EU cyber security regulations

NIS2 Directive

The EU’s new NIS2 Directive is requiring an increasing number of European organizations to systematically prepare for cyber threats. A cyber threat refers to a potential situation, event, or action that could harm or disrupt network and information systems.

The NIS2 enhances organizations' resilience against cyber threats

The main objective of the NIS2 Directive is to strengthen and harmonize the level of cyber security in the critical sectors, which include both the private and public sectors.

Member States must adopt the measures necessary to comply with the NIS2 Directive. Their application begins on October 18, 2024.

We assist you in complying with the requirements of the NIS2 Directive.

Read more about Insta's NIS2 Assessment

NIS2 in brief

The NIS2 Directive, which entered into force in January 2023, replaces the previous NIS1 Directive and sets out harmonized cyber security risk management measures, reporting obligations, and supervisory measures for organizations. Each EU member state must adopt into national legislation the measures necessary to comply with the NIS2 Directive by October 2024. In Finland, the measures will be implemented with a new Act on Cyber Security.

Who does the NIS2 apply to?

The NIS2 Directive expands the scope compared to the preceding NIS1 Directive, broadly covering private and public sector entities. Generally, the NIS2 Directive applies to large and medium-sized organizations operating in the critical sectors defined in the directive. In addition, the directive includes more detailed definitions of covered entities, and within some sectors, small and micro-enterprises also fall within the scope of the directive.

Obligations and Sanctions

The NIS2 Directive includes requirements for the member states and organizations concerned. It obliges organizations to implement technical, operational, and organizational measures to improve cyber security and, among other things, to report significant incidents within 24 hours of becoming aware of them.

Sanctions for non-compliance with obligations can be up to €10 million or 2% of the entity’s annual global turnover, whichever is higher. Nationally, the maximum sanctions may also be set higher than this.

Obligations of the NIS2

Management Responsibility

The organization’s management is responsible for approving and overseeing the implemented cyber security risk management measures. Management can be held liable if the organization fails to comply with the NIS2 Directive. Management must also participate in training on cyber security risks and risk management.

Cyber Security Risk Management Measures

Organizations must implement measures to manage cyber risks posed to the security of the network and information systems they use in their operations and service offerings, as well as to prevent and minimize the impact of incidents. A risk-based approach should be used when assessing the level of risk management measures.


Organizations must give the supervisory authority an early warning of significant incidents within 24 hours of becoming aware of them and provide a more detailed incident notification within 72 hours. Additionally, a final report must be submitted to the authority no later than one month after the incident notification is submitted. If necessary, organizations must also inform the recipients of their services of significant incidents and cyber threats.

How Can Insta Help?

Organizations should start implementing necessary measures now, as the new obligations of the NIS2 Directive must be complied with from October 2024 onwards.

Insta has extensive expertise in cyber security, and we are happy to assist your organization on the path to compliance with the NIS2 requirements. We can assist in determining whether your organization falls within the scope of the new regulation, plan measures to meet the requirements, and participate in implementing those measures.

Our services support compliance with NIS2 requirements

Your organization can get started on complying with the NIS2 Directive with Insta's NIS2 Assessment, in which Insta provides a status of the current cyber security risk management measures and a prioritized list of areas for improvement. Insta also offers a wide range of other services to help organizations meet the obligations of the NIS2 Directive, such as cyber security consultation, crisis and cyber exercises, Secure Development Lifecycle (SDL) service, Insta Safelink VPN solution, and Insta Key Vault service. In addition, Insta's SOC service helps meet requirements by monitoring organizations' IT and OT environments 24/7 and enabling compliance with reporting obligations.

Read more about our cyber security solutions
