NIS2 Directive - Essential for Your Business
The NIS2 directive has a major impact on SME businesses. What do you need to know, does it apply to you, and how do you prepare?
The NIS2 directive is the new European cybersecurity legislation that has major consequences for far more businesses than you might think. As an SME entrepreneur, you may also be affected - directly or indirectly.
What is the NIS2 directive?
NIS stands for Network and Information Security. NIS2 is the successor to the first NIS directive from 2016 and is considerably stricter.
| Aspect | NIS1 (2016) |
|---|---|
| Sectors | Limited (energy, transport) |
| Company size | Large companies |
| Fines | Relatively low |
| Liability | Organisation |
| Reporting obligation | General |
Why is NIS2 needed?
Cyber attacks are increasing every year, both in number and severity.
| Figure | What it measures |
|---|---|
| +38% | More attacks in 2024 vs 2023 |
| EUR 50,000+ | Average damage from ransomware at an SME |
| 21 days | Average downtime |
Does NIS2 apply to you?
This is the crucial question. NIS2 distinguishes between two categories.
Essential entities
| Sector | Examples |
|---|---|
| Energy | Electricity, gas, oil |
| Transport | Aviation, rail, water |
| Banking | Banks, payment services |
| Healthcare | Hospitals, labs |
| Digital infrastructure | Data centres, DNS, TLDs |
Important entities
| Sector | Examples |
|---|---|
| Post and couriers | Parcel services |
| Waste management | Waste processors |
| Food | Production and distribution |
| Manufacturing | Medical devices, machinery |
| Digital services | IT managers, MSPs, cloud |
What about SMEs?
What do you need to arrange for NIS2?
The directive does not prescribe specific technical measures, but rather "appropriate and proportionate" security measures.
| Measure | What it means |
|---|---|
| Risk analysis and policy | Know your risks and base your policy on them |
| Incident handling | Procedures for detection, analysis and reporting within 24 hours |
| Business continuity | Backups, disaster recovery, crisis management |
| Supply chain security | Set requirements for suppliers and assess them |
| Technical measures | MFA, encryption, access management, vulnerability management |
| Awareness and training | Train employees and directors |
Technical measures in detail
Read more about multi-factor authentication.
The fines are no joke
| Category | Maximum fine |
|---|---|
| Essential entities | EUR 10M or 2% of global turnover, whichever is higher |
| Important entities | EUR 7M or 1.4% of turnover |
| Repeated violations | Cumulatively higher |
How do you prepare?
| Step | Action |
|---|---|
| 1. Determine if NIS2 applies to you | Check your sector, your size, and whether your clients fall under NIS2 |
| 2. Conduct a baseline assessment | What measures do you already have? Where are the gaps? |
| 3. Create a plan | Prioritise based on risk and impact |
| 4. Implement in phases | Start with the basics: MFA, backups, awareness |
| 5. Organise governance | Assign responsibility and involve management |
| 6. Stay up to date | Plan periodic reviews and audits |
Quick wins to get started
The link with other regulations
NIS2 does not stand alone. It relates to other regulations.
| Regulation | Overlap with NIS2 |
|---|---|
| GDPR | Privacy and security overlap |
| DORA | Financial sector |
| ISO 27001 | Information security |
| BIO | Government |
What does this mean for you as an SME entrepreneur?
Need help?
At Barion, we help SME businesses with NIS2 preparation. From assessment to implementation, from training to continuous monitoring.
Barion Team
IT specialists making complex technology understandable for SME entrepreneurs.