The EU's New Cybersecurity Law Is Coming — Here's What It Means for US Companies
The EU's NIS2 cybersecurity directive takes effect this year. Even US companies with EU customers are affected.
The European Union's Network and Information Security Directive 2 takes effect this year, and it affects more companies than you might think. Even if you are a US company, if you have EU customers, process EU data, or are part of the supply chain for EU-regulated companies, NIS2 applies to you.
What NIS2 Actually Requires
NIS2 expands the scope of cybersecurity regulations significantly. The original NIS directive covered critical infrastructure like energy, transport, and banking. NIS2 adds healthcare, manufacturing, food production, waste management, and digital infrastructure providers. If you are in any of these sectors and serve EU customers, you need to pay attention.
The directive requires organizations to implement appropriate technical and organizational measures to manage cybersecurity risks. This sounds vague, but the specifics are coming through national implementations. Each EU member state is translating NIS2 into local law, and the details matter.
Incident reporting is a major requirement. Organizations must report significant incidents to national authorities within 24-72 hours. The exact timeline depends on the severity and type of incident. This is much faster than many organizations are used to.
Supply chain security is another focus. If you provide services to regulated entities, they will be asking about your security practices. NIS2 makes regulated companies responsible for their supply chain security, which means they will pass requirements down to you.
Does This Apply to You?
Ask three questions. Do you have EU customers? Do you process EU personal data? Are you a supplier to EU-regulated companies? If you answered yes to any of these, NIS2 likely affects you.
The extraterritorial reach is intentional. The EU wants to ensure that anyone handling EU data or serving EU customers meets its security standards. The geographic location of your headquarters does not matter. What matters is whether you touch EU systems or data.
What You Should Do
Understand incident reporting. NIS2 requires reporting significant incidents quickly. Do you have a process for identifying incidents, assessing their significance, and reporting them within the required timeframe? If not, build one now.
Document your security measures. NIS2 requires appropriate technical and organizational measures. Document what you have: network segmentation, access controls, encryption, monitoring, backups. Know your security posture so you can demonstrate compliance.
Review your supply chain. If you use third-party services, understand their security practices. NIS2 makes you responsible for your supply chain. If a vendor is compromised, you may need to report it.
Talk to legal counsel. NIS2 compliance is complex. The interaction between EU directives, national implementations, and existing regulations like GDPR creates a complicated landscape. Professional advice is worth the cost.
The Bottom Line
NIS2 represents a significant expansion of cybersecurity regulation. The EU is serious about improving security across critical sectors. Non-compliance can result in substantial fines and exclusion from EU markets.
If you do business in Europe, start preparing now. The directive is already in effect, with full enforcement ramping up. Do not wait for a regulator to ask questions. Get ahead of it.