NIS2 Compliance Guide

NIS2 (Directive EU 2022/2555) is the European Union’s flagship cybersecurity law, in force since 17 October 2024, replacing the original 2016 NIS Directive. It dramatically widens the scope of who must meet baseline cybersecurity obligations, raises the bar on incident reporting, and makes senior management personally accountable. If your organization operates in the EU, sells to EU customers, or sits in the supply chain of a covered entity, NIS2 likely reaches you — including many Israeli companies.

Who must comply

NIS2 covers 18 critical sectors and distinguishes “essential” entities (such as energy, transport, banking, health, water, and digital infrastructure) from “important” entities (including manufacturing, food, waste, and digital providers). As a rule of thumb, medium and large organizations — roughly those above 50 employees and EUR 10 million in revenue in covered sectors — are in scope. Crucially, the supply-chain provisions mean even non-EU vendors can be pulled in contractually by their EU customers.

The core obligations

Article 21 sets out ten minimum risk-management measures, including risk analysis, incident handling, business continuity, supply-chain security, access control, encryption, and multi-factor authentication. Article 23 sets a strict reporting timeline — an early warning within 24 hours of becoming aware of a significant incident, a fuller notification within 72 hours, and a final report within one month. Article 20 makes management bodies directly responsible for approving and overseeing these measures, with personal liability that can include temporary bans from management functions.

Deadlines and penalties

Enforcement is now live. Most in-scope entities were expected to register on national portals in early 2026, with the first formal compliance audit targeted for 30 June 2026. Penalties are GDPR-scale: up to EUR 10 million or 2% of global turnover for essential entities, and EUR 7 million or 1.4% for important entities.

The ISO 27001 shortcut

Much of NIS2 overlaps with ISO 27001, so organizations pursuing both at once save significant effort, and an existing certification demonstrates maturity to regulators. Persist Security helps organizations close NIS2 gaps through our governance, risk and compliance (GRC) service, supported by security assessments and a managed SOC that satisfies the monitoring and reporting requirements. Contact us for a NIS2 readiness review.

פז שורץ

CEO, Persist Security