NIS 2 Directive: A Guide for Affected Organizations
The EU's NIS 2 Directive requires thousands of organizations across Europe to implement concrete cybersecurity measures. This article explains who is affected, what obligations arise, and how to approach compliance.
What is the NIS 2 Directive?
NIS 2 (Network and Information Security Directive 2) is the revised EU cybersecurity directive that entered into force on 16 January 2023. It replaces the original NIS Directive from 2016 and significantly expands its scope.
The goal is to establish a uniformly high level of cybersecurity across the EU. To achieve this, NIS 2 sets binding minimum requirements for risk management, incident reporting, and technical security measures.
Deadlines and National Implementation
NIS 2 entered into force on 16 January 2023. EU member states were required to transpose the directive into national law by October 2024. Most countries missed this deadline and the European Commission has initiated infringement proceedings against several of them.
Each member state adopts its own national legislation, but the core obligations – the 10 risk management measures, the 24-hour reporting requirement, and management accountability – are defined at EU level and apply uniformly across all member states.
Examples: Germany and Austria
Germany transposed NIS 2 with the NIS2UmsuCG, in force since December 2025. Austria follows with the NISG 2026, expected to apply from October 2026. Both laws reflect the EU minimum requirements without significant additions.
If you are unsure whether NIS 2 has been transposed in your country and when your obligations apply, check with your national cybersecurity authority or legal counsel.
Who does NIS 2 apply to?
NIS 2 distinguishes between two categories of affected entities:
Essential Entities
Large organizations (250+ employees or over €50 million turnover) in highly critical sectors: energy, transport, banking, healthcare, drinking water, digital infrastructure, public administration, and space.
Important Entities
Mid-sized organizations (50+ employees or over €10 million turnover) in additional sectors: postal and courier services, waste management, chemicals, food, manufacturing, digital service providers, and more.
Note: Across the EU, an estimated 160,000 organizations are affected by NIS 2 – a dramatic expansion compared to the original NIS Directive. Many mid-sized companies are not yet aware that they fall within scope.
What obligations arise?
Cybersecurity risk management measures (Art. 21 NIS2)
Affected organizations must implement appropriate technical and organizational measures to manage risks to their network and information systems. Art. 21 NIS2 defines a minimum standard across 10 areas of measures.
Incident reporting obligations (Art. 23 NIS2)
Significant security incidents must be reported to the competent national authority within 24 hours. A detailed report follows within 72 hours.
Personal liability of management
NIS 2 introduces direct management accountability: executives are personally responsible for approving and overseeing the implementation of cybersecurity measures. In the event of violations, personal liability applies – and it cannot be waived by contract.
Art. 21 NIS2: The 10 Measures at a Glance
Art. 21 NIS2 specifies the technical and organizational measures that organizations must implement. Particularly relevant for emergency communication is Measure 9:
Art. 21 (2) lit. j NIS2
"The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate."
This provision is the direct legal basis for deploying an emergency communication system. It explicitly requires secured communication channels that function independently of the regular IT infrastructure.
| Measure under Art. 21 NIS2 | safeREACH contribution |
|---|---|
| 1. Risk analysis & information system security | Incident documentation via audit log |
| 2. Incident handling | Structured alerting process with escalation logic |
| 3. Business continuity | Alerting works independently of internal IT |
| 4. Supply chain security | - |
| 5. Security in acquisition, development and maintenance | - |
| 6. Assessment of cybersecurity risk management effectiveness | Audit log as basis for effectiveness review |
| 7. Basic cyber hygiene and cybersecurity training | - |
| 8. Cryptography and encryption | - |
| 9. Secured emergency communication systems | Core function of safeREACH: secured, independent emergency communication with acknowledgement feature |
| 10. Multi-factor authentication | - |
Note: safeREACH directly addresses 5 of the 10 measure areas. Full NIS 2 compliance additionally requires measures in the areas of cryptography, supply chain security, procurement, cyber hygiene training, and MFA – these fall under other product categories.
Fines and Sanctions
NIS 2 introduces substantial penalties depending on the entity category:
- Essential entities: up to €10 million or 2% of global annual turnover (whichever is higher)
- Important entities: up to €7 million or 1.4% of global annual turnover
- Additionally: personal liability of management for non-compliance
How do organizations implement NIS 2?
A structured implementation typically follows these steps:
- Scope check: verify sector and organization size against NIS 2 criteria
- Gap analysis: which of the 10 Art. 21 measures are already in place, which are not?
- Prioritization: rank measures by risk and implementation effort
- Technical implementation: e.g. deploying an emergency communication system for Measure 9
- Documentation: all measures must be verifiable – for audits and for the 24-hour reporting obligation
- Training: employees and executives must be familiar with the processes
Emergency Communication as a NIS 2 Measure: safeREACH
For implementing Measure 9 – secured emergency communication systems – organizations rely on dedicated alerting systems that operate independently of regular IT infrastructure.
safeREACH is an emergency notification system with defined escalation logic and fallback levels, operating independently of internal IT infrastructure. Acknowledgements from recipients are documented and recorded in a complete audit log. This audit log also serves as the technical documentation basis for the 24-hour reporting obligation under Art. 23 NIS2.
Conclusion
NIS 2 is no longer an abstract EU regulation. Deadlines vary by member state – most countries are now implementing or have already transposed the directive. Across the EU, an estimated 160,000 organizations face concrete obligations, personal liability risks for management, and significant fines for non-compliance.
The first step is checking whether your organization is in scope. The second is an honest gap analysis against the 10 Art. 21 measures. Acting now allows for a structured implementation – waiting risks both regulatory penalties and real security gaps.