Compliance · 6 min read

NIS2 - what staff need to know

NIS2 is more than an IT topic. As an employee you are part of the mandatory measures. Here's what changes for your daily work.

NIS2 in one paragraph

NIS2 (Network and Information Security Directive) is the EU-wide directive making cybersecurity mandatory for important and essential entities. It has applied in member states since October 2024 and covers many more sectors than the old NIS1 - energy, health, banking, telecoms, IT providers, mid-to-large manufacturers, public administration. Switzerland has similar requirements via sector rules and the ISG.

Important: NIS2 makes top management personally accountable. That also means training employees is no longer optional - it is a duty.

01 · Awareness obligation is real

Employees must be trained regularly - not just once. That is what this training exists for.

02 · Notification within 24 hours

An initial report of a significant incident is due within 24 hours to the competent authority. Fast internal reporting is the prerequisite.

03 · Supply chain is part of your security

NIS2 explicitly requires you to address risk from service providers, suppliers and IT vendors. Whoever you integrate, you also integrate their risk.

What does NIS2 mean for your daily work?

Most NIS2 requirements feel familiar because they're what IT security should already do. NIS2 makes them binding:

What you'll notice

  • Regular training: At least yearly, ideally quarterly with phishing simulations.
  • MFA everywhere: Where it isn't on, it gets turned on. Including accounts you consider "unimportant".
  • Clear reporting paths: There's a defined contact for incidents, with an expectation of speed.
  • Asset inventory: What you use is recorded - devices, software, external services. Shadow IT ("tools I found myself") gets phased out.
  • Backup tests: Backups are not only made but also tested for restorability.

What you can do

  1. Report incidents immediately - an hour of delay can put the 24-hour deadline at risk.
  2. Reduce shadow IT - every tool not in IT's inventory is uncovered risk.
  3. Don't work around MFA - "disabled for convenience" is now a compliance violation too.
  4. Take security training seriously - it's the company's duty, not just IT's.

The key measures at a glance

NIS2 requires at least these ten points (Art. 21):

  1. Risk management and security policies
  2. Incident handling
  3. Business continuity & backup
  4. Supply-chain security
  5. Security in procurement, development, maintenance
  6. Effectiveness assessment of measures
  7. Cyber hygiene & awareness training
  8. Use of cryptography
  9. Personnel security, access control, asset management
  10. MFA, secure voice/video/text communication, emergency communication

Point 7 is exactly why you're doing this training.

Notification - the 24/72/30 schema

For a significant incident:

  • 24 hours: Early warning to the national authority
  • 72 hours: Detailed notification with assessment
  • 1 month: Final report

For you as an employee, this means: fast internal reporting is the prerequisite for meeting any of those deadlines.

When internal reporting is mandatory

  • Suspected ransomware or encryption incidents
  • Unauthorized account access
  • Data loss, including suspected or potential loss
  • Extended outages of critical systems
  • Loss of a device with business data

Even if you're not sure it's truly "significant": report. Let others make that call.

Personal liability of leadership - what it means

NIS2 provides that management can be personally liable if security duties are violated. Two consequences for you:

  1. More support for security investments: Management has a genuine interest in security working.
  2. More expectation from employees: Management may rightly expect everyone to take training seriously and follow the rules.

The simple rule

NIS2 is not "an IT thing". It distributes responsibility to every employee. Three reflexes - report, use MFA, no shadow IT - carry most of the load.

Ready to take awareness seriously?

30-minute demo. We'll show you a real phishing campaign, a quarterly report, and the NIS2 mapping - for your industry.