What is NIS2 and how does it affect SMEs?

Do you know if your company complies with current cybersecurity regulations? The NIS2 Directive is transforming cybersecurity requirements in the European Union. If you are part of strategic sectors or work with mission-critical companies, this regulation may mean new obligations for your business. In this article, we explain everything you need to know about NIS2, from which companies are affected to its main requirements and how to comply.

What is the NIS2 directive?

The NIS2 Directive is an update of the first NIS Directive, adopted in 2016, and seeks to strengthen cybersecurity in Europe. It aims to ensure the resilience of information systems and networks in key sectors, promoting the protection of critical infrastructures against cyber threats. With this new regulation, the EU broadens the scope and tightens the requirements for companies considered essential or important.

What types of entities are subject to the NIS2 directive?

The NIS2 affects two types of entities: essential and important. The criteria for classifying a company in one of these categories depend on its sector, the number of employees and its relevance to the economy and society.

Essential entities

These organizations play a critical role in key sectors such as:

  • Energy: electricity, gas and oil supply.

  • Transportation: management of railway networks, airports and ports.

  • Health: hospitals, clinics, health centers and emergency medical management systems.

  • Water: drinking water treatment and distribution.

  • Digital infrastructures: data centers, cloud service providers and telecommunications networks.

  • Other: banking, space.


Important entities

They include companies that, although not critical, have a relevant impact on the economy or on the provision of services:

  • Postal and courier services.

  • Manufacture of essential products, such as foodstuffs or medicines.

  • Waste management and recycling services.

  • Manufacture of digital products, such as electronic devices.

  • Manufacture, production and distribution of chemical substances and mixtures.

  • Research organizations.

  • Digital service providers.


And are SMEs obliged to comply with it?

Although many SMEs are not directly classified as essential or important, if they are part of the supply chain of these entities, they may be required to comply with NIS2. This includes SMEs that manage critical data or technology services, or that depend directly on critical infrastructure.


When does the directive come into force?

The NIS2 Directive came into force on January 16, 2023. Member States had until October 17, 2024 to transpose it into their national legislation. This means that, as of that date, affected companies must comply with the new requirements.

NIS2 Key Requirements

The NIS2 regulation introduces several obligations to ensure stricter cybersecurity management. These are the main requirements that companies must comply with:

  • Incident management: implement measures including audits, training and controls to mitigate cyber risks. This can range from protection software to internal security policies.

  • Development of continuity plans: includes the planning and implementation of backups and their respective recovery in the event of an incident.

  • Supply chain collaboration: ensure that all partner companies comply with security standards, especially if they handle sensitive information.

  • Evaluation policies and procedures: allow the effectiveness of the measures adopted to be evaluated through frequent audits and tests.

  • Training and cyber hygiene: awareness and continuous learning for the company in order to acquire skills and test them through simulations.

  • Cryptography and information encryption: implementing encryption for information protection, including testing and training.

  • Incident notification: companies must report any significant cybersecurity incident to the authorities within a set maximum timeframe, ensuring a rapid and coordinated response.

  • Assign responsibilities: appoint cybersecurity officers within the organization, ensuring that the measures implemented are effective and comply with standards.

The NIS2 Directive sets a new standard in cybersecurity for businesses in Europe. While it may seem challenging for SMEs, it is an opportunity to strengthen security and confidence in your operations. Preparing for this regulation not only ensures legal compliance, but also protects your business against growing digital threats.

At Glofera we have ProCibera, a multilayered cybersecurity solution managed by experts, designed to help SMEs comply with NIS2. Find out more about how we can simplify this process for your company.

Do you have doubts about how it affects or how to implement measures to comply with NIS2 in your company? Contact us today for free personalized advice. Call us at +34 900 600 300 or write to us at hola@glofera.com. We’re here to help you comply with regulations and protect your business!
