NIS2 and cybersecurity

What exactly does the NIS2 directive have in store for your company? And who will it apply to and from when on?

Despite many unanswered questions, there is no reason to panic. But: it is definitely a good idea to check the state of cybersecurity in your organization as soon as possible.

NIS2 Cyber security

Cyber security in a nutshell

Cybersecurity affects many companies and is a constant hot topic for the time being

Just as we deal with and respect the principles of safety at work and fire protection, we should expand our knowledge to include the principles of cybersecurity.
Cybersecurity today is no longer just about firewalls and antivirus programs, but also about setting up processes and rules and responding quickly to current threats.

This is not just about IT, but also about the behavior of employees and suppliers, especially in an emergency. So we all have a responsibility for data security, not only in our professional duties but also in our personal lives.

NIS2 - what does that exactly mean ?

= Directive of the European Parliament...

...and of the Council on measures to ensure a high common level of cybersecurity.


NIS2 is intended to provide the foundations of cybersecurity for a broader range of organizations than NIS1 did. This will improve the cybersecurity of EU member states.


  • Strengthening cooperation between the EU and the respective national supervisory authority.
  • Implementation by (economic) actors, depending on industry and size


  • More powers for the supervisory authority, e.g
  • in the form of warnings, measures or audits of organizations
  • Increase in fines for non-compliance

National cybersecurity strategy

  • Adopt a national cybersecurity strategy
  • Expansion of regulated services, i.e. increasing the number of organizations subject to obligations
  • Introducing security measures for regulated services

Does NIS2 affect you?

The requirements of the NIS2 Directive are nothing new in the cybersecurity field. If your organization falls under the Cybersecurity Act or you have an information security management system, the changes will be limited for you.
However, if cybersecurity is new to your organization, then it will take more effort for you to meet the new obligations.

Time frame

Importantly, the NIS2 Directive does not impose any direct obligations on companies themselves. Although NIS2 came into force on January 16, 2023, it states that member states have 21 months to incorporate the requirements of the directive into their local legislation - unlike DORA, for example.

By the end of this period, there should be a change to the cybersecurity law, which will then be implemented by the actors.
It is tempting to conclude that there is still enough time and that cybersecurity is not an issue that needs to be addressed. But the opposite is true.

Responsible organizations deal with this on an ongoing basis and do not wait for new legislation.

NIS2 in Austria

The Cybersecurity Directive is therefore intended to improve resilience and incident response in the public and private sectors in the EU. In Austria, this applies to large “essential” companies in these areas - and therefore also to many of our customers:

  • energy
  • Traffic
  • Banking
  • Financial market
  • Health
  • Drinking water
  • sewage
  • Management of ICT services
  • space

ORBIT conclusion

Unfortunately, cyber incidents are on the rise and no company can guarantee that the next incident will not affect them.

It is therefore important that all security measures, mandatory or not, have one goal: to protect your company's data and business, and therefore your customers.
So take care of cybersecurity now, regardless of legislation - either on your own or with the help of experts. And above all: protect your data, whether on local servers or, even better, in the cloud.

Start your individual journey with ORBIT.