NIS2

NIS2 (Directive (EU) 2022/2555) is the EU directive for a high common level of cybersecurity. It can also affect Swiss companies if they have an EU establishment or sit in the supply chain of a regulated EU company.

NIS2 is the revised EU directive on network and information security and replaced the original 2016 NIS Directive. It obliges companies across 18 critical sectors to take cybersecurity measures and follow common reporting rules. Note: This article is a general overview, not legal advice.

When does NIS2 apply to a Swiss company?

Because Switzerland is not part of the EU, NIS2 does not apply directly to companies based in Switzerland. They are still affected if they run an establishment in the EU or sit in the supply chain of a NIS2-regulated EU company. Regulated operators have to manage the security of their suppliers and typically pass the requirements down by contract (Directive (EU) 2022/2555).

What obligations does NIS2 impose?

NIS2 requires appropriate risk-management measures, including access control, encryption, supply-chain security, and contingency plans. For significant security incidents it sets a staged reporting regime: an early warning within 24 hours, a more detailed notification within 72 hours, and a final report within one month (Directive (EU) 2022/2555).

What penalties apply?

NIS2 distinguishes between “essential” and “important” entities. Essential entities face fines of up to EUR 10 million or 2% of worldwide annual turnover, important entities up to EUR 7 million or 1.4% (Directive (EU) 2022/2555).

Sources

• EUR-Lex: Directive (EU) 2022/2555 (NIS2), full text
• European Commission: NIS2 Directive