The NIS2 Directive introduces new, stricter cybersecurity rules across the EU. It expands ENISA's role, tightens incident-reporting deadlines, and covers government, businesses, and providers of critical services, including domain infrastructure. Penalties are intended to be comparable to those under GDPR, so it pays to prepare early.
What is NIS2 and who it applies to
NIS1 is implemented here through the Cybersecurity Act; NIS2 is already in force at the EU level and awaits full national transposition. The practical setup will be handled by the national authority, with details still to be finalized. Jurisdiction, as under GDPR, will be tied to the place of establishment and to the provision of services in the EU.
ENISA is to maintain a new registry of certain cross-border digital service providers (such as DNS service providers, TLD registries, domain name registration service providers, and cloud providers), while member states keep lists of essential and important entities by sector. A new obligation is to report changes to basic data (for example, name or company ID number (IČO)) within two weeks of the change. In some sectors, such as domain infrastructure, the rules apply regardless of company size, and public administration is covered as well, including smaller local governments. Sanctions are to be strict and comparable to GDPR.
New obligations: training, incident reporting, and policy
NIS2 introduces mandatory training for members of management bodies, who can be held personally liable for non-compliance. In some countries there is also criminal liability, which increases the pressure to set up processes properly. Methodologies for employee training can also be expected, so that basic security habits are not just a formal requirement.
The incident reporting regime is also changing: an early warning is expected within 24 hours of becoming aware of a significant incident, a fuller incident notification within 72 hours, and a final report within a month. The definition of a "significant incident" is, however, still broad and awaits clarification through national methodologies. The security policy must cover risk management across the areas the directive lists, including incident handling, business continuity, supply chain security, and the use of encryption. Organizations should prepare processes so they can meet both the time limits and the content requirements.
Specifics for domains and what lies ahead
For domain infrastructure, NIS2 adds specific requirements for verifying registrant data, which will require coordination with registrars. Over two thousand registrars operate in Slovakia and are the direct "gateway" to clients, while the registry itself is a further layer. The rules can therefore significantly affect procedures for registering and managing domains.
At the EU level, frameworks for handling large-scale cyber crises and a network of crisis liaison organisations (EU-CyCLONe) are taking shape to improve coordination. Member states will be able to require the use of certified ICT products, services, or processes, with details to follow in European Commission implementing acts. Until these rules are put into practice, a "vacuum" remains; it is sensible to follow the authorities' guidance, keep records up to date, set up incident management processes, and prepare training. The strict penalties are already a clear signal that delaying is unlikely to pay off.