
NIS 2 Directive: Raising the cybersecurity bar

Discover the NIS 2 Directive, the EU's cybersecurity regulation aimed at strengthening resilience across critical sectors. Learn key provisions and compliance steps.

The ever-growing reliance on digital infrastructure has made cybersecurity a top priority for organisations across Europe. To address emerging threats and vulnerabilities, the European Union (EU) has adopted the Network and Information Systems (NIS) 2 Directive, a revised and expanded framework aimed at strengthening the cybersecurity of critical and essential entities.

Building on the original NIS Directive, NIS 2 introduces stricter requirements, broader coverage, and enhanced enforcement measures to create a more resilient digital ecosystem across member states.

What is the NIS 2 Directive?

The NIS 2 Directive is the EU’s flagship regulation for managing cybersecurity risks in critical sectors. It replaces the original NIS Directive (2016) and reflects lessons learned from its implementation, as well as the evolving threat landscape.

NIS 2 establishes mandatory cybersecurity measures for a wide range of sectors and entities, ensuring a harmonised approach to risk management, incident reporting, and resilience across the EU.

Key provisions of NIS 2

The NIS 2 Directive introduces several enhancements compared to its predecessor:

  • Broader scope: NIS 2 applies to additional sectors, including healthcare, waste management, manufacturing, and digital providers. It also covers medium-sized and large businesses, making more entities accountable for cybersecurity.
    Annexes I and II list the sectors of high criticality and the other critical sectors, respectively. Whether a given company falls within scope depends on its sector, activity, and size.
  • Stricter governance requirements: Organisations must designate a cybersecurity officer, implement comprehensive risk management policies, and ensure that leadership is directly involved in cybersecurity governance.
  • Enhanced incident reporting:
    • Notification within 24 hours: Entities must report significant cyber incidents to relevant authorities within 24 hours.
    • Follow-up reports must include detailed assessments of the incident and mitigation measures.
  • Harmonised penalties: The directive standardises fines across the EU, with penalties reaching €10 million or 2% of global annual turnover, whichever is higher.
  • Supply chain security: NIS 2 emphasises securing the entire supply chain by holding organisations accountable for the cybersecurity practices of their third-party vendors.

Steps to prepare for NIS 2 compliance

To align with the NIS 2 Directive, organisations should take the following actions:

  • Perform a compliance gap analysis: Assess existing cybersecurity practices and identify gaps relative to NIS 2 requirements.
  • Enhance governance structures: Appoint a dedicated cybersecurity officer and establish clear roles and responsibilities for cyber risk management.
  • Strengthen incident detection and reporting: Implement advanced threat detection tools and ensure compliance with the 24-hour reporting window.
  • Secure supply chains: Collaborate with third-party vendors to ensure they meet NIS 2 standards, reducing systemic risks.
  • Invest in staff training: Provide ongoing cybersecurity training for employees, particularly those in critical roles, to improve organisational resilience.
  • Engage with authorities: Build relationships with national cybersecurity agencies to streamline compliance and incident response processes.

Conclusion

The NIS 2 Directive represents a significant step forward in the EU’s efforts to create a unified, resilient approach to cybersecurity. By setting higher standards for risk management, governance, and supply chain security, the directive aims to protect critical infrastructure and ensure the stability of important European services in an increasingly digital world.

Organisations that take proactive steps to comply with NIS 2 will not only mitigate risks but also position themselves as trusted leaders in their industries. With deadlines for implementation approaching, now is the time to act — and to build a more secure and sustainable digital future.

To learn more, contact a Marsh representative.

The article is for information purposes only. Marsh makes no representation or warranty as to its accuracy. Marsh shall have no obligation to update the article and shall have no liability to any party arising out of this document or any matter contained herein. Any statements concerning actuarial, tax, accounting, labour, or legal matters are based solely on our experience as insurance brokers and risk consultants and are not to be relied upon as actuarial, tax, accounting, labour, or legal advice, for which clients should consult their own professional advisers. Any analysis and information are subject to inherent uncertainty, and the article could be materially affected if any underlying assumptions, conditions, information, or factors are inaccurate or incomplete or should change. Although Marsh may provide advice and recommendations, all decisions regarding the measures that should be adopted are the ultimate responsibility of the client.