NIS2 Directive
EU Directive 2022/2555
The Network and Information Security Directive 2 is the most significant expansion of European cybersecurity regulation in a decade. With mandatory requirements spanning risk management, incident response, supply chain security, and governance accountability, NIS2 reshapes compliance obligations across 18 critical sectors within the European Union.
Regulation Overview
The NIS2 Directive (EU Directive 2022/2555), adopted on 14 December 2022, replaces and substantially expands the original NIS Directive of 2016. Where its predecessor applied to a narrow set of operators, NIS2 broadens scope to medium and large enterprises across 18 sectors including energy, transport, banking, healthcare, digital infrastructure, ICT service management, public administration, and manufacturing of critical products.
NIS2 introduces a two-tier classification: essential entities (large enterprises in high-criticality sectors such as energy, banking, and digital infrastructure) and important entities (medium enterprises in the same sectors plus postal services, waste management, chemical manufacturing, and food production). The classification determines supervisory intensity and penalty severity.
Member States were required to transpose the directive into national law by 17 October 2024. National variations in scope definitions, supervisory authority designations, and enforcement approaches create additional compliance complexity for entities operating across multiple EU member states.
Key Requirements
Risk Management Measures
Article 21 mandates an all-hazards approach to cybersecurity risk management. Entities must implement proportionate technical, operational, and organisational measures including risk analysis, incident response handling, business continuity, crisis management, and vulnerability handling and disclosure.
Incident Reporting
Entities must notify the competent authority or CSIRT of any significant incident on a tiered timeline: early warning within 24 hours, incident notification within 72 hours with initial severity and impact assessment, and a final report within one month detailing root cause, mitigation measures, and cross-border impact.
Supply Chain Security
Article 21(2)(d) requires entities to address supply chain security in relationships with direct suppliers and service providers. This encompasses supplier risk assessment, contractual security requirements, third-party security posture monitoring, and ICT supply chain risk management across the full product and service lifecycle.
Governance Obligations
Article 20 requires management bodies to approve cybersecurity risk-management measures, oversee their implementation, and accept liability for infringements. Members must undergo training to identify risks and assess cybersecurity practices, establishing personal accountability at the board level.
Information Sharing
NIS2 facilitates voluntary cybersecurity information sharing between entities, including cyber threat intelligence, indicators of compromise, tactics and procedures, and alerts. Entities may participate in information-sharing arrangements to foster collaborative threat detection and incident response across the EU.
Multi-Factor Authentication
Article 21(2)(j) mandates multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems as minimum technical controls for all in-scope entities.
Implementation Timeline
The NIS2 Directive entered into force on 16 January 2023, with transposition into national law required by 17 October 2024. From 18 October 2024, entities within scope must comply with requirements as implemented through national legislation. Several Member States adopted their national legislation on varying timelines, creating a phased enforcement landscape.
The European Commission may adopt implementing acts specifying technical and methodological requirements for DNS service providers, cloud computing providers, data centre operators, CDN providers, managed service and managed security service providers, online marketplaces, search engines, and social networking platforms. Entities in these categories should monitor adoption of sector-specific requirements.
Supervisory authorities have begun compliance assessments of essential entities under proactive supervision. Important entities are subject to reactive supervision, triggered by evidence of non-compliance or incident reports, though authorities retain discretion for proactive supervision where warranted.
Penalty Framework
Essential Entities: Up to €10M or 2% of Global Turnover
Administrative fines of up to €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Authorities may also impose binding instructions, security measure mandates, public disclosure of non-compliance, temporary suspension of certifications, and temporary bans on management body members exercising managerial functions.
Important Entities: Up to €7M or 1.4% of Global Turnover
Administrative fines of up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. While supervision is reactive rather than proactive, the penalty framework remains substantial. Remedial measures mirror those for essential entities.
Personal Liability for Management
Article 20 extends liability beyond the corporate entity to individual directors, officers, and senior managers with authority over cybersecurity governance. For Private Equity-backed companies and Family Office-controlled entities, this creates direct personal risk for board members, fund partners, and family principals in oversight roles.
Advisory Approach
Intarmour delivers NIS2 compliance programmes designed for the governance structures of Private Equity-backed and Family Offices-controlled enterprises, addressing their unique challenges: distributed management structures, rapid portfolio composition changes, and demonstrating compliance across diverse operating companies with varying security maturity.
Implementation follows a structured methodology: scope determination and entity classification, gap analysis, governance framework design, technical control deployment, and ongoing compliance monitoring. For multi-entity portfolios, we design centralised frameworks with entity-specific modules that create economies of scale while respecting each entity's operational context and risk profile.
Every control we implement serves both regulatory and operational objectives, ensuring compliance investment translates into measurable risk reduction — protecting management from personal liability and creating demonstrable value for LP reporting and portfolio company governance.
Ready for institutional-grade cybersecurity?
Confidential assessments for qualified Private Equity and Family Office entities requiring sovereign defense infrastructure.