Introduction
Imagine waking up to find a major hospital’s IT systems locked down, surgeries postponed, and patient data compromised. It’s not science fiction—it’s a stark reality we’ve already witnessed across Europe, including in Italy. And your business, whether in digital health, cloud services, or public administration, could be next.
Enter the NIS2 Directive, the European Union’s most ambitious cybersecurity legislation to date. Set to take full effect by January 2025, NIS2 replaces its predecessor (NIS1) and redefines what it means to be secure and compliant by design. (Read more about the implementation deadlines here)
With expanded sector coverage, 24-hour incident reporting, and penalties reaching €10 million, this isn’t just another regulatory update. It’s a wake-up call and a window of opportunity.
In this article, we’ll unpack NIS2 in plain language. You’ll learn what’s changed, what it means for your sector, and how to turn compliance into a competitive advantage.
What is NIS2? Why it matters more than ever
The original NIS Directive (NIS1) was launched in 2016 to boost cybersecurity across essential services. But it quickly became clear: it wasn’t enough.
Cyberattacks evolved. Supply chains grew more digital. And sectors like healthcare and cloud infrastructure weren’t even in scope. Enter NIS2, the EU’s next-generation response.
What makes NIS2 different?
- Expanded scope: From 7 sectors to 18, including digital infrastructure, B2B ICT, healthcare, and public administration.
- Stricter obligations: Mandatory 24-hour incident reporting and harmonised penalties across all EU member states.
- Real accountability: Boards and C-level executives are now responsible for cybersecurity governance.
- SMEs in the spotlight: Medium-sized companies in critical sectors or supply chains are no longer exempt.
Why now? Because the EU wants to build a more secure digital future. And because cyber threats don’t stop at borders, or at big corporations.
If you want an overview of NIS2, make sure to read our blog post!
Who does NIS2 apply to?
NIS2 applies in the following sectors:
- Healthcare
- Energy
- Transport
- Banking and financial market infrastructures
- Drinking and waste water
- Digital infrastructure (e.g., cloud, DNS, data centres)
- Public administration (national, regional, local)
- B2B ICT and managed service providers
The directive classifies businesses as either:
- Essential Entities (EEs) – critical to national and societal functions.
- Important Entities (IEs) – significant for economic and digital continuity.
Even if you're a medium-sized SaaS provider, if your platform supports a hospital, government service, or essential utility, you're likely covered.
💡 Key takeaway: Over 10,000 new organizations will be regulated under NIS2. If your sector wasn’t regulated before, assume it is now.
NIS2 across the EU
It’s important to remember that while NIS2 sets EU-wide standards, each country is responsible for its own national implementation. Member States were expected to adopt the directive into their national laws by the end of 2024, each following its own timeline (for example, Italy and Germany).
The core requirements under NIS2
NIS2 focuses on proactive, continuous cybersecurity. That means organisations must prove they can prevent, detect, respond to, and recover from cyber incidents.
Here’s what’s required:
1. Risk Management
You need technical and organizational safeguards, such as:
- Network and system security
- Access controls and encryption
- Patch management and vulnerability scans
- Supply chain security reviews
2. Incident Reporting
NIS2 introduces a 24-hour deadline for notifying authorities of a “significant incident.” This includes:
- Major service disruptions
- Security breaches with financial or operational impact
- Incidents that affect other organisations downstream
Follow-up reports are due at 72 hours and one month. That’s fast—your team needs to be ready.
Read more about Incident Reporting in our article!
3. Governance and Accountability
Top leadership isn’t off the hook. Boards must:
- Oversee risk management strategy
- Approve cybersecurity policies
- Undergo regular training
Compliance is now a C-level responsibility, not just an IT task.
4. Continuous Compliance
Forget one-time audits. NIS2 demands ongoing reviews, training, and monitoring. It’s a shift in mindset—from checkbox compliance to security as a core business function.
Penalties: What’s at stake?
If you think the EU won’t enforce NIS2, think again.
Non-compliance can result in:
- Fines up to €10 million, or
- 2% of global annual turnover, whichever is higher.
And unlike NIS1, enforcement will be consistent across EU member states, thanks to coordination from ENISA (the EU cybersecurity agency).
💡 No more patchwork rules. If you operate in multiple EU countries, you now face a unified standard—and a single level of expectation.
Your compliance roadmap: Five steps to start with
To avoid scrambling, you need to act now. Here’s a simple five-step roadmap:
1. Conduct a readiness assessment
Map your current cybersecurity posture against NIS2 requirements with our self-assessment. Identify gaps in policies, systems, and incident workflows.
2. Update policies and procedures
Ensure your documentation aligns with the directive, from risk analysis to data recovery to supplier controls.
3. Establish incident response plans
Create clear, tested playbooks for 24-hour notification. Build internal workflows to escalate incidents fast.
4. Train your workforce
From executives to IT to operations—everyone must understand their role in cybersecurity.
5. Engage your supply chain
Your compliance depends on your vendors. Audit and contractually require that suppliers follow NIS2-aligned practices.
NIS2 vs. GDPR: How are they different?
They’re complementary but distinct.
Think of it this way: GDPR protects privacy. NIS2 protects availability and integrity. Both are essential for digital trust.
Looking ahead: The broader impact of NIS2
Why take action now? Because proactive compliance delivers real benefits:
- Market access: Many public and private contracts will require NIS2 proof.
- Investor confidence: Strong cyber governance boosts valuations and M&A appeal.
- Operational resilience: Fewer service outages and faster recovery when attacks hit.
- Brand trust: Clients and customers want evidence of security, not just promises.
The directive is also driving innovation—expect to see a rise in compliance tech, cyber insurance offerings, and risk-assessment automation.
Compliance as your competitive advantage
The NIS2 Directive isn’t just about avoiding fines. It’s a strategic opportunity to build resilience, enhance trust, and lead confidently into Europe’s digital future.
So, where should you start?
✅ Map your compliance status—identify gaps early
✅ Engage your board—make cybersecurity a leadership priority
✅ Prepare your team—train for readiness, not reaction
✅ Align with partners—compliance is a shared responsibility
✅ Automate wisely—use tools to streamline monitoring and reporting
The bottom line: Waiting is not a strategy. The earlier you act, the stronger your position when enforcement begins in 2025.
How Chino.io can help you
Chino.io works as your partner to help you solve all privacy, security, and compliance issues. Our unique combination of regulatory expertise, legal know-how, and technical experience helps eliminate compliance risks while saving you money and time.
Book a free consultation and let’s turn NIS2 into your next advantage.