Table of contents
- Expanded scope
- Notification and incident management obligations
- New standards for risk management
- Management responsibility and stricter penalties
- Challenges and opportunities for member states
The NIS Directive (Network and Information Security, Directive (EU) 2016/1148) marked a turning point in European cyber security. Its first version, NIS1, was adopted in 2016 with the goal of strengthening the protection of the network and information systems behind essential services in EU member states.
However, with the growing complexity of digital threats, an update became necessary: NIS2 (Directive (EU) 2022/2555), adopted in December 2022 and to be transposed into national law by 17 October 2024, redefines cyber security standards and introduces new measures for risk management. In this article, we analyze the main differences between NIS1 and NIS2 and what they mean for companies and competent authorities.
Expanded scope
With the introduction of NIS2, the scope of the directive has been significantly broadened, including a larger number of entities and sectors compared to the previous NIS1. This evolution reflects the growing interconnection of systems and the increase in cyber threats, which now affect even sectors traditionally considered less exposed.
Sectors covered by NIS2 vs. NIS1
NIS1 focused on seven sectors of essential services (energy, transport, banking, financial market infrastructures, health, drinking water supply and distribution, and digital infrastructure), plus three categories of digital service providers (online marketplaces, online search engines and cloud computing services). NIS2 instead introduces a broader and more detailed list of sectors and subsectors, split into sectors of high criticality (Annex I) and other critical sectors (Annex II), including:
- Food production, processing and distribution: companies involved in producing, processing and distributing food, essential for security and sustainability.
- Pharmaceutical and medical device manufacturing: entities active in the research, development and production of drugs and medical technologies.
- Chemical and automotive sectors: manufacturers of chemicals and of motor vehicles and components, critical for transportation and industrial processes.
- Electronics and advanced industrial technologies: manufacturers of computer, electronic and optical products, electrical equipment and machinery that production sectors depend on.
The full list also adds waste water, waste management, postal and courier services, public administration, space, ICT service management (business-to-business) and research organisations.
This expansion aims to include not only entities already perceived as critical but also those that could suffer significant impacts in the event of cyber incidents, with potentially severe consequences for economic and social continuity.
Inclusion of medium and large companies
Another significant change is the way entities are brought into scope. Under NIS1, each member state individually identified its operators of essential services, alongside a fixed set of digital service providers. NIS2 applies a size-cap rule instead: medium-sized and large enterprises (as defined in Commission Recommendation 2003/361/EC, broadly from 50 employees or €10 million annual turnover upwards) operating in the listed sectors fall within scope by default, regardless of whether they were previously perceived as critical. Smaller entities are included only in specific cases, for example when they are the sole provider of a service in a member state or a disruption would have a significant impact on public safety, security or health. Within scope, NIS2 further distinguishes essential entities (generally large enterprises in Annex I sectors) from important entities, with different supervision regimes and penalty ceilings.
This approach acknowledges that many of these companies are integral to the supply chains of critical sectors. An attack on a medium-sized company can have a domino effect, threatening the security of entire infrastructures or systems.
Supply chain and external providers
NIS2 makes supply chain security one of the minimum risk management measures (Article 21). It is not enough for companies to adopt internal security measures; they must address the security-related aspects of their relationships with direct suppliers and service providers, taking into account each supplier's specific vulnerabilities and the overall quality of its products and cyber security practices. In practice this translates into:
- Supplier due diligence: verifying that business partners adopt security measures consistent with those required by the directive.
- Specific contractual clauses: including clear obligations regarding risk management, security measures and incident notification in contracts.
- Reviewing existing relationships: adjusting existing contracts to align with the new regulatory provisions.
This requirement applies not only to providers of essential services but also to technology suppliers, such as managed service providers, cloud providers and other digital service providers, who often manage sensitive data or critical systems on behalf of other companies.
Indirect impacts on excluded entities
Even companies formally excluded from NIS2 may find themselves indirectly involved. Organizations required to comply will likely impose security requirements on their business partners to avoid risk exposure.
This cascading mechanism ensures a higher level of security throughout the supply chain but also demands significant adjustments for many businesses.

Notification and incident management obligations
With NIS2, time plays a crucial role in responding to attacks. NIS1 only required notification "without undue delay", leaving the timeline to discretion. NIS2 (Article 23) instead sets a multi-stage procedure for significant incidents, meaning incidents that have caused or can cause severe operational disruption or financial loss, or considerable damage to other persons. Counting from the moment the entity becomes aware of the incident, it must send the competent authority or CSIRT:
- An early warning within 24 hours, indicating whether the incident is suspected to be unlawful or malicious and whether it could have cross-border impact;
- An incident notification within 72 hours, with an initial assessment of severity and impact and, where available, indicators of compromise;
- An intermediate report on request, and a final report within one month of the incident notification (or a progress report if the incident is still ongoing).
Where appropriate, entities must also inform the recipients of their services that are likely to be affected. This new structure is designed to ensure more timely and effective incident management, minimizing potential damage.
New standards for risk management
Another innovative aspect of NIS2 is its emphasis on risk management. Article 21 requires entities to take appropriate and proportionate technical, operational and organisational measures, following an all-hazards approach, proportionate to their exposure to risk, their size and the likelihood and severity of incidents. At a minimum these measures must cover:
- Policies on risk analysis and information system security;
- Incident handling;
- Business continuity, including backup management, disaster recovery and crisis management;
- Supply chain security;
- Security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure;
- Policies and procedures to assess the effectiveness of the measures;
- Basic cyber hygiene practices and security training;
- Policies on the use of cryptography and, where appropriate, encryption;
- Human resources security, access control and asset management;
- The use of multi-factor or continuous authentication and secured communication channels, including for emergencies.
This approach promotes tailored security, optimizing resources without unnecessary waste, while setting a common floor that every entity in scope must meet. The supply chain requirement extends that floor to suppliers and service providers.
Management responsibility and stricter penalties
NIS2 introduces new obligations for corporate management bodies (Article 20), which must approve the risk management measures, oversee their implementation and follow cyber security training; they can be held liable for infringements, and for essential entities authorities may temporarily bar natural persons at CEO or legal representative level from exercising managerial functions. Administrative fines are also raised well above NIS1 levels: member states must allow maximum fines of at least €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least €7 million or 1.4% for important entities. This aims to incentivize greater attention to security at the executive level.
Challenges and opportunities for member states
The implementation of NIS2 presents various challenges for member states and for the entities they supervise, including:
- Harmonizing rules in multinational contexts, since each member state transposes the directive into its own law;
- Staff training, both in supervisory authorities and in the entities now in scope;
- Creating a corporate culture focused on cyber security.
However, compliance with the directive also represents an opportunity. A more robust security system improves the trust of customers and partners, creating a competitive advantage in a market increasingly attentive to cyber security.
In conclusion
The comparison between NIS1 and NIS2 highlights a clear evolution in the European Union’s strategy. The new directive lays the foundation for greater digital resilience, imposing high standards and expanding compliance obligations.
Adapting is not only a regulatory requirement but also a strategic investment to ensure operational continuity and successfully tackle future challenges.
Questions and answers
- What does NIS1 vs. NIS2 mean? NIS1 (Directive (EU) 2016/1148) and NIS2 (Directive (EU) 2022/2555) are two European cyber security directives, with the latter updating and expanding the obligations of the former.
- What sectors does NIS2 cover compared to NIS1? NIS2 extends its scope to new sectors such as food production, chemicals, manufacturing (including medical devices and motor vehicles), waste management, postal services, public administration and space, in addition to those already included under NIS1.
- What are the incident reporting timelines under NIS2? For significant incidents, an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of the notification.
- What role do executives play under NIS2? Management bodies must approve and oversee the risk management measures and follow training; they can be held liable for non-compliance.
- What does NIS2 require of digital service providers? They must meet the same minimum security measures as other entities in scope and address security in their own supply chain.
- What security measures are mandatory under NIS2? The minimum measures of Article 21, including risk analysis policies, incident handling, business continuity and backups, supply chain security, vulnerability handling, cyber hygiene and training, cryptography, access control and multi-factor authentication.
- What penalties does NIS2 impose? Fines of at least €10 million or 2% of worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% for important entities.
- How does NIS2 address risk management? It requires measures proportionate to each entity's risk exposure, size and the likelihood and severity of incidents, on top of a common minimum set.
- What changes does NIS2 bring for member states? States must transpose the directive into national law, harmonize regulations and enhance cyber security oversight.
- What is the strategic benefit of NIS2? Strengthened digital resilience builds trust and offers a competitive edge.