
NIS2: the EU cybersecurity regime for critical and important entities

This article places the regulation in factual context and does not replace legal advice in an individual case. Whether and how NIS2 or the Swiss reporting regime captures a specific organisation depends on the particular constellation and the applicable national law.

Directive (EU) 2022/2555, known as NIS2, is the EU's central legal framework for a high common level of cybersecurity. It obliges certain organisations in critical sectors to manage risk and to report significant security incidents, and it replaces the older NIS1 directive. As EU law, NIS2 does not bind Switzerland directly; a separate Swiss reporting regime applies here regardless.

What it is about

NIS2 is the successor to the first NIS directive from 2016. It pursues the same goal with a markedly broader scope and sharper obligations: a high, common level of cybersecurity across the member states. At its core are three building blocks that run through the entire directive: a defined set of in-scope entities, binding risk-management measures, and a staged obligation to report significant incidents. This page lays out these building blocks factually and explains what they mean for Swiss organisations, without turning an EU directive into Swiss law.

Scope: essential and important entities

NIS2 distinguishes two categories of in-scope organisation. The classification mainly determines the intensity of supervision rather than the protective duties themselves, which are essentially the same for both categories:

  • Essential entities. Organisations in sectors of particularly high criticality, such as energy, transport, banking, health, drinking water, wastewater and digital infrastructure. They are subject to proactive supervision.
  • Important entities. Organisations in further critical sectors, such as postal and courier services, waste management, food, chemicals and digital service providers. They are subject to reactive supervision, that is, a review triggered by cause.

Alongside the sector, size is usually decisive: NIS2 in principle targets medium-sized and large entities in the covered sectors. Micro and small enterprises mostly fall outside it, with exceptions for particularly critical providers. Which organisation falls into which category is decided by the national transposition in each member state, not by the directive alone.

flowchart TD
    A["Organisation in an<br/>EU member state"] --> B{"Sector in the<br/>directive's annex?"}
    B -- "No" --> X["Not in scope of NIS2"]
    B -- "Yes" --> C{"Medium-sized or<br/>large entity?"}
    C -- "No" --> D{"Critical exception?<br/>(e.g. DNS, TLD, trust service)"}
    D -- "No" --> X
    D -- "Yes" --> E
    C -- "Yes" --> E["In scope:<br/>risk management + reporting"]
    E --> F{"Sector of particularly<br/>high criticality?"}
    F -- "Yes" --> G["Essential entity:<br/>proactive supervision"]
    F -- "No" --> H["Important entity:<br/>reactive supervision"]

The decision tree maps the usual order of assessment: first the sector, then size with the exceptions for particularly critical providers, finally the assignment to essential or important entity. The precise boundary follows from the directive text and the national transposition; the tree is a reading aid.

The obligations: risk management and reporting

The same two blocks of duties apply at their core to both categories.

Risk-management measures. In-scope entities must take appropriate and proportionate technical and organisational measures to manage the risks to their network and information systems. The directive sets out a minimum catalogue for this, covering among other things risk analysis and security policies, incident handling, business continuity and recovery, supply-chain security, access control, cryptography, and policies to assess effectiveness. This catalogue largely overlaps with what a management system per ISO 27001 delivers; an existing ISO 27001 certification does not automatically satisfy the NIS2 obligations, but it provides much of the necessary foundation. The technical implementation, from network segmentation to detection, is described by the Security Strategy.

Reporting obligation for significant incidents. NIS2 requires staged reporting of significant security incidents to the competent national authority or the CSIRT. The directive itself sets the staged cadence in Article 23: an initial early warning within 24 hours of becoming aware of the incident, a more detailed incident notification within 72 hours, and a final report within one month. National transposition adds the thresholds and procedural detail. How an organisation detects, classifies and handles such an incident in the first place is covered by Incident Response.

One feature of NIS2 compared with the predecessor directive is the explicit responsibility of management bodies: senior management must approve the risk-management measures, oversee their implementation and can be held accountable for breaches. Cybersecurity thus becomes explicitly a leadership task, not a purely IT matter.

National transposition

NIS2 is a directive, not directly applicable law. It takes effect only through transposition into the national law of the member states. The directive set a transposition deadline of 17 October 2024 for this; from 18 October 2024 the old NIS1 directive was repealed. In practice transposition proceeded at different speeds across the member states, so the applicable detail depends on the respective national law, not on the directive text alone. Anyone needing the exact scope of duties for a particular location must therefore look at the national transposing act.

NIS2 also does not stand alone. For the financial sector, the more specific regulation DORA displaces the general NIS2 obligations within its scope (lex specialis), and for products with digital elements the upcoming Cyber Resilience Act complements the manufacturer perspective. These sister regulations are covered in their own articles; in relation to NIS2 what matters most is that they delimit themselves by the principle of the more specific norm rather than contradicting one another.

What the obligation means for an organisation

For most Swiss organisations, NIS2 first acts as a market requirement rather than a direct legal duty: most often it reaches in contractually, as part of the supply chain of an in-scope EU entity that obliges its suppliers to an equivalent security level. Precision matters here, because Switzerland is neither an EU nor an EEA member: NIS2 is EU law and does not apply directly in Switzerland. Nor does a direct NIS2 duty arise simply because a service is delivered in the EU; whether a third-country provider is captured directly depends on the national transposition of the member state concerned and on the directive's jurisdiction rules for specific cross-border digital and service categories.

Strictly separate from this is Switzerland's own reporting regime. With the amendment to the Information Security Act (ISG), since 1 April 2025 a statutory obligation has applied in Switzerland to report cyberattacks on critical infrastructure. Operators of critical infrastructure, for example in energy and drinking-water supply or transport, must report a cyberattack to the Federal Office for Cybersecurity (BACS, formerly NCSC) within 24 hours of discovery. The sanction provisions of the ISG have been in force since 1 October 2025. This regime is independent of NIS2: same thrust, its own legal basis, its own deadlines. Deliberately steering data flows and systems onto sovereign infrastructure simplifies both sides at once.

Related topics

  • ISO 27001: the management system that carries most of the NIS2 measures catalogue.
  • Security Strategy: the technical implementation of the risk-management measures.
  • Incident Response: detecting and handling the reportable incidents.
  • DORA: the more specific regulation for the financial sector.
  • Standards: the standards hub with ISO 27001, EU AI Act and more.
