What is NIS2 and does it apply to my company?

NIS2 is EU legislation on network and information security that puts obligations on thousands of companies the older rules never reached. This guide covers what the directive is, who falls under it, what it requires and how to find out whether it applies to your company.

This article is general guidance, not legal advice.

NIS2 in short

NIS2 (EU directive 2022/2555) is the second version of the European directive on the security of network and information systems. It replaces the original NIS directive from 2016 and goes much further: more sectors are covered, the requirements are more detailed and the penalties heavier. The directive is EEA-relevant and is implemented in Icelandic law.

The goal is simple: companies and institutions that society depends on must take cybersecurity seriously, not just in the IT department but at board level and across the whole staff.

Does NIS2 apply to my company?

The main rule is that NIS2 covers medium-sized and larger companies, generally those with more than 50 employees or over 10 million euros in annual turnover, operating in specific sectors. The sectors fall into two groups:

  • Essential entities: energy, transport, banking and financial services, healthcare, drinking water and wastewater, digital infrastructure, public administration and space.
  • Important entities: postal and courier services, waste management, chemicals, food production, manufacturing of certain goods, digital providers such as cloud services and online marketplaces, and research.

Even if your company isn't directly covered

Small companies outside these sectors are often exempt from the directive itself. But the requirements travel down the supply chain: a company under NIS2 is responsible for the security of its suppliers and subcontractors, and sends them security questionnaires. "What security training do your staff receive?" has become a standard question in tenders and contract negotiations, including for companies not directly covered.

What NIS2 requires

The directive imposes three main kinds of obligations:

  • Risk management (Article 21): documented security measures, including incident response, supply-chain security, access control, multi-factor authentication, encryption, and specifically basic cyber hygiene and cybersecurity training for staff.
  • Management accountability (Article 20): the board approves the security measures, oversees them and undergoes training itself. Managers can be held personally liable for neglect.
  • Incident reporting (Article 23): significant incidents must be reported to the supervisory authority with an early warning within 24 hours and a fuller notification within 72 hours.

What happens if you don't comply

The penalties are substantial. For essential entities, fines can reach 10 million euros or 2% of total worldwide annual turnover, whichever is higher. For important entities, fines can reach 7 million euros or 1.4% of turnover. Supervisors can also order remediation, and managers can be held personally liable.

Where to start

Four realistic first steps:

  • Check whether your company is covered (sector and size).
  • Get the board involved, because that is where the accountability sits.
  • Get the basic measures in place: multi-factor authentication, backups, updates and an incident plan.
  • Start regular, documented security training for staff.

The training obligation is the easiest one to satisfy immediately, and it delivers the most in practice because most attacks target people.

Frequently asked questions

What is NIS2?

NIS2 is an EU directive (2022/2555) on network and information security. It obliges companies in specific sectors to manage cybersecurity risk, train staff and report significant incidents, and it makes management accountable for compliance. It is EEA-relevant and implemented in Icelandic law.

Does NIS2 apply to my company?

Generally yes, if your company has more than 50 employees or over 10 million euros in annual turnover and operates in sectors such as energy, transport, finance, healthcare, digital infrastructure, food, manufacturing or cloud services. Smaller companies still feel the requirements through customers who are covered.

What does NIS2 require for staff training?

Article 21 lists cybersecurity training for staff as part of the mandatory risk-management measures, and under Article 20 the board itself undergoes training. In practice that means regular, documented training you can prove to auditors and supervisors.

What are the penalties for breaching NIS2?

Fines can reach 10 million euros or 2% of worldwide turnover for essential entities, and 7 million euros or 1.4% for important entities. Managers can additionally be held personally liable.

The training obligation is the easiest first step

Varhugi satisfies the NIS2 training requirement with short monthly modules in Icelandic, automatic certificates and a one-click audit report.