Cyprus adopts NIS2 Directive: Key updates in 2025 cybersecurity law
Who is affected by the NIS2 Law?
The NIS2 Law now covers a broader set of entities, categorised as "essential" or "important". This classification is generally based on a size-cap rule that brings in medium and large enterprises in designated critical sectors, such as energy and digital infrastructure providers, public utilities, healthcare institutions and government services. However, size is irrelevant for certain key types of entities providing vital digital services, such as trust service providers, cloud computing and data centres.
What are the key obligations?
The NIS2 Law imposes several crucial obligations on covered entities, designed to boost overall cyber resilience:
- Enhanced security provisions: Organisations are required to implement state-of-the-art risk management and security measures, including encryption practices, supply-chain security protocols, and robust incident response frameworks.
- Strict incident reporting requirements: Affected entities must formally report "significant cybersecurity incidents" within precise timelines, such as an initial notification within six hours and a full notification within 72 hours.
- Supervision and enforcement: National authorities are empowered to supervise compliance through measures like information requests and inspections.
- Penalties: To enforce compliance, the legislation introduces administrative fines for non-compliance of up to €10 million or 2 per cent of global annual turnover for essential entities, and up to €7 million or 1.4 per cent for important entities, whichever is higher.
Strengthened governance framework
The NIS2 Law formalises governance structures, including the roles and responsibilities of national authorities tasked with cybersecurity oversight. It also establishes single points of contact for incident reporting and sets up enhanced cooperation mechanisms with EU agencies such as ENISA (European Union Agency for Cybersecurity).
Encouraging proactive industry measures
With mandatory compliance now expanded to additional sectors, organisations across diverse industries are motivated to proactively review and improve their cybersecurity practices. The standardised guidelines foster a culture of accountability, reducing vulnerabilities across the board.
Next steps for organisations
All entities subject to the provisions of the new law need to act swiftly to ensure compliance. Key actions include:
- Conducting a compliance audit: Assess current cybersecurity measures against the law's new requirements.
- Enhancing risk management: Implement supply chain risk assessments, encryption protocols, and incident response plans.
- Strengthening employee training: Offer regular cybersecurity training for staff and leadership teams to build preparedness.
- Considering representation: If your entity is not established in the EU but offers services here, ensure you have designated a representative.
How we can help
Navigating the complexities of new cybersecurity legislation can be challenging. Our team is here to assist you in understanding whether your entity falls within the scope of the amended law, assessing your current compliance level, and developing or updating the necessary policies and procedures to meet the new requirements.
The NIS2 Directive can be found here.
The NIS2 Law can be found here (in Greek).