NIS 2: A New Era of Cybersecurity in the EU and What It Means for Businesses

  • Writer: Alexandru Popina
  • Dec 11, 2025
  • 2 min read

In a world where cyberattacks are becoming increasingly sophisticated and digitalization is present across nearly all sectors, the European Union has decided to raise security standards to an unprecedented level. The NIS 2 Directive, adopted in 2022 and required to be implemented into national legislation by 2024, is one of the EU’s most significant initiatives in strengthening cyber resilience. It replaces the previous NIS Directive, expanding its scope and imposing clearer, stricter obligations on both public and private operators.

What is NIS 2 and why was it introduced?

The NIS 2 Directive aims to enhance the overall level of cybersecurity across the European Union. In recent years, ransomware attacks, data breaches, and threats targeting critical infrastructures have disrupted essential services — from hospitals and energy providers to transportation companies and digital services. NIS 2 responds to these challenges by establishing clearer and more rigorous rules on:

  • risk management,

  • incident prevention and response,

  • rapid reporting of security incidents,

  • management accountability in cybersecurity.

Who must comply with NIS 2?

Compared to the initial directive, NIS 2 significantly broadens the range of entities that fall under its scope. Companies are classified into two groups:

1. Essential entities, such as:

  • energy, water, transport, and healthcare providers;

  • digital infrastructure and critical IT service operators;

  • central public authorities.

2. Important entities, such as:

  • waste management companies,

  • postal and courier services,

  • manufacturers of critical products,

  • digital service providers (cloud, data centers, etc.).

In practice, many companies in Romania — including those from sectors previously unregulated — will now need to comply.

Key obligations under NIS 2

To reduce cybersecurity risks, companies must implement a set of mandatory measures, including:

  • information security and risk management policies,

  • technical measures such as multifactor authentication, encryption, monitoring, and detection,

  • cybersecurity assessment of supply chains,

  • management accountability, including possible personal liability,

  • reporting major incidents within 24 hours,

  • periodic audits and compliance checks.

These requirements are not just formalities; they are designed to ensure that organizations can continue to operate even when facing complex cyberattacks.

What are the consequences of non-compliance?

The directive provides for significant penalties, similar to those under the GDPR. Depending on the category of the entity, organizations may face:

  • fines up to €10 million, or

  • up to 2% of the global annual turnover,

whichever is higher.

Moreover, company executives may be held personally accountable, including through temporary suspension from management duties.

How can companies in Romania prepare?

For many organizations, achieving compliance with NIS 2 requires a comprehensive strategy involving both technical teams and top management.

Recommended steps include:

  1. Conducting a compliance assessment — identifying applicable requirements and evaluating the current cybersecurity level.

  2. Implementing clear policies and procedures aligned with the new rules.

  3. Investing in IT security, including modern monitoring and response solutions.

  4. Training staff, with a special focus on management.

  5. Seeking legal and technical consultancy to align operational practices with regulatory demands.

NIS 2 is not just a legal obligation, but also an opportunity to strengthen protection and build trust with partners and customers.
