NIS 2
The new EU cybersecurity directive sets high requirements for the protection of network and information systems of operators of essential services and digital service providers.
Your security is our priority
NIS is the first EU directive aimed at increasing cybersecurity across the Union. NIS 2 expands the scope and obligations for private and public providers of essential services—in response to the growing threat, not least from third parties.
18
Sectors in scope
Essential and important entities in the EU.
24h
Early warning
Deadline for initial incident notification.
10M€
Maximum sanctions
Up to 2% of global turnover for non-compliance.
// 01
Sectors in scope of NIS 2
SEC // 01
Energy
Electricity, oil, and gas.
SEC // 02
Transport
Air, rail, water, and road.
SEC // 03
Healthcare
Hospitals, private clinics, and healthcare providers.
SEC // 04
Water
Drinking water supply and distribution.
SEC // 05
Financial market infrastructure
Trading venues and central counterparties.
SEC // 06
Banking
Credit institutions.
SEC // 07
Digital infrastructure
IXPs, DNS, TLD registries, and cloud computing services.
SEC // 08
Critical supply chains
Suppliers with access to essential services.
// 02
Obligations under NIS 2
To strengthen the internal market and reduce vulnerability, NIS 2 requires a systematic, risk-based approach and incident reporting.
01
Systematic and risk-based approach
Managing information security as a continuous process, rather than a one-time project.
02
Annual risk assessment
An annual analysis of business risks and an action plan with appropriate measures.
03
Proportional measures
Technical and organizational controls corresponding to the risk profile.
04
Breach prevention
Minimizing the impact of incidents affecting networks and systems.
05
Incident reporting
Prompt notification of incidents with significant consequences.
// 03
How CyPro can help
CyPro's Audit and Business Consulting Department assesses your level of compliance and helps you implement the necessary measures. Key areas for improvement:
Strategic planning and cybersecurity budgeting programs.
ISO/IEC 27001
Employee awareness programs.
Training
Risk analysis and security policies.
Policies
Technical security (network, access control).
Protection
Cryptography and data encryption policies.
AES · TLS
Procedures for incident reporting.
24/72 h
// 03
Frequently Asked Questions
-
Which organizations fall under the scope of the NIS2 Directive?
NIS2 covers medium and large enterprises (over 50 employees or over 10 million EUR in annual turnover) in 18 critical and important sectors — energy, transport, banking, health, water supply, digital infrastructure, public administration, manufacturing, chemical industry, food industry, digital service providers, and others. Small organizations may also fall under the scope if they are the sole provider of a critical service in a Member State.
-
What is the deadline for reporting an incident under NIS2?
The Directive requires three-stage reporting to the competent authority (in Bulgaria — E-Government Agency/CERT): an initial early warning within 24 hours of becoming aware of a significant incident, an intermediate report within 72 hours with an initial assessment, and a final report within one month with a detailed analysis and measures taken.
-
What are the fines for non-compliance with NIS2?
For essential entities, fines can reach up to 10,000,000 EUR or 2% of total global annual turnover (whichever is higher). For important entities, it is up to 7,000,000 EUR or 1.4% of turnover. Furthermore, the Directive introduces personal liability for management, including the possibility of temporary suspension of managers for serious violations.
-
What technical and organizational measures does NIS2 require?
Article 21 requires a minimum of 10 measures: risk analysis and information security policies, incident handling, business continuity and disaster recovery, supply chain security, security in network and information system acquisition/development/maintenance, assessment of effectiveness, basic cyber hygiene practices and training, cryptography, access control and asset management, multi-factor authentication, and secure communications.
-
How does CyPro help with NIS2 compliance?
We perform a gap analysis against NIS2 requirements, create a compliance roadmap, implement missing technical and organizational measures, build an incident management process with a 24/72-hour SLA, assist with registration before the competent authority, and provide ongoing support with audits, training, and supplier assessments.
