only to strengthen the level of cybersecurity of critical entities, but also to better harmonise measures within the Member States.

However, complying with these new requirements can be a significant challenge for many organizations. This article explains in detail the obligations imposed by the directive, its legislative framework, the entities concerned, as well as the sanctions provided for in case of non-compliance. We will also share practical advice to anticipate new obligations and highlight the advantages that the Egerie platform offers to support you in this transition.

NIS 2 directive: the essentials to remember

  • Harmonized regulations: essential and important entities must strengthen their governance and risk management to meet common requirements at European level.

  • Dissuasive sanctions: in the event of non-compliance, companies are exposed to fines of up to 10 million euros or 2% of global turnover.

  • An imperative of foresight: risk assessment and the establishment of incident reporting procedures must be initiated now, without waiting for full transposition into French law.

What is the NIS 2 directive and what is its role?

The NIS 2 directive, whose name stands for Network and Information Security Directive, is a European Union initiative designed to improve the resilience of critical sectors in the face of growing cyber threats. In 2024, ANSSI (the French National Agency for Information Systems Security) handled 4,386 security events, an increase of 15% compared to the previous year, underlining the urgent need for better protection of networks and information systems.

The NIS 2 directive aims to establish a common regulatory base in the field of cybersecurity, to strengthen cooperation between Member States, and to require companies to assess their vulnerabilities in order to implement appropriate corrective measures.

Its role is to ensure strengthened protection of critical systems — such as energy infrastructures, financial networks or public services — against cyber threats.

It also addresses the limitations of the NIS 1 directive, in particular its lack of harmonization and coherence at European level.

Timeline and legislative framework for NIS 2 compliance

Presented in 2022, the NIS 2 directive had to be transposed into the national laws of the Member States before 17 October 2024. However, many countries, including France, have fallen behind schedule. In May 2025, the European Commission sent a warning to 19 of the 27 Member States for non-compliance with deadlines.

In France, the bill transposing the directive was presented in October 2024, but its final adoption is only expected in the second half of 2025.

In addition, the directive required each state to draw up a list of essential and important entities before April 17, 2025. Unfortunately, this deadline could not be met in some countries, including France. Faced with these delays, ANSSI encourages organizations not to wait for the adoption of national legislation to begin complying with NIS 2.

The role of ANSSI in the application of the NIS 2 directive in France

In France, the National Agency for Information Systems Security (ANSSI) plays a key role in the implementation of the NIS 2 Directive. It acts as the reference body, guiding the entities concerned towards compliance through resources, concrete recommendations and targeted support.

Its field of action has been strengthened: ANSSI is now authorized to carry out mandatory audits, to impose corrective measures, and to impose sanctions in the event of non-compliance with the requirements.

5 tips for successful NIS 2 compliance

The NIS 2 directive introduces major cybersecurity requirements. To stay in compliance and avoid a last-minute regulatory rush, it is best to prepare now. Here are the five key steps to start your transition effectively.

1. Identify if your business is affected

First of all, determine if your organization falls within the scope of the directive. Two criteria should be examined:

  • Your sector of activity

  • The size of your structure

NIS 2 distinguishes between two types of entities:

  • Essential entities, whose activities are vital for society

  • Important entities, with a structuring economic or technological role

For an informed decision, rely on official documents or consult experts. The specifics of each type of entity are detailed later in the article.

2. Put cybersecurity measures in place now

Do not wait for national transposition: the more you anticipate, the more ready you will be. Here are the priority actions to be initiated:

  • Risk management: identify and prioritize vulnerabilities to better address them.
  • Cybersecurity governance: define clear responsibilities, internal policies, and crisis response scenarios.
  • Incident reporting: develop protocols to report any major incident affecting your systems, so that critical issues are handled quickly.

Certain obligations, such as incident reporting, will apply as soon as the law comes into force. Anticipating them spares your teams the strain of scrambling when a cyber threat materializes.

3. Follow ANSSI's communications closely, and facilitate their implementation with Egerie

ANSSI regularly publishes guides, alerts and recommendations to help organizations comply with NIS 2. Subscribe to their official channels and stay up to date on regulatory or technical developments.

Thanks to its integrated monitoring and regular updates, the Egerie platform helps you integrate these requirements into your processes with ease.

4. Consult MonEspaceNIS to guide you

The MonEspaceNIS platform, made available by the authorities, centralizes key information: news, regulatory deadlines, sectoral resources...

A good starting point for understanding the framework and expectations of the directive. But to concretely structure your action plan, monitor your risks, and document your compliance on a daily basis, a dedicated solution like Egerie is becoming essential.

5. Anticipate to strengthen your resilience

More than a constraint, NIS 2 is an opportunity. By mobilizing early:

  • You reduce the risks of non-compliance

  • You strengthen your posture in the face of cyber threats

  • You improve your brand image and the trust of your stakeholders

Adopting a proactive posture today means building the resilience of tomorrow.

Who is affected by the NIS 2 Directive?

The NIS 2 directive applies to a wide and varied range of organizations. These entities are grouped into two main categories: essential entities, which are of paramount importance for the functioning of society, and important entities, which play a complementary role in the socio-economic chain.

  1. Essential entities: strategic sectors

Essential entities include organizations operating in critical sectors that, in the event of disruptions, could have serious consequences for society and the economy. These sectors include:

  • Finance and banks: banking infrastructures play a key role in economic stability and the continuity of transactions.
  • Energy: infrastructures in the energy sector, whether electrical or related to oil and gas, require increased security to avoid service interruptions.
  • Health: hospitals and healthcare delivery systems are particularly vulnerable, due to the critical nature of the data they handle.
  • The public sector: many public administrations must comply with NIS 2 to continue to offer secure services to their users.

These structures must now analyze their information systems to identify weak points that can be exploited by cyberattacks.

  2. Important entities: contribution to global resilience

Important entities operate in varied but no less crucial sectors, although their societal impact is less direct. Here are a few examples of these sectors:

  • Food systems and the supply chain required for them to function.
  • Waste management, essential element in maintaining clean cities and healthy populations.
  • Industrial manufacturing, essential to the economy and trade.

The management teams in these structures must also incorporate the requirements of the directive and establish the processes necessary to protect themselves from cyber risk.

  3. The integration of subcontractors: a central issue of the NIS 2 Directive

One of the major developments introduced by NIS 2 concerns the management of suppliers and subcontractors. Henceforth, any organization involved in the design, maintenance or operation of critical systems is subject to the same cybersecurity obligations as the entities it supports.

This applies in particular to digital service providers, who must ensure a high level of security for the solutions they provide.

This broad approach makes it possible to build collective cyber resilience, by involving all the links in the chain, from contractors to subcontractors. Building a secure and coherent ecosystem is essential to comply with the directive and limit potential attack surfaces.

What are the penalties for non-compliance with NIS 2?

To ensure that businesses take their cybersecurity responsibilities seriously, the NIS 2 directive introduces a particularly dissuasive penalty system.

These measures go well beyond financial fines: they can also affect managers in person, and damage the reputation of non-compliant organizations.

Here is an overview of the main sanctions planned.

Financial sanctions due to non-compliance with the European NIS 2 Directive

For essential entities (EEs), which play a critical role in societal stability, financial sanctions can reach up to 10 million euros or 2% of global annual turnover. This high threshold reflects the severity of the potential consequences of non-compliance in these sectors.

In contrast, important entities (IEs), although subject to lighter requirements, also incur financial penalties. The ceiling for these fines is lower than that of EEs, but remains a deterrent to ensure compliance with the European directive.

Responsibilities of managers

The NIS 2 directive places particular emphasis on the direct involvement of managers in the cybersecurity of their organization.

They are now required to take mandatory training, in order to master their legal obligations and the best practices to be applied to protect critical systems.

In the event of a serious breach, the consequences can be serious: managers may be subject to a temporary ban from exercising executive functions, with a direct impact on their careers and corporate governance.

Other coercive measures of the NIS 2 directive

In addition to individual fines and sanctions, several other measures are included as part of NIS 2.

  • Businesses could be subject to mandatory audits in order to verify the conformity of their practices.
  • The non-conformities found could be published, exposing the organization to a loss of trust with its partners and customers.
  • Finally, compliance orders could be imposed within a strict time frame, with increased penalties in case of failure.

What impact will the NIS 2 Directive have on your business?

Compliance with NIS 2 goes beyond the simple regulatory framework. It is a strategic lever for profoundly transforming the digital governance, risk management and cybersecurity culture of organizations.

The result: lasting benefits in terms of performance, resilience and reputation.

A more structured cybersecurity governance

The directive imposes rigorous governance. This involves:

  • The formalization of internal policies

  • The clear appointment of cybersecurity managers

  • The establishment of monitoring and continuous improvement systems

Cybersecurity is becoming a transversal pillar of the organization, integrated into decision-making processes, human resources and IT projects. This global approach makes it possible to involve all employees — not just technical experts.

A strengthened incident reporting system

NIS 2 requires that any major incident be notified within strict deadlines (24 hours for an initial alert, 72 hours for a complete report).
These obligations require:

  • Responsive detection processes

  • Seamless communication with the competent authorities

  • Well-established internal coordination

Objective: improve reactivity in the face of cyberattacks and promote the sharing of information to avoid the repetition of incidents.

A necessary investment in human and technical resources

Compliance involves means:

  • Recruiting or training qualified profiles in cybersecurity

  • Acquisition of robust technological solutions to prevent, detect, and respond to threats

  • Setting up dashboards and monitoring indicators

These investments are not sunk costs, but factors of long-term competitiveness.

A strategic opportunity not to be underestimated

The NIS 2 directive imposes more rigorous cybersecurity governance. Companies must now formalize their internal policies, designate clearly identified managers and set up monitoring mechanisms for continuous improvement. Cybersecurity is no longer limited to the technical tool or the IT service: it is becoming a strategic component of the organization. It is integrated into decision-making processes, IT projects and corporate culture, thus mobilizing all teams.

This transversal approach promotes the involvement of all employees and strengthens the company's capacity to prevent and manage cyber threats in a coordinated and sustainable manner.

Comparison of the NIS 2 Directive with other European regulations

The NIS 2 Directive is part of a rapidly evolving European regulatory ecosystem, designed to respond to the increasing complexity of cyber threats. To fully understand its scope, it is useful to place it in relation to other texts in force.

From NIS 1 to NIS 2: a change of scale

Adopted in 2016, the NIS 1 directive laid the groundwork for a common cybersecurity framework. However, its uneven application from one Member State to another led to significant disparities in the levels of requirements and their practical implementation.

The NIS 2 directive was designed to fill these gaps. It reinforces the obligations of the entities concerned, broadens the scope of sectors subject to regulation and introduces significantly more dissuasive sanctioning mechanisms. One of its foundations is increased cooperation between Member States, in particular through the exchange of information and strengthened coordination at European level.

NIS 2 and DORA: cybersecurity and resilience for the financial sector

The DORA regulation (Digital Operational Resilience Act), although focused specifically on the financial sector, pursues objectives similar to those of the NIS 2 directive. It aims to ensure that banks, insurance companies, and other financial institutions can maintain their operations, even in the event of a major IT incident. DORA thus complements NIS 2 by providing a precise framework for operational resilience specific to this sector. Together, these two instruments contribute to strengthening the security of the European digital ecosystem, by protecting both critical infrastructures and the continuity of financial services.

NIS 2 and the CRA (Cyber Resilience Act): two complementary approaches to cybersecurity

The CRA, or Cyber Resilience Act, introduces a regulatory framework designed to strengthen the security of digital products, whether they are software, connected devices or equipment that integrates digital components.

Unlike the NIS 2 directive, which focuses on organizational cybersecurity and entity-level risk management, the CRA focuses on the intrinsic robustness of the products themselves. These two texts therefore fully complement each other: NIS 2 protects systems and operations, while the CRA guarantees the reliability of the tools that compose them.

NIS 2 and the CER Directive (Critical Entities Resilience)

The CER Directive aims to strengthen the physical and organizational resilience of critical infrastructures, such as energy, transport, water networks or even space infrastructures.

Its approach differs from that of NIS 2, which focuses primarily on the security of information systems. However, areas of intersection exist: critical entities often have to meet both digital requirements (NIS 2) and physical or organizational requirements (CER).

For example, a company in the energy sector will have to secure its computer systems while guaranteeing the physical continuity of its operations in the face of various threats (natural disasters, malicious acts, etc.).

The two texts thus complement each other to ensure comprehensive protection of the vital functions of society.

How do you prepare for NIS 2 compliance?

To successfully transition to NIS 2, it is essential to adopt a structured approach based on industry best practices. Here are the four key steps you can take right now.

  1. Conduct an initial audit of your cybersecurity posture

Start by assessing your current maturity level. An audit of your current systems and governance helps identify the differences between your existing practices and the requirements of the NIS 2 Directive. This will allow corrective actions to be prioritized.

The ISO 27001 standard provides an excellent framework for structuring this assessment and laying the foundations for an information security management system.

  2. Define risk management and incident response policies

Put in place clear policies to identify, prioritize, and address cyber risks. Also, prepare responsive procedures for managing incidents and reporting them to the appropriate authorities in a timely manner.

These approaches can be based on the ISO 27005 standard, which provides a proven methodology for managing information security risks.

  3. Train your teams and involve management

Make all your employees, including managers, aware of the obligations of the directive. Training makes it possible to anchor a cybersecurity culture throughout the organization and to ensure better responsiveness in the event of an incident.

  4. Structure your governance and incident reporting processes

Define clear governance: roles, responsibilities, follow-up processes. Ensure that incidents are detected, documented and reported within the required time frame (24 to 72 hours). Again, ISO standards can be used as a basis for documenting and making your processes reliable.

NIS 2 directive: why act without delay?

Anticipating compliance with NIS 2 means both limiting risks and seizing a strategic transformation opportunity. Here is why it is crucial not to wait until the last minute.

Reducing the risk of sanctions

The directive provides for severe financial sanctions, as well as potential impacts on governance and reputation. By complying early, you will minimize these risks while securing the trust of your stakeholders.

Anticipate the efforts to be made

Complying with NIS 2 involves significant efforts: mobilizing human resources, adapting your tools, structuring your processes. By starting early, you spread these efforts over time and avoid the tensions associated with late preparation.

Strengthen your business continuity

Adopting a solid cybersecurity posture now allows you to better deal with incidents. You protect your assets, your operational flows, and ensure the continuity of your services, even in critical situations.

Taking action today means gaining peace of mind, efficiency, and resilience.

Anticipate with Egerie: manage your NIS 2 compliance with confidence

Faced with the increasing complexity of regulatory requirements, Egerie supports you in complying with the NIS 2 directive thanks to an intuitive, structured and automated platform.

Designed for organizations that want to master their cybersecurity governance, Egerie centralizes and simplifies all your procedures, from risk assessment to the production of evidence of compliance.

Key features:

  • Automated risk mapping: identify, visualize, and prioritize cyber risks dynamically and collaboratively.

  • Contextualized action plans: build plans adapted to your business, monitor their progress, and ensure their alignment with NIS 2 requirements.

  • Real-time dashboards: manage your compliance level with clear indicators that are automatically updated.

Want to assess your compliance level? Request a free demo now to start this transition with confidence.

FAQ: your questions about the NIS 2 directive

What are the main obligations introduced by NIS 2?

Businesses need to put in place measures such as proactive risk management, monitoring incidents and reporting them to the competent authorities in a timely manner, as well as strengthened governance, including the continuous training of teams.

In the event of a cyberattack, what are the reporting deadlines?

Critical incidents should be:

  • Reported within 24 hours to the competent authorities (ANSSI and the CSIRT)
  • Declared with a detailed report within 72 hours.

How does the NIS 2 directive impact subcontractors?

Subcontractors of essential and important entities are also subject to the requirements of the Directive. They must guarantee a level of cybersecurity equivalent to that imposed on their clients.

In summary, anticipating and structuring your NIS 2 compliance procedures with solutions like Egerie is essential to meet the growing challenges of cybersecurity while limiting business interruptions.

How much does it cost to comply with the NIS 2 directive?

The cost of complying with NIS 2 varies depending on the size of the company, its industry, and its current level of readiness. Expenses generally include:

  • Initial audits and variance analyses.
  • Investments in cybersecurity and risk management tools.
  • Training of teams and managers.
  • Strengthening IT infrastructures.

While these costs may seem significant in the short term, they remain significantly lower than the consequences of non-compliance: financial sanctions, reputational damage, business interruption.

Equipping yourself with a solution like Egerie today allows you to optimize investments and effectively manage your compliance efforts.

Is the NIS 2 directive compatible with ISO standards?

Yes. The ISO 27001 (information security management systems) and ISO 27005 (risk management) standards are recognized frameworks for meeting the requirements of the directive, in particular on governance, vulnerability management and action documentation.
