Effective immediately, NIS 2 is no longer an option but a strategic necessity. Following on from the NIS (Network and Information Security) Directive, it harmonizes European cybersecurity in the face of increasingly sophisticated threats.
Whether you are an Essential Entity (EE) or an Important Entity (IE), this guide helps you understand the requirements, the sectors affected, and the tools available to transform this legal constraint into a lever for resilience.
From NIS to NIS 2: why the change?
Adopted in July 2016, the NIS Directive aimed to harmonize cybersecurity levels, which were very uneven among Member States at the time. It was based on:
- The designation of competent national authorities (such as ANSSI in France).
- The creation of CSIRTs (Computer Security Incident Response Teams) to manage crises.
- Targeted obligations for ESOs (Essential Service Operators) and DSPs (Digital Service Providers).
While NIS 1 helped to establish a culture of risk awareness, the explosion of cyberattacks and the interdependence of supply chains have rendered this framework insufficient. NIS 2 marks the transition from cybersecurity for "critical sectors" to cybersecurity for the "global market."
The three pillars of the new NIS 2 Directive
- Expansion of scope: from 19 sectors to more than 35 (now including waste management, postal services, and agri-food).
- Management responsibility: managers can now be held personally liable in the event of serious breaches of security obligations.
- Strict reporting requirements: a major incident requires a timed process (alert within 24 hours, notification within 72 hours, final report within one month).
👉 Discover our catalog of reference frameworks and the NIS 2 framework
Who is affected by NIS 2 compliance?
The historical distinction between ESOs (Essential Service Operators) and DSPs (Digital Service Providers) is being replaced by two new categories based on the criticality of the sector and the size of the company:
- Essential Entities (EE): highly critical sectors (energy, transportation, health, banking, public administration).
- Important Entities (IE): critical sectors (postal services, waste management, chemical or electronic manufacturing, digital service providers).
Even if you are not directly subject to the regulations, your customers may require you to comply with NIS 2 in order to secure their supply chain (Supply Chain Security).
What are the key requirements of NIS 2?
To meet ANSSI and EU standards, organizations must structure their defenses around technical and organizational measures.
- Governance and risk analysis: implementation of robust IT security policies (PSSI) and continuous threat assessment.
- Network and system security: encryption, access management (MFA), and IT hygiene.
- Incident management and CSIRT: detection capabilities and obligation to collaborate with national CSIRTs (Computer Security Incident Response Teams).
- Business Continuity: formalization of disaster recovery plans (DRPs) and crisis management tested regularly.
Which software should you use to manage your NIS 2 compliance?
Given the volume of evidence that must be provided, managing NIS 2 with spreadsheets is a risky proposition. A cyber GRC platform such as Tenacy allows you to:
- Perform a gap analysis: assess the gap between your current posture (based on NIS 1 or ISO 27001) and the new NIS 2 requirements in just one click.
- Centralize evidence: connect your tools (EDR, Vulnerability Scanners) to report compliance evidence in real time.
- Steer by indicators: provide the executive committee with clear dashboards to demonstrate management's commitment, as required by the directive.
👉 To go further...
- Infographic – The NIS 2 Directive at a glance
- Webinar – How to prepare for NIS 2 in a changing environment?
FAQ – Everything you need to know about the NIS 2 Directive
Where can I find a cybersecurity audit that complies with NIS 2?
Ideally, the audit should be prepared internally through self-assessments. Tenacy helps you structure your evidence file to facilitate the work of qualified auditors (such as PASSI).
What IT tools are recommended to comply with NIS 2?
In addition to protection tools (firewall, EDR, MFA), GRC (Governance, Risk & Compliance) software is essential for orchestrating compliance, managing the risk register, and monitoring the action plans imposed by the directive.
How to manage the 24-hour notification deadlines?
This is the most critical point. GRC software automates the reporting workflow and ensures that all preliminary information is ready for the early warning.
What are the penalties for non-compliance?
Fines are now dissuasive: up to €10 million or 2% of global annual turnover for Essential Entities.
Which services offer a solution for compliance with the NIS 2 Directive?
Tenacy offers a comprehensive SaaS platform that natively integrates the NIS 2 framework. This allows incident management, risk analysis, and regulatory reporting to be centralized on a single console.
Conclusion: plan ahead to avoid suffering
NIS 2 compliance isn't just a list of boxes to tick; it's an opportunity to strengthen your company's cyber culture in the long term. By automating time-consuming tasks, you enable your CISO to focus on what matters most: defending your digital assets.