NIS2 Directive (II): Cyber Security obligations and their impact on European businesses
The NIS2 Directive significantly expands the scope of cybersecurity obligations for companies and organizations, covering a wide range of industries and sectors across the European Union, regardless of their size (micro, small, medium or large) or whether they are public or private. For this reason, the directive refers to Recommendation 2003/361/EC to define the scope of application.
It’s important to note that some smaller organizations are included, as the directive addresses both highly critical sectors and other critical sectors, where factors such as national security or economic stability are relevant, regardless of company size. Furthermore, it ensures that not only large organizations but also companies that play an essential role in society must comply with strict cybersecurity controls.
You may be wondering: how does this affect me, and how is my organization subject to this regulation?
Impact of the NIS2 Directive on companies by size and sector
This depends on the distinctions established in Annexes I and II, based on the criticality of the sector, the type of service, the size of the organization, and other variables. Broadly speaking, organizations fall under two categories: essential entities or important entities. It’s worth highlighting that although the requirements are strict, partial exemptions apply to SMEs that do not play a critical role in the national or EU-wide security landscape.
Larger companies, depending on their classification, are subject to more frequent audits, tighter deadlines for cyber incident reporting, and a direct professional liability regime for senior management in cybersecurity-related incidents.
■ It’s important to highlight that while SMEs that are part of critical infrastructure or supply chains may generally be required to comply with the directive depending on their sector and risk level, micro and small businesses are usually exempt, unless they provide critical infrastructure or services.

Cybersecurity control measures follow a risk-based approach, requiring organizations to implement technical, organizational, and governance controls, including:

All measures must be proportional, based on risk, size, cost, impact, and severity of the incidents. They must also consider technical aspects and, where applicable, relevant European and international standards.
Proportional measures and the management of significant incidents
Essential entities are subject to greater regulatory scrutiny, including on-site audits, detailed risk assessments, and direct enforcement actions. Meanwhile, important entities must meet the same cybersecurity standards, but with less frequent monitoring and reporting obligations.
In terms of incident management, an incident is considered significant if it has caused or may cause major operational disruptions or economic losses, or if it has affected or may affect other individuals or legal entities by causing material or immaterial damage.
Notification obligations are as follows:

It is worth noting that the 24-hour notification requirement compels organizations to enhance their monitoring and response capabilities, highlighting the need for increased investment in Security Operations Centers (SOCs) and threat intelligence.
■ Smaller organizations may face challenges meeting this requirement, potentially leading to compliance risks and sanctions.
NIS2’s impact on organizations and cybersecurity management
Severe non-compliance penalties include fines of up to €10 million or 2% of global turnover for essential entities, and €7 million or 1.4% of turnover for important entities.
At the same time, C-suite executives and board members can be held personally liable — professional civil liability — for failing to implement cybersecurity measures, and may even be temporarily disqualified from holding leadership roles.
This, in turn, aligns cybersecurity with corporate governance, forcing executives to prioritize security investment and risk management.
As a result, complying with NIS2 requires a strategic shift in how Cyber Security investment is managed, encouraging greater investment in cyber risk management, advanced security technologies, third- and fourth-party assessments, compliance teams, and Cyber Security talent development.
At first glance, large enterprises are better positioned to absorb these costs. However, smaller companies often face financial pressure and uncertainty due to the need for specialized personnel, cybersecurity infrastructure, and legal services.
That said, the long-term benefits include stronger cyber resilience, reduced risk of financial losses from breaches, and enhanced stakeholder trust.
■ The NIS2 Directive strengthens cyber resilience capabilities and enhances supply chain security while reducing exposure to cyber threats from third countries. The directive influences cybersecurity policy beyond EU borders.