NIS 2 Directive: A comprehensive guide for SMEs to strengthen their Cybersecurity

4 min
July 1, 2024

To tackle the cybercrime affecting the whole of Europe, To tackle the cybercrime affecting the whole of Europe, ENISA - the European Union's cybersecurity agency, has rolled out the NIS (Network and Information Security) Directive.

Published in 2013, the first NIS Directive aimed to develop - on a European scale - a cybersecurity strategy common to member states in order to prevent and react to cyberattacks.

Voted in 2022, the NIS 2 Directive, the second component of this regulation, now establishes a regulatory framework for States. They must comply with the directive in order to increase the European Union's level of cybersecurity.

In France, it is the ANSSI that oversees its transposition into national law.

In this article, you'll find out more about the NIS 2 directive, including its objectives, its transposition for SMEs, and how Bastion can help you ensure compliance.

NIS 2 : Presentation

Objectives and key points of the directive


The main objective of the NIS 2 Directive is to ensure a high common level of cybersecurity in the European Union, and to increase the current level of cybersecurity.

To achieve this, the European Union is now requiring its member states to strengthen their national cybersecurity by incorporating risk management measures in critical sectors into national law. Each member state is required to draw up a national cybersecurity strategy.

The NIS 2 directive also lays down rules for cooperation and information sharing between member states in the field of digital technology and cybersecurity.

Key points

The NIS 2 Directive is structured around 4 axes:

  1. Strengthening national cybersecurity capabilities.
  2. Establishing a framework for voluntary cooperation between EU member states.
  3. The reinforcement by each state of the cybersecurity of "essential service operators".
  4. The obligation for operators to notify incidents affecting the continuity of their essential services.

In addition, the NIS 2 directive applies to eighteen high-critical sectors, including :

  • Transport
  • energy
  • healthcare
  • Digital, banking and financial infrastructures
  • Research organizations

And many more.

For the full list, click here

When will the NIS 2 directive take effect?

As a directive, it is up to each state to adopt its own national strategy for achieving a high level of cybersecurity. It is therefore up to member states to set their own agenda with regard to the NIS 2 directive.

Nevertheless, the directive must be transposed into national law and apply from October 18, 2024 at the latest.

Am I affected by NIS 2?

Take the test! ANSSI has set up a quick questionnaire to determine whether your entity is subject to the NIS 2 directive.

Find out more: here

According to ANSSI, any company operating in a sector defined as "critical" by the European Union and meeting the size criteria will be affected by the NIS 2 directive.

Furthermore, one of the key aspects of the NIS 2 directive is the control of suppliers. While many companies are not directly affected by NIS2, they will have to implement similar security measures via their customers.

Focus on SMEs

The directive and its transposition for small and medium-sized enterprises (SMEs)

To enhance the resilience of French businesses in the face of cyberthreats, the NIS 2 Directive requires companies to comply with regulatory requirements and risk management standards in order to continue operating.

More concretely, VSEs and SMEs will be obliged, for example, to :

  • notify security incidents to the relevant authorities,
  • implement enhanced security measures to protect their information systems,
  • raise their employees' awareness of cybersecurity.

How SMEs can best prepare and stand out from the crowd

To stay one step ahead of the NIS 2 directive and prepare for it in the best possible way, it is the duty of SMEs to upgrade their cybersecurity to be able to protect themselves sustainably against cyberthreats.

In addition to understanding the requirements of the NIS 2 directive, SMEs can adopt comprehensive cybersecurity solutions to comply as quickly as possible and avoid being penalized.

Conclusion - Bastion helps your SME to comply with the NIS 2 directive.

With the national transposition of the NIS 2 directive, many SMBs need to upgrade their cybersecurity to remain compliant.

By October 2024, it is likely that your SME will have to comply with national regulatory requirements, at the risk of no longer being able to do business. Bastion is here to support you every step of the way, looking after your cybersecurity.

We carry out a subsidized initial audit to assess your cybersecurity posture, then support you in implementing a plan to improve your online security to comply with the NIS 2 directive.

I would like Bastion to help me comply with the NIS 2 directive

From securing work environments to training your staff, put your company's security on auto-pilot with Bastion and concentrate on your core business with complete peace of mind.

And it's French!

Discover our latest articles

Start with a

free cyber audit

Evaluate your cyber posture with a cyber assessment received within 24 hours.

Get a Free Audit

Security Score

Your risk level is critical


Phishing risk

Security of your email accounts


Data leaks

Compromised data on the internet


Web vulnerabilities

Risks associated with websites and web applications


By clicking “Accept”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.