Which companies are subject to the NIS2 Directive?

  The NIS2 Directive (Network and Information Security 2) was adopted at the European Union level on December 27, 2022, replacing the 2016 NIS Directive. Member states, including Romania, were required to transpose this directive into national legislation by October 17, 2024. After this date, affected entities are obligated to implement the necessary measures to ensure compliance with the new requirements.

   An essential aspect of the NIS2 Directive is the introduction of strict deadlines for reporting cybersecurity incidents. According to the new regulations, organizations must submit an initial notification within 24 hours of detecting a cyber incident or threat, followed by additional details within 72 hours. A more detailed report is required one month after a significant incident as part of ongoing monitoring.

   Additionally, the NIS2 Directive establishes sanctions for non-compliance, leaving it to member states to define specific measures. These can include administrative fines of up to €10 million or 2% of total annual turnover for certain violations.

   It is essential for organizations to stay informed and comply with these deadlines to ensure regulatory compliance and avoid potential penalties.

About the NIS2 Directive

1. Energy: Protects critical infrastructure in the electricity, oil, and natural gas sectors from cyberattacks.

2. Transport: Ensures the security of networks and systems in air, rail, maritime, and road transport.

3. Banking Sector: Enforces strict security measures to protect financial data and banking transactions.

4. Financial Market Infrastructure: Secures platforms and systems that support the functioning of financial markets.

5. Healthcare: Safeguards patient data and essential systems in hospitals and medical centers.

6. Drinking Water Supply: Protects critical production and distribution systems against digital intrusions.

7. Wastewater Management: Prevents disruptions in wastewater treatment processes through effective cybersecurity measures.

8. Digital Infrastructure: Ensures the security of data centers, communication networks, and cloud computing services.

9. Digital Service Providers: Secures online platforms and search engines against cyber vulnerabilities.

10. Public Administration: Protects government and local authority networks and critical data.

11. Essential Manufacturing Service Providers: Safeguards the production of critical equipment and sensitive technologies from cyber threats.