NIS2: Complete Compliance Guide for 2025

The NIS2 (Network and Information Security 2) directive represents a major change in European cybersecurity regulation. Here is your practical guide to compliance.

Who Is Affected?

Essential Entities

• Energy (electricity, oil, gas)
• Transport (air, rail, maritime)
• Healthcare
• Digital infrastructure
• Drinking water and wastewater

Important Entities

• Postal services
• Waste management
• Chemical manufacturing
• Food production
• Digital providers

Size Criteria: More than 50 employees OR revenue > €10M

Main Obligations

1. Cyber Governance

• Management Responsibility: Leaders are personally responsible
• Mandatory Training: Awareness program for all
• Risk Management: Structured and documented approach

2. Technical Security Measures

• System and network security
• Incident management
• Business continuity and crisis management
• Supply chain security
• Encryption and authentication

3. Incident Notification

• Early Warning: 24 hours to report an incident
• Initial Report: 72 hours with technical details
• Final Report: 1 month with complete analysis

Compliance Roadmap

Phase 1: Assessment (Month 1-2)

1. Verify your eligibility
2. Identify compliance gaps
3. Assess current risks
4. Budget necessary investments

Phase 2: Planning (Month 3-4)

1. Define cyber governance
2. Appoint a NIS2 officer
3. Create a steering committee
4. Establish a roadmap

Phase 3: Implementation (Month 5-10)

1. Deploy technical measures
2. Update policies and procedures
3. Train teams
4. Test systems

Phase 4: Validation (Month 11-12)

1. Internal compliance audit
2. Incident response tests
3. Final documentation
4. Certification if applicable

NIS2 Checklist in 25 Points

Governance (5 points)

• [ ] Management involved and trained
• [ ] NIS2 officer appointed
• [ ] Security policy approved
• [ ] Cyber budget allocated
• [ ] Quarterly reviews planned

Risk Management (5 points)

• [ ] Annual risk analysis
• [ ] Up-to-date risk register
• [ ] Treatment plans defined
• [ ] Risk indicators monitored
• [ ] Regular reporting to management

Technical Measures (10 points)

• [ ] Complete asset inventory
• [ ] Network segmentation implemented
• [ ] MFA on all accesses
• [ ] EDR/XDR deployed
• [ ] Sensitive data encryption
• [ ] Backups tested monthly
• [ ] Patch management < 30 days
• [ ] 24/7 monitoring active
• [ ] DLP in place
• [ ] SIEM configured

Incident Response (3 points)

• [ ] Response plan documented
• [ ] Intervention team trained
• [ ] Quarterly crisis exercises

Continuity (2 points)

• [ ] BCP/DRP tested annually
• [ ] RTO/RPO defined and met

Penalties for Non-Compliance

• Essential entities: Up to €10M or 2% of global revenue
• Important entities: Up to €7M or 1.4% of global revenue
• Personal sanctions: Possible for negligent executives

Conclusion

NIS2 is not just a regulatory constraint, it's an opportunity to strengthen your cyber-resilience. Compliant organizations will be better protected and more competitive.

Need support for NIS2? Schedule a free audit