The NIS2 Directive aims to strengthen and harmonize cybersecurity across the EU. For private-sector organizations, it removes the old distinction between Digital Service Providers and Operators of Essential Services.
Entities are now classified as “essential” or “important” based on factors such as size, sector, and societal impact. This new classification reflects each entity’s role in maintaining the resilience of critical infrastructure and services.
Here’s the key update you might have missed:
While NIS2 generally avoids sector-specific requirements, it requires the European Commission to adopt implementing acts that set out specific requirements for certain digital services. In October 2024, the European Commission published an implementing act that:
- Focuses on incident reporting (Article 23)
- Includes a 28-page Annex detailing mandatory cybersecurity risk-management measures (Article 21)
The act provides much more precision on how NIS2 compliance must be achieved. This leaves less room for interpretation and sets a higher bar for compliance.
Why this matters to Digital Service Providers
The implementing act introduces a sector-specific prescriptive layer within NIS2’s risk-based framework. Unlike the directive, it is directly applicable in all EU Member States – no national transposition required. The new rules for Digital Service Providers are already in force. With NIS2 now transposed in several Member States, this is the perfect time to reassess your compliance posture.
Ready to take the next step?
Compliance starts with clarity. We can help you answer three critical questions:
✅ Where are you now?
✅ How far are you from compliance?
✅ What do you need to do to get there?
Once the path is clear, we work with you to turn plans into action. We support your organization in implementing the roadmap and driving the changes needed to meet NIS2 requirements with confidence.
Don’t wait until compliance becomes a risk. Schedule a call with our experts and find out where you stand!
