NIS2 Directive – Who Does It Concern and How to Implement It?

Even if you missed our previous blog about the details of the latest in cybersecurity, you may have still heard about the NIS2 directive—especially if you work in an organization that relies heavily on digital technology. But let’s remind ourselves once again: what exactly is this directive, and who needs to pay attention to it?

What is the NIS2 Directive and Why Is It Important?

Let’s recap: NIS2 is a new European directive aimed at enhancing cybersecurity—in other words, ensuring that companies and institutions better protect their IT systems and data. The first version of the directive (NIS1) existed since 2016, but proved insufficient—it covered too few sectors, was applied inconsistently across countries, and had requirements that were not precise enough. That’s why NIS2 is significantly stricter, clearer, and broader in scope.

Who Does NIS2 Actually Concern?

NIS2 does not target only large IT companies. On the contrary, it covers a wide range of sectors and organizations, including:

Key sectors:

Energy (power plants, gas, oil)
Water (water supply, sewage)
Healthcare (hospitals, clinics, laboratories)
Transport (air, rail, road, maritime)
Banking and finance
Digital infrastructure (cloud, data centers, DNS)
Public administration and local government bodies

Important sectors:

Postal services
Manufacturing of certain goods (e.g., electronic equipment)
Waste management
And many others

If you have more than 50 employees or an annual revenue exceeding 10 million euros, it is very likely that you fall under the obligations of the NIS2 directive.

What Is Actually Required?

Organizations covered by the directive will need to:

Conduct risk assessments and identify the most vulnerable parts of their systems
Implement organizational and technical security measures—e.g., backups, network protection, user authentication
Have a clear incident response plan—how to react in case of an attack or system breach
Ensure business continuity—even when things go wrong
Educate employees—because human error is often the weakest link
Verify the security of suppliers and partners—because a chain is only as strong as its weakest link
Report incidents to the competent authorities within 24 hours

For most companies, this will require internal reorganization, investment in IT, and continuous system monitoring.

When Does It Come Into Effect?

EU member states, including Croatia, must transpose this directive into their national legislation by October 2024. This means organizations have a limited time to prepare and comply with the new rules. By February 2025, the Croatian authorities had a deadline to notify organizations of their categorization as key or important entities. After that, organizations have one year to align with the new requirements.

How to Prepare?

If you are responsible for IT, security, or management in your organization, now is the right time to:

Check whether you are covered by the directive
Conduct an analysis of your current security level
Start planning and implementing the necessary measures

If you’re not sure how, hire experts who can help you.

The approach doesn’t have to be complicated— with a good strategy and gradual implementation, your organization can become not only compliant but also more resilient to the increasingly frequent threats from the digital world.

In conclusion, NIS2 may sound technical, but behind it all lies a simple idea—to protect the digital space and the data that are today essential for business and society. If you are responsible for IT, security, or management within your company, now is the right time to start preparing.

Request a free compliance assessment!

Find out today if you are ready for the NIS2 directive—and don’t worry, even if you’re not, we will help you get there.