The European Union’s new Network and Information Security Directive, known as NIS2, has officially taken effect, introducing stricter cybersecurity obligations for thousands of organisations across the bloc.
Adopted in 2022 and transposed into national law by October 2024, NIS2 expands the scope of its predecessor to cover more industries and impose tougher rules on both “essential” and “important” entities. The goal is to strengthen Europe’s digital resilience amid a rising tide of cyberattacks.
Wider scope, higher standards
The directive applies to sectors including energy, transport, health, public administration, ICT, postal and courier services, and waste management. Many medium-sized and large firms now fall under the rules, regardless of whether they were previously regulated.
Organisations must adopt comprehensive risk-management measures, such as multifactor authentication, encryption, backup systems, and supply chain security. Senior management is directly accountable for compliance, with possible personal liability in the event of failures.
Companies are also required to report significant incidents to national authorities within strict deadlines.
Compliance, not certification
Unlike ISO standards, NIS2 does not offer a single EU-wide certificate of compliance. Instead, organisations must demonstrate adherence through documentation, internal policies, or, in some jurisdictions, independent audits.
The European Union Agency for Cybersecurity (ENISA) has issued guidance, but member states have leeway in enforcement. Sanctions for non-compliance range from heavy fines to operational restrictions.
Spotlight on managed print services
The directive’s emphasis on supply chain security is drawing attention to Managed Print Services (MPS).
Printers and multifunction devices, often overlooked in cybersecurity planning, are increasingly connected to corporate networks and can store sensitive information. Experts warn they could become entry points for attackers if left unsecured.
Service providers managing fleets of these devices may now face tougher obligations, including stricter security controls, patch management, encryption, and incident reporting. Clients are expected to demand evidence of compliance from their MPS vendors.
Challenges ahead
Despite the October 2024 deadline, many organisations are still racing to comply, hampered by legacy systems, fragmented supply chains, and uneven guidance from national regulators. The differing national implementations of NIS2 could complicate compliance for cross-border operations.
Still, analysts say the directive marks a clear shift: cybersecurity is now a legal requirement, not just a best practice. For sectors ranging from healthcare to managed print services, the NIS2 era has begun — and with it, a new level of accountability.