
Compliance
Nora Grace Training Camp
9 min read

NIS2 Is Live: What American Companies Operating in Europe Must Do


The European Union's NIS2 Directive (Directive (EU) 2022/2555) has applied across the bloc since October 18, 2024, and if your American company provides services in Europe, you can't ignore it. This isn't just another compliance checkbox. It's the most sweeping cybersecurity regulation the EU has enacted, expanding coverage from roughly 1,000 entities under the original NIS directive to an estimated 100,000 or more organizations. The penalties for noncompliance reach up to 10 million euros or 2% of global annual turnover, whichever is higher.

Living and working across Europe, I've watched organizations scramble to understand whether NIS2 applies to them and what exactly they need to do about it. The confusion is understandable. Each EU member state is transposing the directive into national law slightly differently, and as of mid 2025, some countries still haven't finished that process. But waiting for perfect clarity isn't an option. The directive is active, enforcement is coming, and American companies with European operations need to act now.

NIS2 applies to organizations that provide services or carry out activities in the EU within one of the covered sectors, regardless of where the parent company is headquartered. If you're an American company operating in European markets, you are potentially in scope.

Does NIS2 Apply to Your Organization?

Three criteria determine whether NIS2 applies to you. First, location of service: you provide services or carry out activities within any EU member state. This applies regardless of whether your company is headquartered in the US. Second, size: your organization meets the EU definition of a medium-sized or larger enterprise, meaning 50 or more employees, or annual turnover or balance sheet total above 10 million euros. Third, sector: you operate in one of the 18 sectors the directive covers (11 in Annex I, 7 in Annex II).

If you meet all three criteria, you're in scope. But there's a catch. Some entities are in scope regardless of size: providers of public electronic communications networks or services, trust service providers, top-level domain registries and DNS service providers, and certain public administration entities. Beyond that, member states can designate smaller entities as subject to NIS2 if they are the sole provider of a service essential to critical societal or economic activities, or if disruption of their services could significantly affect public safety, public security, or public health. Some countries are interpreting the directive more broadly than others. Germany, for instance, has historically taken an expansive view of cybersecurity regulation.

Here's the critical point for American companies: under Article 26, if you're not established in the EU but offer certain digital services within the EU (DNS services, TLD registries, domain name registration services, cloud computing, data centre services, content delivery networks, managed service or managed security service providers, online marketplaces, search engines, or social networking platforms), you must designate a representative in one of the member states where you offer those services. That representative becomes your point of contact for regulatory authorities, and the entity is treated as falling under the jurisdiction of the member state where the representative is established. If you fail to designate a representative, any member state where you provide services can take enforcement action directly against you. Companies in other sectors are regulated through the member state where they are established, which in practice means through their EU subsidiaries.

The 18 Sectors Covered by NIS2

NIS2 divides covered organizations into two categories: essential entities and important entities. Broadly, large entities (250 or more employees, or turnover above 50 million euros) in the sectors of high criticality (Annex I) are essential; medium-sized Annex I entities and entities in the other critical sectors (Annex II) are important, with some exceptions such as DNS providers, TLD registries and trust service providers, which are essential regardless of size. Both categories face the same cybersecurity requirements, but essential entities face proactive supervision and higher penalties, while important entities are supervised reactively, after evidence of noncompliance.

🔒 Sectors of High Criticality (Annex I, Essential Entities)

Energy: electricity, district heating and cooling, oil, gas, hydrogen supply, EV charging infrastructure
Transport: air, rail, water, and road transport, including airlines, ports, and traffic management
Healthcare: hospitals, clinics, pharmaceutical manufacturers, medical device makers, reference laboratories
Digital infrastructure: cloud providers, data centers, DNS services, CDNs, trust service providers, telecom networks
Also included: banking, financial market infrastructure, drinking water, wastewater, ICT service management (MSPs and MSSPs), public administration, space

Other Critical Sectors (Annex II, Important Entities)

Postal and courier services (national postal services, large courier companies)
Waste management (collection, treatment, disposal)
Chemical manufacturing (production and distribution)
Food production (processing plants, major distributors)
Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
Digital providers (online marketplaces, search engines, social networking platforms)
Research organizations (universities, research institutions)

American tech companies take note: if you operate cloud services, data centers, or managed security services for European customers, you're almost certainly in scope. The same applies to American pharmaceutical companies, medical device manufacturers, and any manufacturing operation with a significant European presence.

The 10 Mandatory Security Measures

NIS2 doesn't leave security requirements vague. Article 21(2) of the directive specifies ten minimum measures that all covered organizations must implement. These requirements follow an all-hazards approach, meaning you need to address both digital and physical threats to your network and information systems, and the measures must be proportionate to the risk, the size of the entity, and the likelihood and severity of incidents.

Requirement: What It Means

Risk analysis and policies: documented information system security policies based on systematic risk assessment
Incident handling: procedures for detecting, managing, and reporting security incidents
Business continuity: backup management, disaster recovery, and crisis management procedures
Supply chain security: security requirements for direct suppliers and service providers in your supply chain
Network and system security: security in the acquisition, development, and maintenance of systems, including vulnerability handling and disclosure
Effectiveness assessment: policies and procedures to evaluate the effectiveness of security measures
Cyber hygiene and training: basic security practices and security awareness training for all staff
Cryptography: policies and procedures on the use of cryptography and, where appropriate, encryption
Access control: human resources security, access control policies, and asset management
Multi-factor authentication: MFA or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate

If you're familiar with frameworks like ISO 27001, you'll recognize many of these requirements. Commonly cited mappings estimate that ISO 27001 covers roughly 70% of NIS2 requirements, which is a good starting point but not sufficient on its own. The gaps primarily involve the mandatory incident reporting timelines, the explicit management accountability and training obligations, and the expanded supply chain security requirements.

Incident Reporting Requirements

NIS2 imposes strict incident reporting timelines that differ significantly from what American companies may be used to under US regulations. A significant incident is one that has caused or is capable of causing severe operational disruption or financial loss for the entity, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. When a significant incident occurs, the clock starts when you become aware of it, and you have three mandatory reporting windows:

Within 24 hours of becoming aware: Submit an early warning to the relevant national authority (the CSIRT or competent authority, depending on the member state). This initial notification must indicate whether the incident is suspected to be caused by unlawful or malicious activity and whether it could have cross-border impact. You don't need complete information yet, just enough to flag the situation.

Within 72 hours of becoming aware: Provide a more detailed incident notification that updates the early warning and includes an initial assessment of severity, impact, and indicators of compromise where available. This timeline aligns with GDPR breach notification requirements, so organizations already compliant with GDPR have some process infrastructure to build on. The authority can also request intermediate status updates while the incident is ongoing.

Within one month of the 72-hour notification: Submit a final report with a detailed description of the incident, including its severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and ongoing, and cross-border impact if any. If the incident is still ongoing at that point, you submit a progress report instead and the final report within one month of handling the incident. This comprehensive report becomes part of the regulatory record. Where relevant, you must also inform the recipients of your services about the incident and about measures they can take in response.

From my consulting work, the 24 hour window is what catches organizations off guard. Most incident response plans assume you have days to assess a situation before external notification. NIS2 requires you to notify authorities while you're still figuring out what happened. Build this into your incident response procedures now, before you need them.

Management Liability: The Part That Gets Attention

NIS2 introduces something American executives need to take seriously: personal liability for management bodies. Article 20 states that management bodies must approve and oversee the implementation of cybersecurity risk management measures, and that they can be held liable for infringements. If your organization fails to comply, individual executives can be held accountable under national law.

The directive also mandates that members of management bodies undergo cybersecurity training and encourages entities to offer similar training to employees on a regular basis. This isn't a suggestion. It's a compliance requirement. Organizations need documented evidence that their leadership understands cybersecurity risks and that staff receive appropriate awareness training.

For essential entities found in violation, national authorities can, as a last resort and after other enforcement steps have failed, temporarily prohibit the CEO or legal representative from exercising managerial functions in that entity. That's a significant escalation beyond financial penalties and something that should focus attention at the board level.

Penalties for Noncompliance

The financial penalties under NIS2 are substantial and vary based on entity classification:

Essential entities: Up to 10 million euros or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher.

Important entities: Up to 7 million euros or 1.4% of total worldwide annual turnover, whichever is higher.

Beyond fines, national authorities can issue binding instructions, order the organization to inform its customers of the noncompliance, and, for essential entities, temporarily suspend a certification or authorization covering the relevant services. For American companies, this could mean losing the ability to operate in European markets until compliance issues are resolved.

Your Action Plan for NIS2 Compliance

If you've determined that NIS2 applies to your organization, here's what you need to do:

Designate an EU representative if you're not established in the EU and you fall into one of the digital service categories covered by Article 26 (DNS, TLD registries, domain registration, cloud, data centre, CDN, MSP/MSSP, online marketplaces, search engines, social networks). This representative will be your contact point for national authorities and must be located in a member state where you offer those services.

Conduct a gap analysis comparing your current security posture against the ten mandatory measures. If you already maintain ISO 27001 certification, you have a head start, but you'll still have gaps to address around incident reporting, management accountability, and supply chain requirements.

Update incident response procedures to accommodate the 24 hour early warning requirement. Define what counts as a significant incident for your organization, identify who has authority to notify regulators, and ensure they can act quickly, including outside business hours, when needed.

Assess your supply chain and implement security requirements for suppliers. NIS2 makes you responsible for ensuring your suppliers and service providers meet appropriate security standards.

Train your executives on cybersecurity risks and their responsibilities under NIS2. Document this training as evidence of compliance.

Register with national authorities in the member states where you operate. For the digital service categories listed under Article 27 (DNS, TLD registries, domain registration, cloud, data centre, CDN, MSP/MSSP, online marketplaces, search engines, social networks), the deadline to submit your details was January 17, 2025; for other entities, the registration procedure and deadline are set by each member state's transposing law. Either way, late registration is better than no registration.

Monitor member state variations. Each EU country is transposing NIS2 into national law with slight variations, and the transposition deadline of October 17, 2024 was missed by many of them. Belgium, Italy, and several others completed transposition early; Germany's implementing law was still pending as of mid 2025. If you operate in multiple EU countries, you may need to track requirements across several jurisdictions. For the digital service categories, Commission Implementing Regulation (EU) 2024/2690 already specifies the technical requirements for the ten measures and the thresholds that make an incident significant, so those companies have a concrete EU-level baseline to work from.

Key Dates to Remember

October 17, 2024: Deadline for member states to transpose NIS2 into national law. From October 18, 2024, the national measures apply and NIS1 is repealed. Organizations should already be working toward compliance.

January 17, 2025: Deadline for the Article 27 digital service categories to submit their registration details to national authorities, which forward them to ENISA's registry.

April 17, 2025: Member states required to deliver lists of essential and important entities to the European Commission.

No EU-level grace period: the directive sets no later compliance date, so the obligations apply from October 18, 2024. Any transition period comes from the national transposing law of the member state concerned, and those vary.

October 17, 2027: First review of the functioning of NIS2 by the European Commission, repeated every 36 months thereafter.

🎯 The Bottom Line for American Companies

NIS2 represents the most significant cybersecurity compliance requirement for organizations operating in Europe. If your American company provides services in EU member states, crosses the size thresholds, and operates in a covered sector, you are in scope. The penalties are substantial, management liability is real, and enforcement is coming. Don't wait for perfect clarity across all 27 member states. The core requirements are clear, the directive is active, and the time to build your compliance program is now. Organizations that treat this as just another checkbox exercise will struggle. Those that use NIS2 as a catalyst to genuinely strengthen their security posture will find the investment pays dividends beyond compliance.