The NIS2 Directive is here. What now?

News 13/2/2025

This article will guide you on how to prepare your organization for the NIS2 directive.

On February 6th, the Portuguese Council of Ministers approved the draft law for the new cybersecurity framework, known as NIS2. This EU directive aims to strengthen Member States’ public cybersecurity policies by:

  • Enhancing the resilience and robustness of IT systems in businesses and public entities;
  • Increasing regulatory oversight of cybersecurity policies;
  • Expanding corporate and institutional obligations regarding the protection of their operations, databases, and systems.

This is a period of significant uncertainty for businesses in Portugal and across the EU. Companies must quickly and precisely comply with new requirements to avoid falling behind or facing penalties.

It is therefore essential to clearly define what NIS2 entails, its scope of application, its key obligations, and the consequences of non-compliance.

Who is affected by NIS2?

Compared to the original NIS Directive adopted in 2016, NIS2 broadens its scope to cover a greater number of organisations.

Under the new framework, entities are required to comply with cybersecurity regulations, particularly if they operate in sectors deemed critical to society and the economy.

Organisations subject to NIS2 are divided into two categories:

Essential Sectors, industries where disruption could have severe consequences for public safety and societal stability, including:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, maritime, road)
  • Healthcare (hospitals, healthcare providers, essential medicine manufacturers)
  • Water supply and distribution
  • Wastewater management
  • Digital infrastructure (DNS providers, data centres, trust services)
  • Public administration (government bodies and critical public services)
  • Space sector (satellite operators and critical space infrastructure)

Important Sectors, industries which, while not as critical as the Essential Sectors, are still vital for economic stability and digital security:

  • Postal and courier services
  • Food industry (production, processing, and distribution)
  • Chemical production, manufacturing, and distribution
  • Manufacturing (medical devices, electronics, machinery, automotive, etc.)
  • Digital services (online platforms, search engines, cloud computing)
  • Financial sector (banks, financial markets, insurance)

Is your organisation affected by NIS2?

Your organisation falls under the scope of NIS2 if:

  • It has 250 or more employees and/or an annual turnover exceeding €50 million;
  • It operates in an Essential or Important Sector and its activity is considered critical for society or national security, regardless of its size;
  • It provides services within the EU, even if headquartered outside the EU;
  • It is a small or medium-sized enterprise (SME) playing a key role in the supply chain of critical infrastructure.

This strict regulatory approach ensures that entities with the highest impact on digital security and essential services in Portugal comply with cybersecurity requirements.

What are your organisation’s obligations under NIS2?

If your organisation falls under NIS2, it must report significant cybersecurity incidents to the National Cybersecurity Centre (CNCS) in stages:

  • Within 24 hours: An initial notification must be submitted, including a preliminary impact assessment.
  • Within 72 hours: A detailed report must be provided, outlining the cause, consequences, and mitigation measures taken.
  • Within one month: If the incident had a significant impact, a final report may be required to ensure proper follow-up and corrective actions.

However, compliance with NIS2 goes beyond incident reporting. Organisations must also implement robust technical, organisational, and operational measures to meet the highest cybersecurity standards.

This means:

  • Investing in effective risk management policies to prevent and mitigate threats;
  • Deploying preventive security measures to reinforce system protection;
  • Establishing incident response protocols for rapid and effective reactions;
  • Implementing business continuity strategies to minimise the impact of cyberattacks.

What are the penalties for non-compliance?

The new cybersecurity framework introduces stricter penalties than its predecessor. These include:

  • Non-Monetary Corrective Measures, such as compliance orders, binding instructions, mandatory security audits, and customer notification requirements.
  • Administrative Fines, with clear distinctions between sectors:
    • Up to €10 million or 2% of global annual turnover for Essential Sector entities.
    • Up to €7 million or 1.4% of global annual turnover for Important Sector entities.
  • Criminal Sanctions for Management, which hold company executives personally accountable for cybersecurity failings.

With this new regulatory framework, authorities in EU Member States can impose public disclosures of non-compliance, issue official statements naming responsible individuals, and even temporarily ban executives from holding management positions in cases of repeated violations.

Timestamp: Your Trusted NIS2 Compliance Partner

NIS2 compliance is not just a legal requirement – it’s an opportunity to enhance your organisation’s cybersecurity.

At Timestamp, we bring over 20 years of cybersecurity expertise, a team of 50+ senior specialists, and top-tier technology partnerships to ensure a secure and seamless digital transformation.

Our proven methodology integrates NIS2 requirements with best industry practices, guaranteeing a smooth and comprehensive transition to the new cybersecurity paradigm.

Learn how Timestamp can support your organisation: https://www.timestampgroup.com/en/offer/privacy-and-digital-security-en
