NIS2 in plain English: who is in scope and by when
The updated Network and Information Security Directive widens the net considerably. A quick orientation on whether it applies to you and what it expects.
Written by
Eleanor Voss
Governance & Compliance Lead
NIS2 is the European Union's updated cybersecurity directive, and its headline change is scope. Where the original NIS Directive covered a relatively narrow set of operators, NIS2 pulls in many more sectors and, crucially, more mid-sized organisations that previously sat outside this kind of regulation entirely.
Are you in scope?
NIS2 distinguishes between essential and important entities across sectors including energy, transport, banking, health, digital infrastructure, public administration, manufacturing, food, and digital providers. As a rough guide, medium and large organisations in these sectors are likely to be covered. If you are a mid-market business in one of these areas and you assumed cybersecurity regulation was a big-company problem, that assumption is worth revisiting.
What it expects
The obligations centre on risk management measures, incident reporting within defined timeframes, and genuine accountability at management level, with the possibility of significant penalties for non-compliance. The practical work overlaps heavily with good security hygiene: know your risks, protect against them, detect incidents, and have a tested plan to respond and recover.
If NIS2 might apply to you, the sensible first step is a scoping assessment so you know your status and your gaps. Bebco can help you establish both.
Keep reading
More from Bebco Insights
Let's pressure-test your IT
Book a free, no-obligation assessment. We'll review your infrastructure, flag the risks, and show you exactly where Bebco would make a difference.