NIS2 Directive Implementation

We’re halfway there!

Directive (EU) 2022/2555, known as NIS2, is the new European regulatory framework for cybersecurity, updating and replacing the original 2016 NIS Directive. The main objective of NIS2 is to strengthen the resilience and security of network and information systems in critical sectors. The directive entered into force on January 16, 2023, with mandatory transposition into national legislation by October 17, 2024.

Key Legal References:

Scope of Application

NIS2 significantly expands the scope compared to the previous directive, including:

  • Essential sectors: energy, transport, healthcare, financial infrastructure.
  • Important sectors: postal services, manufacturing of critical equipment, digital service providers.
  • ICT service providers and cloud infrastructure operators.

Note: Company size (more than 50 employees and/or turnover above €10 million) is a key criterion for mandatory compliance.

Main Technical and Organizational Requirements

  1. Security risk management
  2. Access and identity controls
  3. Incident protection
  4. Supply chain risk management
  5. Incident reporting
  6. Operational resilience

Sanctions and Compliance Framework

NIS2 introduces a harmonized penalty regime:

  • Up to €10 million or 2% of the global annual turnover
  • Mandatory oversight and approval of cybersecurity management by company leadership

How GYALA Supports NIS2 Implementation

As a trusted partner, GYALA offers:

  • Compliance assessment: analysis of current alignment with NIS2 requirements
  • Managed security services: 24/7 monitoring and threat intelligence
  • Incident response plans: development and simulation
  • Training and awareness: tailored courses for teams