Does my company need to comply with the NIS2 Directive?

By Carles Latorre on Jul 13, 2026 9:00:03 AM

<span id="hs_cos_wrapper_name" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="text" >Does my company need to comply with the NIS2 Directive?</span>

The NIS2 Directive expands the number of organizations required to implement cybersecurity measures across the European Union. Its goal is to strengthen the protection of essential sectors and improve resilience against increasingly frequent and sophisticated cyber threats.

While many organizations believe this regulation only applies to large corporations or critical infrastructure, the reality is quite different. NIS2 significantly expands the number of companies required to implement cybersecurity measures and, in many cases, also applies to suppliers that are part of the supply chain.

As a result, one of the most common questions among business leaders is: Does my organization need to comply with NIS2?

Which companies must comply with NIS2?

As a general rule, the directive applies to medium-sized and large organizations operating in sectors considered essential or important to the functioning of the economy and society.

Typically, a company is required to comply if it:

  • Has 50 or more employees.
  • Exceeds €10 million in annual revenue or total annual balance sheet assets.
  • Operates in one of the sectors covered by the directive.

However, there are exceptions. Some small businesses may also fall under NIS2 if they provide critical services, are part of the supply chain of an essential organization, or carry out activities that have a significant impact on strategic services.

Which sectors are affected by the NIS2 Directive?

The NIS2 Directive distinguishes between essential sectors and important sectors. Both are required to implement cybersecurity measures, although the level of regulatory oversight may differ.

Essential sectors

Important sectors

 Energy 

Manufacturing

 Transport 

 Food production 

Banking and financial services

Chemical industry

 Healthcare 

Waste management

Drinking water and wastewater

Postal services and logistics

Digital infrastructure

Digital platforms and e-commerce

ICT and cybersecurity service providers

Research centers

Public administration

 

If your organization operates in one of these sectors and meets the size requirements established by the directive, it is advisable to assess whether NIS2 applies to your business.

What does NIS2 require from organizations?

The directive goes far beyond requiring security tools. It requires organizations to implement a risk management strategy capable of preventing, detecting, and responding to cybersecurity incidents.

Key obligations include:

  • Implementing information security policies.
  • Continuously managing technology risks.
  • Protecting the supply chain and assessing suppliers.
  • Establishing business continuity and disaster recovery plans.
  • Managing and reporting security incidents within the required deadlines.
  • Training senior management and involving leadership in cybersecurity 
    governance.

Responsibility no longer rests solely with the IT department. Company leadership is expected to oversee compliance with these requirements.

What happens if a company fails to comply with NIS2?

Failing to comply with NIS2 can have consequences far beyond administrative penalties. The directive provides for fines of up to €10 million or 2% of the organization's total worldwide annual turnover, whichever is higher. In certain cases, senior management may also be held accountable for inadequate cybersecurity risk management.

Beyond financial penalties, organizations that are not adequately prepared significantly increase their risk of suffering cyber incidents capable of disrupting operations, damaging customer and supplier trust, and making it more difficult to meet the cybersecurity requirements imposed by partners throughout the supply chain.

Ultimately, the greatest cost is rarely the fine itself, but the impact a cyberattack can have on business continuity, the organization's reputation, and its ability to continue operating normally.

How can your organization prepare for NIS2?

Complying with NIS2 involves much more than deploying security tools. The process begins by assessing the organization's cybersecurity maturity, identifying risks, and developing a roadmap to progressively meet the directive's requirements.

For many organizations, the first steps include:

  • Assessing the current cybersecurity posture.
  • Identifying vulnerabilities and risks.
  • Reviewing existing security controls.
  • Defining incident response procedures.
  • Continuously monitoring the technology infrastructure.
  • Ensuring the security of suppliers and third parties.

The sooner this process begins, the easier the transition will be and the lower the impact on day-to-day business operations.

Why choose ESED to help you comply with NIS2?

Adapting to the NIS2 Directive requires much more than implementing security tools. It involves assessing the organization's cybersecurity maturity, identifying risks, defining procedures, and implementing the technical and organizational measures required by the regulation.

At ESED, we support organizations throughout the entire NIS2 compliance process. We assess your current situation, identify the applicable requirements, and design a tailored action plan to help you meet regulatory obligations while strengthening your cybersecurity posture.

Our goal is not only to simplify regulatory compliance but also to help every organization build a more secure, resilient, and prepared environment capable of ensuring business continuity in the face of today's cyber threats.

Nueva llamada a la acción