ISpectra Technologies
Critical Infrastructure · EU Directive

What is NIS2 Directive?

An EU directive that raises cybersecurity and incident-reporting requirements for essential and important service operators across critical sectors.

Definition

The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s updated cybersecurity law for critical infrastructure, replacing the original 2016 NIS Directive. It significantly widens the range of covered sectors, tightens security and incident-reporting requirements, and introduces stronger supervision and enforcement — including management accountability and potential fines.

Member states were required to transpose NIS2 into national law by October 2024, so specific obligations are enforced through each country’s implementing legislation.

Key obligations

1

Risk-management measures

Policies, cryptography, access control and supply-chain security.

2

Incident reporting

Early warning within 24 hours, with fuller reports to follow.

3

Governance & accountability

Management bodies approve and oversee the measures.

4

Business continuity

Backups, disaster recovery and crisis management.

5

Supply-chain security

Assess and manage supplier and service-provider risk.

Who needs to comply?

NIS2 applies to medium and large organisations operating in “essential” and “important” sectors — energy, transport, health, digital infrastructure, public administration, manufacturing and more — as defined by each member state’s law.

How ISpectra helps

ISpectra runs your NIS2 readiness program — gap assessment against the risk-management measures, incident-reporting playbooks, supply-chain controls and governance — mapped to ISO 27001 to reuse existing evidence.

Talk to an advisor