NIS2 Directive (II): Cyber Security obligations and their impact on European businesses

June 24, 2025

The NIS2 Directive significantly expands the scope of cybersecurity obligations for companies and organizations, public and private, across a wide range of sectors in the European Union. Size still matters, however: as a rule the directive applies to medium and large entities operating in the sectors listed in its Annexes I and II, and it refers to Commission Recommendation 2003/361/EC for the size thresholds (micro, small, medium and large) used to draw that line.

It is important to note that smaller organizations are not excluded outright. Certain types of entity fall within scope regardless of size (for example providers of public electronic communications networks or services, trust service providers, TLD name registries and DNS service providers), and a small or micro entity can be brought into scope where it is the sole provider of a service essential to society or the economy, where a disruption of its service could have a significant impact on public safety, security or health, or where it is considered critical at national or regional level. The result is that compliance is required not only of large organizations but of any company that plays an essential role in society, whichever of the highly critical sectors or other critical sectors it operates in.

You may be wondering: how does this affect me, and how is my organization subject to this regulation?

Impact of the NIS2 Directive on companies by size and sector

This depends on the distinctions established in Annex I (sectors of high criticality) and Annex II (other critical sectors), combined with the type of service provided, its criticality and the size of the entity. Broadly speaking, in-scope organizations fall into two categories: essential entities (in general, large entities in Annex I sectors, plus the entity types the directive designates irrespective of size) and important entities (the remaining in-scope entities, typically medium-sized entities in Annex I sectors and medium and large entities in Annex II sectors). It is worth highlighting that small and micro enterprises are, as a rule, outside the scope unless they meet one of the specific criteria set out in the directive, so SMEs that do not play a critical role in the national or EU-wide security landscape are largely exempt rather than merely subject to lighter requirements.

Essential entities, which are typically the larger companies, face tighter supervision: regular and targeted audits, on-site and off-site inspections, higher maximum fines, and a direct liability regime for senior management in cybersecurity matters. Incident-reporting deadlines, by contrast, are the same for both categories; what changes with classification is the intensity of oversight and the sanctions, not the reporting clock.

Cybersecurity control measures follow a risk-based approach, requiring organizations to implement technical, operational and organizational controls. Article 21(2) of the directive sets out the minimum measures every in-scope entity must cover: policies on risk analysis and information system security; incident handling; business continuity (backup management and disaster recovery) and crisis management; supply chain security, including the security-related aspects of relationships with direct suppliers and service providers; security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate.

All measures must be proportionate, taking into account the entity's exposure to risk, its size, the cost of implementation, and the likelihood of incidents and their severity, including their societal and economic impact. They must also reflect the state of the art and, where applicable, relevant European and international standards.

Proportional measures and the management of significant incidents

Essential entities are subject to greater regulatory scrutiny: supervision is both proactive and reactive, and may include regular and targeted audits, on-site and off-site inspections, ad hoc audits after a significant incident, security scans and requests for evidence that the measures have been implemented. Important entities must meet the same security measures and the same incident-reporting obligations, but they are supervised only reactively (ex post), that is, when the competent authority has evidence or indications that the entity is not complying.

In terms of incident management, an incident is considered significant if it has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Notification obligations to the CSIRT or competent authority are staged as follows: an early warning within 24 hours of becoming aware of a significant incident, indicating where applicable whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact; an incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise; an intermediate status report on request; and a final report within one month of the incident notification, covering a detailed description of the incident and its severity, the type of threat or likely root cause, the mitigation measures applied and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. Where appropriate, recipients of the affected services must also be informed without undue delay.

It is worth noting that the 24-hour early-warning requirement compels organizations to enhance their detection and response capabilities, since an incident cannot be reported within a day if it takes days to notice it. This highlights the need for increased investment in Security Operations Centers (SOCs), logging and monitoring, and threat intelligence.

NIS2’s impact on organizations and cybersecurity management

Non-compliance penalties are severe. For essential entities, Member States must provide for administrative fines with a maximum of at least €10 million or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher; for important entities, a maximum of at least €7 million or 1.4% of turnover, whichever is higher.

At the same time, the directive makes management bodies responsible for approving the cybersecurity risk-management measures, overseeing their implementation and undergoing regular training. Members of those bodies can be held liable under national law for infringements, and for essential entities the competent authorities may request that senior managers at chief executive officer or legal representative level be temporarily prohibited from exercising managerial functions until the non-compliance is remedied.

This aligns cybersecurity with corporate governance, forcing executives to prioritize security investment and risk management rather than delegating them entirely to the IT function.

As a result, complying with NIS2 requires a strategic shift in how Cyber Security investment is managed, encouraging greater spending on cyber risk management, advanced security technologies, third- and fourth-party (supplier and sub-supplier) assessments, compliance teams, and Cyber Security talent development.

At first glance, large enterprises are better positioned to absorb these costs. However, smaller companies often face financial pressure and uncertainty due to the need for specialized personnel, cybersecurity infrastructure, and legal services.

That said, the long-term benefits include stronger cyber resilience, reduced risk of financial losses from breaches, and enhanced stakeholder trust.

MORE FROM THIS SERIES

NIS2 Directive (I): Rethinking Cyber Security in a complex and hyperconnected context
NIS2 Directive (III): Main obligations, security measures and key requirements
NIS2 Directive (IV): the cost of non-compliance in Cyber Security