NIS-2 Directive: 30,000 Companies Must Revise Cybersecurity, EU AI Act Rules
The European Union’s NIS-2 Directive requires approximately 30,000 companies to re-evaluate and strengthen their cybersecurity frameworks, according to a report by Börse Express. The regulation, which expands on the 2016 NIS Directive, mandates stricter compliance measures for businesses across critical sectors, including energy, transport, and digital infrastructure. The update aims to address evolving cyber threats and align with the EU’s broader digital security strategy, including the recently implemented AI Act.
The NIS-2 Directive, formally known as the Network and Information Security Regulation, was adopted in 2022 and becomes fully applicable in 2024. It introduces mandatory cybersecurity risk assessments, incident reporting obligations, and enhanced cooperation mechanisms between member states. The regulation targets not only large enterprises but also smaller businesses that provide essential services, reflecting concerns about systemic vulnerabilities in the digital ecosystem.
What Industries Are Most Affected?
Under NIS-2, companies in sectors deemed “essential” face the most stringent requirements. These include energy providers, water utilities, healthcare institutions, and transport operators. The directive also extends to digital service providers, such as cloud computing firms and online marketplaces, which were previously excluded from the original NIS framework. Börse Express reported that over 30,000 businesses in Germany alone are now subject to these rules, though the exact count varies by member state.

The European Union Agency for Cybersecurity (ENISA) has emphasized that the updated regulation addresses gaps in the 2016 version, particularly in monitoring emerging threats like ransomware and supply chain attacks. “NIS-2 represents a proactive shift toward resilience,” said an ENISA spokesperson. “It ensures that organizations are not only prepared for known risks but also equipped to adapt to future challenges.”
How Does NIS-2 Differ From the Original Directive?
The original NIS Directive, adopted in 2016, focused on ensuring minimum cybersecurity standards for operators of essential services and digital service providers. However, critics argued it lacked enforcement mechanisms and failed to account for the rapid evolution of cyber threats. NIS-2 addresses these shortcomings by introducing binding measures, such as regular audits and mandatory incident reporting within 24 hours of detection.

Additionally, NIS-2 expands the scope of covered entities. While the first directive applied to around 1,000 organizations, the updated version covers over 150,000 businesses across the EU. This expansion reflects the growing reliance on digital infrastructure and the increased risk of cascading failures in interconnected systems. For example, a cyberattack on a cloud service provider could disrupt multiple sectors, from finance to healthcare, prompting the need for more comprehensive oversight.
What Are the Implications for Businesses?
Compliance with NIS-2 requires businesses to invest in cybersecurity infrastructure, staff training, and incident response planning. The European Commission has estimated that the regulation could cost affected companies up to €15 billion in implementation costs, though it also anticipates long-term benefits through reduced cyber incident risks. Smaller businesses, in particular, face challenges in allocating resources for compliance, raising concerns about uneven enforcement across the EU.
“The scale of this regulation is unprecedented,” said a representative from the European Business and Industry Club (BIAC). “While the intent is laudable, the complexity of compliance could strain smaller firms that lack dedicated cybersecurity teams.” To mitigate this, the EU has launched guidance programs and funding initiatives to support businesses in meeting NIS-2 requirements.
How Does NIS-2 Interact With the EU AI Act?
The NIS-2 Directive overlaps with the EU’s AI Act, which regulates the development and deployment of artificial intelligence systems. Both frameworks aim to enhance digital safety but approach the issue from different angles. While NIS-2 focuses on protecting infrastructure from cyber threats, the AI Act addresses risks posed by AI systems,
