Directive (EU) 2022/2555 COMPLIANCE · ACTIVE

NIS 2

The new EU cybersecurity directive sets high requirements for the protection of network and information systems of operators of essential services and digital service providers.

Your security is our priority

NIS is the first EU directive aimed at increasing cybersecurity across the Union. NIS 2 expands the scope and obligations for private and public providers of essential services—in response to the growing threat, not least from third parties.
18
Sectors in scope
Essential and important entities in the EU.
24h
Early warning
Deadline for initial incident notification.
10M€
Maximum sanctions
Up to 2% of global turnover for non-compliance.
// 01

Sectors in scope of NIS 2

SEC // 01

Energy

Electricity, oil, and gas.
SEC // 02

Transport

Air, rail, water, and road.
SEC // 03

Healthcare

Hospitals, private clinics, and healthcare providers.
SEC // 04

Water

Drinking water supply and distribution.
SEC // 05

Financial market infrastructure

Trading venues and central counterparties.
SEC // 06

Banking

Credit institutions.
SEC // 07

Digital infrastructure

IXPs, DNS, TLD registries, and cloud computing services.
SEC // 08

Critical supply chains

Suppliers with access to essential services.
// 02

Obligations under NIS 2

To strengthen the internal market and reduce vulnerability, NIS 2 requires a systematic, risk-based approach and incident reporting.
01

Systematic and risk-based approach

Managing information security as a continuous process, rather than a one-time project.
02

Annual risk assessment

An annual analysis of business risks and an action plan with appropriate measures.
03

Proportional measures

Technical and organizational controls corresponding to the risk profile.
04

Breach prevention

Minimizing the impact of incidents affecting networks and systems.
05

Incident reporting

Prompt notification of incidents with significant consequences.
// 03

How CyPro can help

CyPro's Audit and Business Consulting Department assesses your level of compliance and helps you implement the necessary measures. Key areas for improvement:
Strategic planning and cybersecurity budgeting programs.
ISO/IEC 27001
Employee awareness programs.
Training
Risk analysis and security policies.
Policies
Technical security (network, access control).
Protection
Cryptography and data encryption policies.
AES · TLS
Procedures for incident reporting.
24/72 h
// 03

Frequently Asked Questions

  • Which organizations fall under the scope of the NIS2 Directive?
    NIS2 covers medium and large enterprises (over 50 employees or over 10 million EUR in annual turnover) in 18 critical and important sectors — energy, transport, banking, health, water supply, digital infrastructure, public administration, manufacturing, chemical industry, food industry, digital service providers, and others. Small organizations may also fall under the scope if they are the sole provider of a critical service in a Member State.
  • What is the deadline for reporting an incident under NIS2?
    The Directive requires three-stage reporting to the competent authority (in Bulgaria — E-Government Agency/CERT): an initial early warning within 24 hours of becoming aware of a significant incident, an intermediate report within 72 hours with an initial assessment, and a final report within one month with a detailed analysis and measures taken.
  • What are the fines for non-compliance with NIS2?
    For essential entities, fines can reach up to 10,000,000 EUR or 2% of total global annual turnover (whichever is higher). For important entities, it is up to 7,000,000 EUR or 1.4% of turnover. Furthermore, the Directive introduces personal liability for management, including the possibility of temporary suspension of managers for serious violations.
  • What technical and organizational measures does NIS2 require?
    Article 21 requires a minimum of 10 measures: risk analysis and information security policies, incident handling, business continuity and disaster recovery, supply chain security, security in network and information system acquisition/development/maintenance, assessment of effectiveness, basic cyber hygiene practices and training, cryptography, access control and asset management, multi-factor authentication, and secure communications.
  • How does CyPro help with NIS2 compliance?
    We perform a gap analysis against NIS2 requirements, create a compliance roadmap, implement missing technical and organizational measures, build an incident management process with a 24/72-hour SLA, assist with registration before the competent authority, and provide ongoing support with audits, training, and supplier assessments.

Book a meeting

Speak with an expert today and get a tailored risk assessment.