The European Union’s NIS 2 Directive (EU 2022/2555) marks a pivotal shift in cybersecurity governance, expanding regulatory obligations to a broader range of sectors and strengthening enforcement mechanisms to address modern cyber threats. The directive, which member states were required to transpose into national law by October 2024, imposes mandatory cybersecurity risk management and incident reporting obligations on both “essential” and “important” entities. These entities span high-criticality sectors such as energy, transport, banking, and public administration, as well as critical services such as digital infrastructure, cloud computing, and postal services. Notably, NIS 2 broadens the scope beyond traditional infrastructure providers to include organizations that play a less central but still vital role in digital ecosystems [1].
The directive mandates that companies implement robust cybersecurity frameworks, including risk assessments, technical safeguards, and business continuity plans. It also introduces new requirements for supply chain security, emphasizing the need for thorough risk assessments of third-party vendors. Entities are expected to maintain formal vulnerability management…