The NIS2 Directive (Directive (EU) 2022/2555) is a comprehensive cybersecurity regulation aimed at strengthening the resilience of critical infrastructure across the EU. It expands on the original NIS Directive, widening its scope, imposing stricter security requirements, and enhancing enforcement mechanisms.
NIS2 Directive (Directive (EU) 2022/2555)
The NIS2 Directive replaces the original NIS Directive (Directive (EU) 2016/1148) and strengthens cybersecurity across the EU by imposing stricter requirements for risk management, incident reporting, supply chain security and enforcement. It aims to improve the resilience and security of critical networks and information systems so that organisations are better protected against cyber threats. The directive introduces tougher enforcement mechanisms, including significant fines and personal liability for senior management, to drive compliance and raise overall cybersecurity preparedness.
Scope of NIS2
NIS2 significantly broadens the sectors and entities that must comply, encompassing "essential" and "important" entities across a wide range of industries. These include, among others, energy, postal and courier services, healthcare, financial services, ICT service management, public administration, digital infrastructure and waste management. Notably, through its supply chain security obligations, NIS2 also reaches the suppliers and service providers of entities in these sectors.
The goal is to secure networks and information systems that are vital to public safety, economic stability, and national security.
Supply chain due diligence
In addition to the broadened scope, NIS2 introduces stringent supply chain due diligence requirements. Organisations must ensure that their service providers, particularly in critical sectors, meet adequate cybersecurity standards. This means that organisations must not only assess the vulnerabilities of their own systems but also vet their third-party vendors and contractors, verifying their security practices and ensuring that they do not introduce vulnerabilities into the supply chain.
Essential and important entities
NIS2 distinguishes between "essential entities" and "important entities" based on how critical the entities are to their sector, the services they provide, and their size.
This distinction matters because the regulatory requirements and obligations differ for essential and important entities. However, determining whether a specific organisation falls into either category can be complex. In some cases, the classification of essential entities is left to individual Member States, although they must adhere to the criteria set out in the NIS2 Directive when making these decisions. As a result, organisations need to perform a case-by-case evaluation to establish whether they are classified as essential or important under NIS2.
Enforcement and supervision
Each EU Member State, including Cyprus, will establish competent authorities to oversee compliance. These authorities will have the power to conduct audits, issue binding instructions, temporarily suspend certifications or authorisations to provide certain services, and enforce penalties.
The level of supervision under the NIS2 Directive will depend on whether an organisation is classified as an essential entity or an important entity: essential entities are subject to proactive (ex ante) supervision, whereas important entities are supervised reactively (ex post), typically when the authority receives evidence or indications of non-compliance.
Fines and personal liability of managers
NIS2 introduces hefty fines for non-compliance. For essential entities, the maximum fine is the higher of €10 million or 2% of total worldwide annual turnover. For important entities, the maximum fine is the higher of €7 million or 1.4% of total worldwide annual turnover.
Additionally, the directive emphasises the personal liability of managers. The management bodies of essential and important entities are required to approve and oversee the implementation of cybersecurity risk-management measures and to undergo training, and failure to implement adequate measures could lead to penalties or legal action against individuals in leadership positions.
Preparation for NIS2
With the NIS2 compliance deadline approaching, organisations must take proactive steps to meet the new standards. Firstly, organisations should establish whether they fall within the scope of the NIS2 Directive.
It is also important for the organisations:
Adoption in Cyprus
NIS2 marks a significant shift in how cybersecurity is managed across Europe, and its impact on organisations and their leadership will be profound.
Cyprus, as an EU Member State, is required to transpose the NIS2 Directive into national law by 17 October 2024. Organisations in Cyprus must prepare by establishing clear internal processes and providing comprehensive training for employees at all levels. It is also crucial that senior management fully understands and embraces its new responsibilities under NIS2, as its involvement will be critical in ensuring compliance and avoiding potential penalties.
For more information, please visit our website microsite on Data Protection & Cyber Law or send us your queries by email.