This is an example of a simple banner

NIS2: What the Directive Changes for Companies in 2026

Cybersecurity is no longer just an IT specialist’s job. With NIS2, the European Union imposes a common security baseline on tens of thousands of companies. Do you think a Swiss company escapes the nis2 directive? That is a misreading. The supply chain, subsidiaries and contracts catch up with you very quickly.

Table of Contents

security team in a soc monitoring nis2 directive compliance

NIS2: what exactly are we talking about?

NIS2 is the short name of Directive (EU) 2022/2555. It was adopted on 14 December 2022. Its goal: to raise the common level of cybersecurity across the entire Union. Indeed, it replaces the first NIS directive of 2016, which was deemed too limited against current threats.

The nis2 directive entered into force in January 2023. Member States then had until 17 October 2024 to transpose it into national law. Since 18 October 2024, the former NIS1 directive has been repealed. In other words, the new regime now applies through the national laws of each Union country.

Moreover, NIS2 significantly broadens its scope. The European Commission now lists eighteen critical sectors covered by the text. Furthermore, it strengthens risk management rules, notification obligations and enforcement powers. This is a change of scale, not a simple adjustment.

Who is concerned: essential and important entities

The directive classifies organisations into two broad categories. On one side, essential entities. On the other, important entities. This classification depends on the sector, the type of service provided and the size of the company. As a rule, it is the medium-sized and large entities in critical sectors that fall within the scope.

The covered sectors are broad. They go well beyond traditional infrastructure such as energy or transport. Here are some examples of areas targeted by NIS2:

  • Energy, transport, banking and financial market infrastructure
  • Health, drinking water and wastewater
  • Digital infrastructure and digital service providers
  • Public administration and the space sector
  • Waste management, manufacturing of critical products, agri-food sector
  • Postal and courier services, public electronic communication networks

However, the logic of NIS2 does not stop at these two categories. Indeed, the directive insists on supply chain security. A concerned company must therefore assess the risks linked to its suppliers and service providers. It is precisely through this mechanism that the reach of the text extends beyond the borders of the Union.

governance and compliance meeting on nis2 company obligations

The new obligations imposed on companies

NIS2 imposes a set of concrete obligations. They rest on three pillars: risk management, incident notification and governance. Each of these pillars requires resources, processes and evidence. Let us review them.

Cybersecurity risk management

Essential and important entities must adopt appropriate technical and organisational measures. The directive follows a so-called “all-hazards” approach. It covers cyberattacks as well as technical failures, human errors or physical incidents. In short, the aim is to protect the availability, integrity and confidentiality of data.

Recital 79 of the text explicitly cites the ISO/IEC 27000 family of standards as a reference. This point is crucial. It shows that implementing an Information Security Management System is directly aligned with the expectations of the directive. We will come back to this later.

Incident notification

The notification pace is strict. Article 23 of the directive sets a precise timeline for any significant incident. Here are the milestones to remember:

  • An early warning within 24 hours of becoming aware of the incident.
  • A full incident notification within 72 hours, with an initial assessment of the severity.
  • A final report no later than one month after the incident notification.

These deadlines are short. Consequently, a concerned company must prepare its procedures in advance. Improvising a report in the middle of a crisis is not a viable option. You need clear roles, an identified point of contact and ready documentation.

Management accountability

This is one of the major contributions of NIS2. Article 20 places cybersecurity at board level. Management bodies must approve the risk management measures. Furthermore, they must oversee their implementation. Finally, members of the management body are required to follow appropriate training.

Penalties and management accountability

The NIS2 penalty regime is dissuasive. It is calibrated differently depending on the category of the entity. Article 34 requires Member States to provide for maximum fines of at least the amounts below. In practice, the bill can be heavy in the event of a breach of Articles 21 or 23.

Category Required maximum fine (fixed amount) Turnover-based alternative
Essential entities approx. CHF 9.3 million (at least EUR 10 000 000) or at least 2% of annual worldwide turnover
Important entities approx. CHF 6.5 million (at least EUR 7 000 000) or at least 1.4% of annual worldwide turnover

The rule applies whichever of the two options is higher. Thus, for a large group, the percentage of turnover can far exceed the fixed threshold. However, the financial penalty is not the only risk. Executives can be held personally liable for breaches. Reputation, customer trust and business continuity are also at stake.

risk mapping for nis2 compliance within a company

The concrete impact for Swiss companies

Switzerland is not part of the European Union. A quick conclusion would therefore be to say that NIS2 does not concern it. This conclusion is wrong. In reality, several mechanisms catch up with Swiss companies. Let us look at which ones.

Subsidiaries established in the Union

A Swiss company that owns a subsidiary or an establishment in a Union country may fall directly under NIS2. If that subsidiary operates in a covered sector and exceeds the size thresholds, it must comply with the local regime. Consequently, the Swiss parent company must steer this compliance from Switzerland.

The supply chain effect

This is the most powerful mechanism. NIS2 requires concerned entities to secure their supply chain. They must therefore demand a certain level of security from their suppliers. Now, many Swiss subcontractors and service providers work for European clients.

In practice, this translates into contractual clauses. Your European clients will ask you for security guarantees. They may require audits, attestations or certification. In short, even without being legally subject to NIS2, you will feel its requirements through contracts. Ignoring this point means risking the loss of markets.

Digital service providers

Some Swiss companies provide digital services on a European scale. Cloud, hosting, online marketplace, search engine: these activities are in the spotlight. Depending on the location of their activities and users, they may have to designate a representative in the Union. A case-by-case analysis is essential.

NIS2, the nFADP and Swiss law: where do we stand?

Switzerland has its own framework. The new Federal Act on Data Protection, the nFADP, entered into force in 2023. It governs the processing of personal data and imposes security and notification obligations in the event of a breach. However, the nFADP does not cover exactly the same scope as NIS2. It targets data protection, not the overall resilience of critical systems.

On the cybersecurity side, Switzerland has taken an important step. Since 1 April 2025, an obligation to report cyberattacks against critical infrastructure has been in force. The Federal Council took this decision on 7 March 2025. The operators concerned must now report incidents to the Federal Office for Cybersecurity.

This Swiss mechanism comes close to the spirit of NIS2, without being a copy. Both texts converge on the same idea: the security of critical systems is a collective responsibility. For a company active on both sides of the border, both logics must therefore be satisfied in parallel. This is where a shared framework becomes valuable.

Recommended training

ISO 27001 Lead Implementer

Ref. ISO-27001LI

Learn to deploy an Information Security Management System aligned with NIS2 requirements and prepare your organisation for the certification audit.

Duration: 5 days
Level: Intermediate
Location: Geneva / Lausanne / Remote

Discover the course →

How to achieve compliance with an ISO 27001 ISMS

The good news: you do not have to reinvent the wheel. A recognised framework already answers most NIS2 requirements. That framework is the ISO/IEC 27001 standard and its Information Security Management System, the ISMS. The directive itself refers to this family of standards.

An ISMS structures security as a continuous process, not as a one-off project. It rests on risk analysis, treatment measures, monitoring and constant improvement. Here is how this approach answers the directive’s expectations point by point:

  • Risk management: the ISMS requires a formal and documented risk analysis.
  • Security measures: the standard provides a catalogue of organisational and technical controls.
  • Incident notification: the ISMS defines incident detection and response procedures.
  • Governance: management commits formally and steers the system.
  • Supply chain: supplier relationships are framed by precise requirements.

In concrete terms, compliance unfolds in stages. First, you define the scope and context of your organisation. Then, you carry out the risk analysis and select the measures. Next, you deploy these measures and train your teams. Finally, you monitor, audit and improve continuously.

This is exactly what an ISO 27001 Lead Implementer training teaches. You learn to plan, deploy and manage an ISMS compliant with the ISO 27001:2022 version. This skill answers a concrete business need. It also demonstrates to European clients that your company takes security seriously.

To go deeper into the official framework, several public resources carry authority. The full text of the directive is available on EUR-Lex. The European Commission details the scope on its dedicated NIS2 portal. On the Swiss side, the Federal Office for Cybersecurity details the reporting obligation.

it team securing infrastructure for nis2 switzerland compliance

Recommended training

ISO 27001 Lead Implementer

Ref. ISO-27001LI

Master the end-to-end implementation of an ISMS and anticipate the requirements of the nis2 directive for your European clients and partners.

Duration: 5 days
Level: Intermediate
Location: Geneva / Lausanne / Remote

Discover the course →

Conclusion

NIS2 changes the game for cybersecurity in Europe. The directive broadens its scope, tightens obligations and holds leaders accountable. Financial penalties are now dissuasive. However, the essential point is not the fear of a fine. It is the building of a genuine security culture.

For Swiss companies, vigilance is required. Subsidiaries in the Union, supply chain effect, contractual requirements: the channels of exposure are numerous. Furthermore, Switzerland is strengthening its own framework, with the nFADP and the obligation to report cyberattacks against critical infrastructure. Preparing today means protecting your markets of tomorrow.

The most solid approach remains setting up an ISMS aligned with ISO 27001. It meets NIS2 requirements while reassuring your partners. Investing in internal skills is therefore a strategic choice. It is the best way to turn a regulatory constraint into a competitive advantage.

FAQ

Does NIS2 apply directly to Swiss companies?
The directive applies in European Union countries. However, a Swiss company may be subject to it through a subsidiary established in the Union. It may also feel its requirements through contracts, via its European clients and the supply chain effect.

What is the difference between an essential entity and an important entity?
The classification depends on the sector, the service provided and the size of the organisation. Both categories share the same core obligations. In contrast, the supervision regime and the fine ceiling differ, with a higher level for essential entities.

What are the incident notification deadlines?
Article 23 of the directive provides for an early warning within 24 hours, a full notification within 72 hours, then a final report no later than one month after the incident notification. These short deadlines require procedures prepared in advance.

Is an ISO 27001 certification enough to be NIS2 compliant?
The ISO 27001 standard covers the vast majority of the directive’s requirements, which itself refers to the ISO/IEC 27000 family. A well-designed ISMS is a very solid basis. You must nonetheless check the local transposition obligations in each country concerned.

What does a company risk in the event of non-compliance?
Essential entities face fines of up to approximately CHF 9.3 million (at least EUR 10 000 000 under the directive) or 2% of annual worldwide turnover, whichever is higher. For important entities, the cap is approximately CHF 6.5 million (at least EUR 7 000 000) or 1.4%. Executives can also be held personally liable.

Facebook
Twitter
LinkedIn
Email
About the author

ITTA is the leader in IT training and project management solutions and services in French-speaking Switzerland.

Our latest posts

Subscribe to the newsletter

Confirmed training courses

Consult our confirmed trainings and sessions

SC-200T00
Intermédiaire
4
jours
Présentiel, Virtuel
Dès CHF 3'000.-
COM-203
Avancé
5
jours
Présentiel, Virtuel
Dès CHF 3'750.-
PL-300T00
Intermédiaire
3
jours
Présentiel, Virtuel
Dès CHF 2'350.-
SQL-01
Fondamental
3
jours
Présentiel, Virtuel
Dès CHF 2'150.-

Contact

ITTA
Route des jeunes 35
1227 Carouge, Suisse

Opening hours

Monday to Friday
8:30 AM to 6:00 PM
Tel. 058 307 73 00

Contact-us

ITTA
Route des jeunes 35
1227 Carouge, Suisse

Make a request

Contact

ITTA
Route des jeunes 35
1227 Carouge, Suisse

Opening hours

Monday to Friday, from 8:30 am to 06:00 pm.

Contact us

Your request