What you need to know about the NIS2 Directive: 2025 update

The NIS2 Directive is now live. Here’s what to know about the 2025 enforcement, how to check if you're in scope, and what steps to take for compliance—without the overwhelm.

The NIS2 Directive is no longer just a future concern. As of October 2024, it has been fully transposed into national law across the EU. And as of February 28, 2025, affected companies were required to register with national authorities.

If you're working in digital health and haven’t started implementing NIS2, now is the time. Regulators are no longer just issuing guidance—they’re actively monitoring and preparing for audits.

But here's the good news: even if you’re behind, it’s not too late. This guide breaks down what the NIS2 Directive means for digital health startups and SMEs, what actions to prioritize, and how to move forward without panic.

1. Are you “In Scope”? Know your classification

Let’s start with the most important question: Does NIS2 apply to your company?

The directive impacts two main categories:

  • Essential Entities – Hospitals, healthcare providers, digital infrastructure, and public health platforms.
  • Important Entities – SaaS vendors, EHR platforms, cloud service providers, and software providers supporting essential services.

If you're building or operating a cloud-hosted digital health app, managing EHR systems, offering AI-based diagnostics, or even enabling health data processing—you’re likely in scope.

Even if your company isn’t directly delivering care, if you support someone who does, NIS2 likely applies. That includes B2B software, APIs, infrastructure tools, and third-party services.

💡 Pro tip: Don’t self-assess blindly. Consulting with compliance experts or legal counsel helps avoid misclassification and penalties later.

2. Compliance is no longer optional—it’s ongoing

If you registered as required, the next step is implementation. NIS2 isn’t a one-and-done report—it’s a continuous cybersecurity programme.

By now, you should have in place:

  • A documented risk management strategy
  • Incident response plans (including how to report within 24–72 hours)
  • Business continuity and disaster recovery procedures
  • Regular security audits and vulnerability scans
  • Assessments for third-party and supply chain risk

And most importantly: You need to document it all. Regulators may request proof at any time, especially during an audit or after an incident.

💡 Helpful tip: Already GDPR-compliant? You’re halfway there. But NIS2 adds new obligations—especially around supply chain security, timely reporting, and governance.

3. Risk Assessments: more than a checkbox exercise

Risk assessments are a pillar of NIS2 compliance. But unlike older models, NIS2 requires real-time awareness and updates.

Here’s what to include in a robust risk assessment:

  • What digital systems are critical to your service delivery
  • Where your vulnerabilities lie (technical, procedural, human)
  • Who your vendors and third-party providers are—and their risk exposure
  • How you’ll monitor, mitigate, and respond to those risks

Why does this matter? If your cloud provider, payment processor, or analytics tool is breached, you’re still responsible.

📌 Best practice: Schedule periodic reviews, especially after launching new features or expanding into new markets. Treat your risk assessment like a living document, not a PDF buried in a dusty folder.

4. Executives are personally liable

This is where NIS2 gets personal. For the first time in EU cybersecurity law, executives can be held directly accountable.

Leadership can face fines, legal liability, and temporary bans from holding management roles.

Cybersecurity is no longer “just IT’s job.” It’s a board-level concern.

That’s why leadership should:

  • Assign a NIS2 coordinator or lead
  • Involve legal, technical, and operational teams in decision-making
  • Monitor compliance dashboards and key risk indicators

Takeaway: Treat NIS2 like any other critical business risk.

5. How to stay compliant (without losing your mind)

Let’s be honest. For most companies (especially startups and SMEs), compliance can feel like a never-ending checklist, especially when you're also worrying about fundraising, hiring, and scaling.

Here’s how to lighten the load:

  • Reuse existing work from ISO 27001 or GDPR frameworks
  • Use legal-tech platforms to automate compliance documentation and reporting
  • Lean on tools you're already using—like SIEMs, MFA, and SSO

Most importantly: don’t go it alone.

Partnering with experts can help you prioritize what matters, avoid redundant work, and stay focused on your product.

It’s not just about avoiding penalties—it’s about building trust with investors, clients, and regulators.

6. What happens next? Audits, fines, and reputation

As of mid-2025, enforcement is ramping up and regulators are shifting from education to action. That means:

  • Random or targeted compliance audits
  • Requests for documentation, policies, or breach reports
  • Public disclosure of non-compliance, damaging your brand and trust
  • Financial penalties for violations or delays

You can stay audit-ready by:

  • Maintaining a compliance dashboard
  • Keeping incident and risk logs current
  • Reviewing vendor contracts for shared security obligations

💬 Important: Regulators are not “out to get you”—but they do expect honesty, transparency, and a serious effort. Being proactive and prepared makes a big difference.

The time to act

The NIS2 Directive marks a major shift in how Europe views cybersecurity—especially in sensitive sectors like digital health.

It’s no longer enough to be “secure by design.” You must also be compliant by law—and prove it.

✅ If you're unsure whether NIS2 applies to you, seek expert advice.

✅ If you’ve registered but haven’t fully implemented yet, prioritize your incident response, documentation, and executive engagement.

✅ Make risk management a part of your regular operations.

How Chino.io can help you

Chino.io works as your partner to help you solve all privacy, security, and compliance issues. Our unique combination of regulatory expertise, legal know-how, and technical experience helps eliminate compliance risks while saving you money and time.

Book a free consultation and let’s turn NIS2 into your next advantage.
