The NIS2 (Network and Information Security 2) directive, Directive (EU) 2022/2555, entered into force in January 2023. Member States had until 17 October 2024 to transpose it into national law, and many completed transposition only in 2025. It significantly expands the range of businesses subject to cybersecurity obligations. Are you affected? What are your obligations? How can you achieve compliance?
NIS2: What Is It?
NIS2 is the revision of the 2016 European NIS directive on the security of network and information systems. Adopted in December 2022, it must be transposed into each Member State's national law.
The goal: to strengthen the EU's cyber resilience in the face of increasing cyberattacks. The original NIS directive only covered a limited number of critical sectors; NIS2 significantly broadens the scope, both in the sectors covered and in the size of the entities concerned.
Who Is Affected?
NIS2 distinguishes between two categories of entities, essential and important. The category depends on both the sector (Annex I or Annex II of the directive) and the size of the entity: large entities in Annex I sectors are essential, while medium-sized entities in Annex I and all covered entities in Annex II are, with some exceptions, important.
Essential Entities
Sectors of high criticality (Annex I), most of which were already covered by the first NIS directive:
- Energy (electricity, gas, oil)
- Transport (air, rail, maritime, road)
- Banking and financial market infrastructure
- Healthcare (hospitals, laboratories, medical device manufacturers)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, data centers, cloud providers, electronic communications)
- ICT service management (managed service providers, managed security service providers)
- Public administration
- Space
Important Entities
Other critical sectors (Annex II), newly covered by NIS2. Covered entities in these sectors are important entities whether they are large or medium-sized:
- Postal and courier services
- Waste management
- Chemicals (manufacturing and distribution)
- Food (production and distribution)
- Manufacturing (medical devices, electronics, machinery)
- Digital service providers (marketplaces, search engines, social networks)
- Research
Size Criteria
Within these sectors, NIS2 applies to businesses based on their size, using the EU definition of micro, small and medium-sized enterprises (headcount, annual turnover and balance sheet total):
- Large enterprises (250 or more employees, or both annual turnover above €50M and balance sheet total above €43M): covered
- Medium enterprises (50 to 249 employees, or annual turnover or balance sheet total above €10M): covered
- Small and micro enterprises (fewer than 50 employees, and annual turnover and balance sheet total of €10M or less): generally exempt, with exceptions
Watch for Exceptions
Some entities are covered regardless of size: qualified trust service providers (electronic signatures), top-level domain name registries and DNS service providers, providers of public electronic communications networks or services, entities that are the sole provider in a Member State of a service essential to society or the economy, and entities whose disruption could have a significant impact on public safety, security or health. Small suppliers are also reached indirectly: essential and important entities must address security in their contracts with direct suppliers, so a small business that is a critical supplier to a covered entity will typically have to meet comparable requirements.
What Are the Obligations?
Covered entities must implement cyber risk management measures and comply with notification obligations.
Mandatory Security Measures
The directive (Article 21) mandates at least the following measures:
- Risk analysis and information system security policies
- Incident handling: detection, response, notification
- Business continuity: backups, disaster recovery, crisis management
- Supply chain security: assessment of direct suppliers and service providers
- Security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the security measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and, where appropriate, encryption
- Human resources security, access control and asset management
- Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems
Notification Obligations
In case of a significant incident, the deadlines run from the moment the entity becomes aware of it:
- Early warning: within 24 hours, stating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification: within 72 hours, updating the early warning with an initial assessment of severity, impact and indicators of compromise
- Final report: within one month of the incident notification (an intermediate report may be requested in the meantime; if the incident is still ongoing, a progress report is due instead and the final report one month after the incident is handled)
Notifications are made to the national CSIRT or, where applicable, the competent national authority (ANSSI in France).
Management Liability
A major change: the management body is accountable for compliance. It must approve the risk management measures, oversee their implementation, and can be held liable for infringements. Executives must also follow cybersecurity training, and are encouraged to offer it to their employees.
Penalties
NIS2 requires Member States to provide for significant administrative fines. The national maximum must be at least:
- Essential entities: €10 million or 2% of total worldwide annual turnover, whichever is higher
- Important entities: €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Executives can also be personally sanctioned: for essential entities, authorities can temporarily prohibit the persons responsible from exercising managerial functions, and national law may add fines.
What NIS2 Means for Your Email
Email is often the primary vector for cyberattacks. NIS2 effectively strengthens security requirements for this critical tool.
Enhanced Authentication
The directive explicitly lists multi-factor or continuous authentication among the minimum measures. For your email, this means:
- Enable multi-factor authentication on all email accounts, administrator accounts first
- Prefer phishing-resistant methods (FIDO2/WebAuthn security keys, passkeys) over TOTP apps, and both over SMS codes, which can be intercepted or SIM-swapped
- Enforce MFA, not just offer it: a policy that leaves it optional will leave the least careful accounts unprotected
- Disable or restrict legacy protocols that authenticate with a password alone (basic-auth IMAP, POP and SMTP), otherwise MFA on the webmail is simply bypassed by connecting with a mail client
Communication Encryption
Cryptography and encryption are listed as baseline measures. Your email must use:
- TLS for all exchanges (in transit): TLS 1.2 or higher on client connections (IMAP, SMTP submission, webmail). Note that server-to-server SMTP uses STARTTLS opportunistically by default, so a sender that fails to negotiate TLS usually falls back to plaintext; check that your provider supports MTA-STS or DANE so that delivery to your domain requires TLS
- Encryption at rest on servers, with keys managed separately from the data
- Optionally: end-to-end encryption (S/MIME or OpenPGP) for the most sensitive communications, since TLS only protects each hop, not the mailbox itself
Supply Chain Security
You must assess the security of your direct suppliers and service providers, including your email hosting provider. Questions to ask:
- Where is the data hosted, and under which jurisdiction?
- What security certifications and audit reports can they provide?
- How do they handle incidents, and how quickly will they notify you of one affecting your data? Your own 24-hour early-warning deadline runs from the moment you become aware, so their notification commitment should be written into the contract
- Are they themselves subject to NIS2, and can they document their compliance?
Infomaniak and NIS2
Infomaniak, as a cloud host and digital service provider, is itself subject to NIS2. Its data centers are ISO 27001 certified, its security processes are audited, and the company can provide the attestations needed for your compliance audits.
Action Plan for SMEs
If you're affected by NIS2, here are the key compliance steps.
1. Assess Your Exposure
Are you in a covered sector? Do you exceed the size thresholds? Are you a supplier to an essential entity? This first step determines your obligations.
2. Map Your Systems
Identify your critical information systems: email, ERP, website, customer databases. Assess their current security level.
3. Conduct a Risk Analysis
Identify threats (phishing, ransomware, intrusion), vulnerabilities (weak passwords, unpatched systems), and potential impacts.
4. Implement Technical Measures
- Enforce multi-factor authentication everywhere
- Patch systems promptly and track known vulnerabilities
- Back up regularly, keep an offline or immutable copy, and test restores
- Train users, in particular on phishing
- Secure email: MFA, enforced TLS, spam and phishing filtering
5. Document
Write your security policies, incident management procedures, and business continuity plan. Documentation is essential to demonstrate compliance.
6. Prepare for Notification
Set up an incident detection and notification process. Identify who to contact, how, and within what timeframes.
Conclusion
NIS2 marks a turning point in European cyber regulation. Thousands of businesses that were previously unaffected must now structure their approach to IT security.
While the investment may seem substantial, it's also an opportunity to genuinely strengthen your resilience. A successful cyberattack costs far more than compliance.
Start by securing your foundational building blocks: email, identities, backups. With a trusted hosting provider like Infomaniak, you lay the groundwork for a compliant and secure infrastructure.
Ready to migrate to Infomaniak?
Contact us for a free 15-minute audit. We will analyze your situation and provide you with a personalized quote.
Request a free audit