{"id":253889,"date":"2026-07-14T17:29:52","date_gmt":"2026-07-14T15:29:52","guid":{"rendered":"https:\/\/www.itta.net\/?p=253889"},"modified":"2026-07-14T17:30:56","modified_gmt":"2026-07-14T15:30:56","slug":"nis2-directive-companies-2026","status":"publish","type":"post","link":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/","title":{"rendered":"NIS2: What the Directive Changes for Companies in 2026"},"content":{"rendered":"<p><em><strong>Cybersecurity is no longer just an IT specialist&#8217;s job.<\/strong> With NIS2, the European Union imposes a common security baseline on tens of thousands of companies. Do you think a Swiss company escapes the nis2 directive? That is a misreading. The supply chain, subsidiaries and contracts catch up with you very quickly.<\/em><\/p>\n<!-- quiz_ia: invalid JSON in quiz_ia_data -->\n<h2 id=\"sommaire\">Table of Contents<\/h2>\n<ul>\n<li><a href=\"#quest-ce-que-nis2\">NIS2: what exactly are we talking about?<\/a><\/li>\n<li><a href=\"#qui-est-concerne\">Who is concerned: essential and important entities<\/a><\/li>\n<li><a href=\"#obligations\">The new obligations imposed on companies<\/a><\/li>\n<li><a href=\"#sanctions\">Penalties and management accountability<\/a><\/li>\n<li><a href=\"#impact-suisse\">The concrete impact for Swiss companies<\/a><\/li>\n<li><a href=\"#droit-suisse\">NIS2, the nFADP and Swiss law: where do we stand?<\/a><\/li>\n<li><a href=\"#conformite\">How to achieve compliance with an ISO 27001 ISMS<\/a><\/li>\n<li><a href=\"#conclusion\">Conclusion<\/a><\/li>\n<li><a href=\"#faq\">FAQ<\/a><\/li>\n<\/ul>\n<p><img decoding=\"async\" src=\"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-1.webp\" alt=\"security team in a soc monitoring nis2 directive compliance\" loading=\"lazy\" style=\"width:100%;height:auto;border-radius:8px;margin:2.75rem 0\" \/><\/p>\n<h2 id=\"quest-ce-que-nis2\">NIS2: what exactly are we talking about?<\/h2>\n<p>NIS2 is the short name of Directive (EU) 2022\/2555. It was adopted on 14 December 2022. Its goal: to raise the common level of cybersecurity across the entire Union. Indeed, it replaces the first NIS directive of 2016, which was deemed too limited against current threats.<\/p>\n<p>The nis2 directive entered into force in January 2023. Member States then had until 17 October 2024 to transpose it into national law. Since 18 October 2024, the former NIS1 directive has been repealed. In other words, the new regime now applies through the national laws of each Union country.<\/p>\n<p>Moreover, NIS2 significantly broadens its scope. The European Commission now lists eighteen critical sectors covered by the text. Furthermore, it strengthens risk management rules, notification obligations and enforcement powers. This is a change of scale, not a simple adjustment.<\/p>\n<h2 id=\"qui-est-concerne\">Who is concerned: essential and important entities<\/h2>\n<p>The directive classifies organisations into two broad categories. On one side, essential entities. On the other, important entities. This classification depends on the sector, the type of service provided and the size of the company. As a rule, it is the medium-sized and large entities in critical sectors that fall within the scope.<\/p>\n<p>The covered sectors are broad. They go well beyond traditional infrastructure such as energy or transport. Here are some examples of areas targeted by NIS2:<\/p>\n<ul>\n<li>Energy, transport, banking and financial market infrastructure<\/li>\n<li>Health, drinking water and wastewater<\/li>\n<li>Digital infrastructure and digital service providers<\/li>\n<li>Public administration and the space sector<\/li>\n<li>Waste management, manufacturing of critical products, agri-food sector<\/li>\n<li>Postal and courier services, public electronic communication networks<\/li>\n<\/ul>\n<p>However, the logic of NIS2 does not stop at these two categories. Indeed, the directive insists on supply chain security. A concerned company must therefore assess the risks linked to its suppliers and service providers. It is precisely through this mechanism that the reach of the text extends beyond the borders of the Union.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-2.webp\" alt=\"governance and compliance meeting on nis2 company obligations\" loading=\"lazy\" style=\"width:100%;height:auto;border-radius:8px;margin:2.75rem 0\" \/><\/p>\n<h2 id=\"obligations\">The new obligations imposed on companies<\/h2>\n<p>NIS2 imposes a set of concrete obligations. They rest on three pillars: risk management, incident notification and governance. Each of these pillars requires resources, processes and evidence. Let us review them.<\/p>\n<h3>Cybersecurity risk management<\/h3>\n<p>Essential and important entities must adopt appropriate technical and organisational measures. The directive follows a so-called &#8220;all-hazards&#8221; approach. It covers cyberattacks as well as technical failures, human errors or physical incidents. In short, the aim is to protect the availability, integrity and confidentiality of data.<\/p>\n<p>Recital 79 of the text explicitly cites the ISO\/IEC 27000 family of standards as a reference. This point is crucial. It shows that implementing an Information Security Management System is directly aligned with the expectations of the directive. We will come back to this later.<\/p>\n<h3>Incident notification<\/h3>\n<p>The notification pace is strict. Article 23 of the directive sets a precise timeline for any significant incident. Here are the milestones to remember:<\/p>\n<ul>\n<li>An early warning within 24 hours of becoming aware of the incident.<\/li>\n<li>A full incident notification within 72 hours, with an initial assessment of the severity.<\/li>\n<li>A final report no later than one month after the incident notification.<\/li>\n<\/ul>\n<p>These deadlines are short. Consequently, a concerned company must prepare its procedures in advance. Improvising a report in the middle of a crisis is not a viable option. You need clear roles, an identified point of contact and ready documentation.<\/p>\n<h3>Management accountability<\/h3>\n<p>This is one of the major contributions of NIS2. Article 20 places cybersecurity at board level. Management bodies must approve the risk management measures. Furthermore, they must oversee their implementation. Finally, members of the management body are required to follow appropriate training.<\/p>\n<h2 id=\"sanctions\">Penalties and management accountability<\/h2>\n<p>The NIS2 penalty regime is dissuasive. It is calibrated differently depending on the category of the entity. Article 34 requires Member States to provide for maximum fines of at least the amounts below. In practice, the bill can be heavy in the event of a breach of Articles 21 or 23.<\/p>\n<div style=\"overflow-x:auto;-webkit-overflow-scrolling:touch;max-width:100%;width:100%;margin:1rem 0 0.5rem 0\">\n<table style=\"width:100%\">\n<thead>\n<tr>\n<th>Category<\/th>\n<th>Required maximum fine (fixed amount)<\/th>\n<th>Turnover-based alternative<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>Essential entities<\/td>\n<td>approx. CHF 9.3 million (at least EUR 10 000 000)<\/td>\n<td>or at least 2% of annual worldwide turnover<\/td>\n<\/tr>\n<tr>\n<td>Important entities<\/td>\n<td>approx. CHF 6.5 million (at least EUR 7 000 000)<\/td>\n<td>or at least 1.4% of annual worldwide turnover<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/div>\n<p>The rule applies whichever of the two options is higher. Thus, for a large group, the percentage of turnover can far exceed the fixed threshold. However, the financial penalty is not the only risk. Executives can be held personally liable for breaches. Reputation, customer trust and business continuity are also at stake.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-3.webp\" alt=\"risk mapping for nis2 compliance within a company\" loading=\"lazy\" style=\"width:100%;height:auto;border-radius:8px;margin:2.75rem 0\" \/><\/p>\n<h2 id=\"impact-suisse\">The concrete impact for Swiss companies<\/h2>\n<p>Switzerland is not part of the European Union. A quick conclusion would therefore be to say that NIS2 does not concern it. This conclusion is wrong. In reality, several mechanisms catch up with Swiss companies. Let us look at which ones.<\/p>\n<h3>Subsidiaries established in the Union<\/h3>\n<p>A Swiss company that owns a subsidiary or an establishment in a Union country may fall directly under NIS2. If that subsidiary operates in a covered sector and exceeds the size thresholds, it must comply with the local regime. Consequently, the Swiss parent company must steer this compliance from Switzerland.<\/p>\n<h3>The supply chain effect<\/h3>\n<p>This is the most powerful mechanism. NIS2 requires concerned entities to secure their supply chain. They must therefore demand a certain level of security from their suppliers. Now, many Swiss subcontractors and service providers work for European clients.<\/p>\n<p>In practice, this translates into contractual clauses. Your European clients will ask you for security guarantees. They may require audits, attestations or certification. In short, even without being legally subject to NIS2, you will feel its requirements through contracts. Ignoring this point means risking the loss of markets.<\/p>\n<h3>Digital service providers<\/h3>\n<p>Some Swiss companies provide digital services on a European scale. Cloud, hosting, online marketplace, search engine: these activities are in the spotlight. Depending on the location of their activities and users, they may have to designate a representative in the Union. A case-by-case analysis is essential.<\/p>\n<h2 id=\"droit-suisse\">NIS2, the nFADP and Swiss law: where do we stand?<\/h2>\n<p>Switzerland has its own framework. The new Federal Act on Data Protection, the nFADP, entered into force in 2023. It governs the processing of personal data and imposes security and notification obligations in the event of a breach. However, the nFADP does not cover exactly the same scope as NIS2. It targets data protection, not the overall resilience of critical systems.<\/p>\n<p>On the cybersecurity side, Switzerland has taken an important step. Since 1 April 2025, an obligation to report cyberattacks against critical infrastructure has been in force. The Federal Council took this decision on 7 March 2025. The operators concerned must now report incidents to the Federal Office for Cybersecurity.<\/p>\n<p>This Swiss mechanism comes close to the spirit of NIS2, without being a copy. Both texts converge on the same idea: the security of critical systems is a collective responsibility. For a company active on both sides of the border, both logics must therefore be satisfied in parallel. This is where a shared framework becomes valuable.<\/p>\n<div style=\"background:linear-gradient(135deg,#f8fcfc 0%,#f0fafa 100%);border-radius:12px;padding:36px 40px;margin:40px 0;font-family:Montserrat,Arial,sans-serif;color:#111;border-left:6px solid #00B0AE;position:relative\">\n<p style=\"font-size:1.1vw;font-weight:600;margin:0 0 6px;color:#00B0AE;line-height:1.3;text-transform:uppercase;letter-spacing:1px\">Recommended training<\/p>\n<p style=\"font-size:1.6vw;font-weight:700;margin:0 0 4px;color:#1a1a2e;line-height:1.3\">ISO 27001 Lead Implementer<\/p>\n<p style=\"font-size:0.9vw;font-weight:600;margin:0 0 14px;color:#888;line-height:1.3\">Ref. ISO-27001LI<\/p>\n<p style=\"font-size:1vw;margin:0 0 16px;color:#444;line-height:1.6\">Learn to deploy an Information Security Management System aligned with NIS2 requirements and prepare your organisation for the certification audit.<\/p>\n<div style=\"display:flex;flex-wrap:wrap;gap:8px 24px;margin:0 0 20px\">\n<span style=\"font-size:0.95vw;color:#444\"><strong style=\"color:#00B0AE\">Duration:<\/strong> 5 days<\/span><br \/>\n<span style=\"font-size:0.95vw;color:#444\"><strong style=\"color:#00B0AE\">Level:<\/strong> Intermediate<\/span><br \/>\n<span style=\"font-size:0.95vw;color:#444\"><strong style=\"color:#00B0AE\">Location:<\/strong> Geneva \/ Lausanne \/ Remote<\/span>\n<\/div>\n<p><a href=\"https:\/\/www.itta.net\/en\/trainings\/it-pro\/audit-and-cybersecurity\/iso-iec-27001-lead-implementer\/\" target=\"_blank\" rel=\"noopener\" style=\"display:inline-block;background:#00B0AE;color:#fff;padding:14px 32px;border-radius:8px;font-size:1.05vw;font-weight:700;text-decoration:none;font-family:Montserrat,Arial,sans-serif\">Discover the course \u2192<\/a>\n<\/div>\n<h2 id=\"conformite\">How to achieve compliance with an ISO 27001 ISMS<\/h2>\n<p>The good news: you do not have to reinvent the wheel. A recognised framework already answers most NIS2 requirements. That framework is the ISO\/IEC 27001 standard and its Information Security Management System, the ISMS. The directive itself refers to this family of standards.<\/p>\n<p>An ISMS structures security as a continuous process, not as a one-off project. It rests on risk analysis, treatment measures, monitoring and constant improvement. Here is how this approach answers the directive&#8217;s expectations point by point:<\/p>\n<ul>\n<li>Risk management: the ISMS requires a formal and documented risk analysis.<\/li>\n<li>Security measures: the standard provides a catalogue of organisational and technical controls.<\/li>\n<li>Incident notification: the ISMS defines incident detection and response procedures.<\/li>\n<li>Governance: management commits formally and steers the system.<\/li>\n<li>Supply chain: supplier relationships are framed by precise requirements.<\/li>\n<\/ul>\n<p>In concrete terms, compliance unfolds in stages. First, you define the scope and context of your organisation. Then, you carry out the risk analysis and select the measures. Next, you deploy these measures and train your teams. Finally, you monitor, audit and improve continuously.<\/p>\n<p>This is exactly what an <a href=\"https:\/\/www.itta.net\/en\/trainings\/it-pro\/audit-and-cybersecurity\/iso-iec-27001-lead-implementer\/\" target=\"_blank\" rel=\"noopener noreferrer\">ISO 27001 Lead Implementer<\/a> training teaches. You learn to plan, deploy and manage an ISMS compliant with the ISO 27001:2022 version. This skill answers a concrete business need. It also demonstrates to European clients that your company takes security seriously.<\/p>\n<p>To go deeper into the official framework, several public resources carry authority. The full text of the directive is available on <a href=\"https:\/\/eur-lex.europa.eu\/legal-content\/EN\/TXT\/?uri=CELEX:32022L2555\" target=\"_blank\" rel=\"noopener noreferrer\">EUR-Lex<\/a>. The European Commission details the scope on its <a href=\"https:\/\/digital-strategy.ec.europa.eu\/en\/policies\/nis2-directive\" target=\"_blank\" rel=\"noopener noreferrer\">dedicated NIS2 portal<\/a>. On the Swiss side, the <a href=\"https:\/\/www.ncsc.admin.ch\/ncsc\/en\/home\/meldepflicht\/meldepflicht-info.html\" target=\"_blank\" rel=\"noopener noreferrer\">Federal Office for Cybersecurity<\/a> details the reporting obligation.<\/p>\n<p><img decoding=\"async\" src=\"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-4.webp\" alt=\"it team securing infrastructure for nis2 switzerland compliance\" loading=\"lazy\" style=\"width:100%;height:auto;border-radius:8px;margin:2.75rem 0\" \/><\/p>\n<div style=\"background:linear-gradient(135deg,#f8fcfc 0%,#f0fafa 100%);border-radius:12px;padding:36px 40px;margin:40px 0;font-family:Montserrat,Arial,sans-serif;color:#111;border-left:6px solid #00B0AE;position:relative\">\n<p style=\"font-size:1.1vw;font-weight:600;margin:0 0 6px;color:#00B0AE;line-height:1.3;text-transform:uppercase;letter-spacing:1px\">Recommended training<\/p>\n<p style=\"font-size:1.6vw;font-weight:700;margin:0 0 4px;color:#1a1a2e;line-height:1.3\">ISO 27001 Lead Implementer<\/p>\n<p style=\"font-size:0.9vw;font-weight:600;margin:0 0 14px;color:#888;line-height:1.3\">Ref. ISO-27001LI<\/p>\n<p style=\"font-size:1vw;margin:0 0 16px;color:#444;line-height:1.6\">Master the end-to-end implementation of an ISMS and anticipate the requirements of the nis2 directive for your European clients and partners.<\/p>\n<div style=\"display:flex;flex-wrap:wrap;gap:8px 24px;margin:0 0 20px\">\n<span style=\"font-size:0.95vw;color:#444\"><strong style=\"color:#00B0AE\">Duration:<\/strong> 5 days<\/span><br \/>\n<span style=\"font-size:0.95vw;color:#444\"><strong style=\"color:#00B0AE\">Level:<\/strong> Intermediate<\/span><br \/>\n<span style=\"font-size:0.95vw;color:#444\"><strong style=\"color:#00B0AE\">Location:<\/strong> Geneva \/ Lausanne \/ Remote<\/span>\n<\/div>\n<p><a href=\"https:\/\/www.itta.net\/en\/trainings\/it-pro\/audit-and-cybersecurity\/iso-iec-27001-lead-implementer\/\" target=\"_blank\" rel=\"noopener\" style=\"display:inline-block;background:#00B0AE;color:#fff;padding:14px 32px;border-radius:8px;font-size:1.05vw;font-weight:700;text-decoration:none;font-family:Montserrat,Arial,sans-serif\">Discover the course \u2192<\/a>\n<\/div>\n<h2 id=\"conclusion\">Conclusion<\/h2>\n<p>NIS2 changes the game for cybersecurity in Europe. The directive broadens its scope, tightens obligations and holds leaders accountable. Financial penalties are now dissuasive. However, the essential point is not the fear of a fine. It is the building of a genuine security culture.<\/p>\n<p>For Swiss companies, vigilance is required. Subsidiaries in the Union, supply chain effect, contractual requirements: the channels of exposure are numerous. Furthermore, Switzerland is strengthening its own framework, with the nFADP and the obligation to report cyberattacks against critical infrastructure. Preparing today means protecting your markets of tomorrow.<\/p>\n<p>The most solid approach remains setting up an ISMS aligned with ISO 27001. It meets NIS2 requirements while reassuring your partners. Investing in internal skills is therefore a strategic choice. It is the best way to turn a regulatory constraint into a competitive advantage.<\/p>\n<h2 id=\"faq\">FAQ<\/h2>\n<p><strong>Does NIS2 apply directly to Swiss companies?<\/strong><br \/>The directive applies in European Union countries. However, a Swiss company may be subject to it through a subsidiary established in the Union. It may also feel its requirements through contracts, via its European clients and the supply chain effect.<\/p>\n<p><strong>What is the difference between an essential entity and an important entity?<\/strong><br \/>The classification depends on the sector, the service provided and the size of the organisation. Both categories share the same core obligations. In contrast, the supervision regime and the fine ceiling differ, with a higher level for essential entities.<\/p>\n<p><strong>What are the incident notification deadlines?<\/strong><br \/>Article 23 of the directive provides for an early warning within 24 hours, a full notification within 72 hours, then a final report no later than one month after the incident notification. These short deadlines require procedures prepared in advance.<\/p>\n<p><strong>Is an ISO 27001 certification enough to be NIS2 compliant?<\/strong><br \/>The ISO 27001 standard covers the vast majority of the directive&#8217;s requirements, which itself refers to the ISO\/IEC 27000 family. A well-designed ISMS is a very solid basis. You must nonetheless check the local transposition obligations in each country concerned.<\/p>\n<p><strong>What does a company risk in the event of non-compliance?<\/strong><br \/>Essential entities face fines of up to approximately CHF 9.3 million (at least EUR 10 000 000 under the directive) or 2% of annual worldwide turnover, whichever is higher. For important entities, the cap is approximately CHF 6.5 million (at least EUR 7 000 000) or 1.4%. Executives can also be held personally liable.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Cybersecurity is no longer just an IT specialist&#8217;s job. With NIS2, the European Union imposes a common security baseline on tens of thousands of companies. Do you think a Swiss company escapes the nis2 directive? That is a misreading. The supply chain, subsidiaries and contracts catch up with you very quickly. Table of Contents NIS2: [&hellip;]<\/p>\n","protected":false},"author":112,"featured_media":253886,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","footnotes":""},"categories":[2938,2944],"tags":[],"class_list":["post-253889","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-informatique","category-it-pro"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v27.5 (Yoast SEO v27.5) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>NIS2: What the Directive Changes for Companies<\/title>\n<meta name=\"description\" content=\"NIS2: who is concerned, obligations, penalties and impact for Swiss companies. A compliance guide and the role of ISO 27001.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Damien Crocq\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":[\"Article\",\"BlogPosting\"],\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/\"},\"author\":{\"name\":\"Damien Crocq\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#\\\/schema\\\/person\\\/ca875e6c61a8f6f224901d4b48e1494f\"},\"headline\":\"NIS2: What the Directive Changes for Companies in 2026\",\"datePublished\":\"2026-07-14T15:29:52+00:00\",\"dateModified\":\"2026-07-14T15:30:56+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/\"},\"wordCount\":1985,\"publisher\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/nis2-directive-entreprises-2026-featured.webp\",\"articleSection\":[\"Informatique\",\"IT Pro\"],\"inLanguage\":\"en-GB\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/\",\"url\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/\",\"name\":\"NIS2: What the Directive Changes for Companies\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/nis2-directive-entreprises-2026-featured.webp\",\"datePublished\":\"2026-07-14T15:29:52+00:00\",\"dateModified\":\"2026-07-14T15:30:56+00:00\",\"description\":\"NIS2: who is concerned, obligations, penalties and impact for Swiss companies. A compliance guide and the role of ISO 27001.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/nis2-directive-entreprises-2026-featured.webp\",\"contentUrl\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2026\\\/07\\\/nis2-directive-entreprises-2026-featured.webp\",\"width\":1376,\"height\":768,\"caption\":\"nis2\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/blog\\\/nis2-directive-companies-2026\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.itta.net\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"NIS2: What the Directive Changes for Companies in 2026\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.itta.net\\\/en\\\/\",\"name\":\"ITTA\",\"description\":\"Formations &amp; Certifications en Suisse Romande\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.itta.net\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":[\"Organization\",\"EducationalOrganization\"],\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#organization\",\"name\":\"ITTA\",\"alternateName\":\"IT TRAINING ACADEMY SA\",\"url\":\"https:\\\/\\\/www.itta.net\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/Logo-transparent.png\",\"contentUrl\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2023\\\/02\\\/Logo-transparent.png\",\"width\":1500,\"height\":623,\"caption\":\"ITTA\"},\"image\":{\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/people\\\/ITTA\\\/100063747262936\\\/\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/1001738\",\"https:\\\/\\\/www.instagram.com\\\/itta_suisse\\\/\"],\"contactPoint\":{\"@type\":\"ContactPoint\",\"telephone\":\"+41 58 307 73 00\",\"contactType\":\"customer service\",\"availableLanguage\":[\"French\",\"English\"],\"areaServed\":[{\"@type\":\"Country\",\"name\":\"Switzerland\"},{\"@type\":\"Country\",\"name\":\"France\"}]},\"location\":[{\"@type\":\"Place\",\"name\":\"ITTA Geneve\",\"address\":{\"@type\":\"PostalAddress\",\"streetAddress\":\"Route des Jeunes 35\",\"addressLocality\":\"Carouge\",\"postalCode\":\"1227\",\"addressRegion\":\"GE\",\"addressCountry\":\"CH\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":46.18274,\"longitude\":6.12922}},{\"@type\":\"Place\",\"name\":\"ITTA Lausanne\",\"address\":{\"@type\":\"PostalAddress\",\"streetAddress\":\"Rue des Cotes-de-Montbenon 16\",\"addressLocality\":\"Lausanne\",\"postalCode\":\"1003\",\"addressRegion\":\"VD\",\"addressCountry\":\"CH\"},\"geo\":{\"@type\":\"GeoCoordinates\",\"latitude\":46.52111,\"longitude\":6.62734}}]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/en\\\/#\\\/schema\\\/person\\\/ca875e6c61a8f6f224901d4b48e1494f\",\"name\":\"Damien Crocq\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/damien-bio-1-100x100.jpg\",\"url\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/damien-bio-1-100x100.jpg\",\"contentUrl\":\"https:\\\/\\\/www.itta.net\\\/wp-content\\\/uploads\\\/2024\\\/04\\\/damien-bio-1-100x100.jpg\",\"caption\":\"Damien Crocq\"},\"description\":\"Damien est un professionnel dynamique, passionn\u00e9 par le marketing digital et le r\u00e9f\u00e9rencement naturel. Dipl\u00f4m\u00e9 d'un master en Web Marketing, il a acquis une solide exp\u00e9rience en e-commerce et a enseign\u00e9 sur des th\u00e9matiques de marketing digital. Aujourd'hui, il occupe le poste de sp\u00e9cialiste en marketing digital chez ITTA. Toujours curieux et innovant, Damien reste avant tout un passionn\u00e9 des technologies \u00e9mergentes, de l'informatique, de l'IA et du r\u00e9f\u00e9rencement naturel.\",\"sameAs\":[\"https:\\\/\\\/www.itta.net\",\"https:\\\/\\\/www.linkedin.com\\\/in\\\/damien-crocq\\\/?originalSubdomain=fr\"]}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"NIS2: What the Directive Changes for Companies","description":"NIS2: who is concerned, obligations, penalties and impact for Swiss companies. A compliance guide and the role of ISO 27001.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/","twitter_misc":{"Written by":"Damien Crocq","Estimated reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":["Article","BlogPosting"],"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#article","isPartOf":{"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/"},"author":{"name":"Damien Crocq","@id":"https:\/\/www.itta.net\/en\/#\/schema\/person\/ca875e6c61a8f6f224901d4b48e1494f"},"headline":"NIS2: What the Directive Changes for Companies in 2026","datePublished":"2026-07-14T15:29:52+00:00","dateModified":"2026-07-14T15:30:56+00:00","mainEntityOfPage":{"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/"},"wordCount":1985,"publisher":{"@id":"https:\/\/www.itta.net\/en\/#organization"},"image":{"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-featured.webp","articleSection":["Informatique","IT Pro"],"inLanguage":"en-GB"},{"@type":"WebPage","@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/","url":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/","name":"NIS2: What the Directive Changes for Companies","isPartOf":{"@id":"https:\/\/www.itta.net\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#primaryimage"},"image":{"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#primaryimage"},"thumbnailUrl":"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-featured.webp","datePublished":"2026-07-14T15:29:52+00:00","dateModified":"2026-07-14T15:30:56+00:00","description":"NIS2: who is concerned, obligations, penalties and impact for Swiss companies. A compliance guide and the role of ISO 27001.","breadcrumb":{"@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/"]}]},{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#primaryimage","url":"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-featured.webp","contentUrl":"https:\/\/www.itta.net\/wp-content\/uploads\/2026\/07\/nis2-directive-entreprises-2026-featured.webp","width":1376,"height":768,"caption":"nis2"},{"@type":"BreadcrumbList","@id":"https:\/\/www.itta.net\/en\/blog\/nis2-directive-companies-2026\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.itta.net\/en\/"},{"@type":"ListItem","position":2,"name":"NIS2: What the Directive Changes for Companies in 2026"}]},{"@type":"WebSite","@id":"https:\/\/www.itta.net\/en\/#website","url":"https:\/\/www.itta.net\/en\/","name":"ITTA","description":"Formations &amp; Certifications en Suisse Romande","publisher":{"@id":"https:\/\/www.itta.net\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.itta.net\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":["Organization","EducationalOrganization"],"@id":"https:\/\/www.itta.net\/en\/#organization","name":"ITTA","alternateName":"IT TRAINING ACADEMY SA","url":"https:\/\/www.itta.net\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.itta.net\/en\/#\/schema\/logo\/image\/","url":"https:\/\/www.itta.net\/wp-content\/uploads\/2023\/02\/Logo-transparent.png","contentUrl":"https:\/\/www.itta.net\/wp-content\/uploads\/2023\/02\/Logo-transparent.png","width":1500,"height":623,"caption":"ITTA"},"image":{"@id":"https:\/\/www.itta.net\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/people\/ITTA\/100063747262936\/","https:\/\/www.linkedin.com\/company\/1001738","https:\/\/www.instagram.com\/itta_suisse\/"],"contactPoint":{"@type":"ContactPoint","telephone":"+41 58 307 73 00","contactType":"customer service","availableLanguage":["French","English"],"areaServed":[{"@type":"Country","name":"Switzerland"},{"@type":"Country","name":"France"}]},"location":[{"@type":"Place","name":"ITTA Geneve","address":{"@type":"PostalAddress","streetAddress":"Route des Jeunes 35","addressLocality":"Carouge","postalCode":"1227","addressRegion":"GE","addressCountry":"CH"},"geo":{"@type":"GeoCoordinates","latitude":46.18274,"longitude":6.12922}},{"@type":"Place","name":"ITTA Lausanne","address":{"@type":"PostalAddress","streetAddress":"Rue des Cotes-de-Montbenon 16","addressLocality":"Lausanne","postalCode":"1003","addressRegion":"VD","addressCountry":"CH"},"geo":{"@type":"GeoCoordinates","latitude":46.52111,"longitude":6.62734}}]},{"@type":"Person","@id":"https:\/\/www.itta.net\/en\/#\/schema\/person\/ca875e6c61a8f6f224901d4b48e1494f","name":"Damien Crocq","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.itta.net\/wp-content\/uploads\/2024\/04\/damien-bio-1-100x100.jpg","url":"https:\/\/www.itta.net\/wp-content\/uploads\/2024\/04\/damien-bio-1-100x100.jpg","contentUrl":"https:\/\/www.itta.net\/wp-content\/uploads\/2024\/04\/damien-bio-1-100x100.jpg","caption":"Damien Crocq"},"description":"Damien est un professionnel dynamique, passionn\u00e9 par le marketing digital et le r\u00e9f\u00e9rencement naturel. Dipl\u00f4m\u00e9 d'un master en Web Marketing, il a acquis une solide exp\u00e9rience en e-commerce et a enseign\u00e9 sur des th\u00e9matiques de marketing digital. Aujourd'hui, il occupe le poste de sp\u00e9cialiste en marketing digital chez ITTA. Toujours curieux et innovant, Damien reste avant tout un passionn\u00e9 des technologies \u00e9mergentes, de l'informatique, de l'IA et du r\u00e9f\u00e9rencement naturel.","sameAs":["https:\/\/www.itta.net","https:\/\/www.linkedin.com\/in\/damien-crocq\/?originalSubdomain=fr"]}]}},"_links":{"self":[{"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/posts\/253889","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/users\/112"}],"replies":[{"embeddable":true,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/comments?post=253889"}],"version-history":[{"count":5,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/posts\/253889\/revisions"}],"predecessor-version":[{"id":254019,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/posts\/253889\/revisions\/254019"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/media\/253886"}],"wp:attachment":[{"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/media?parent=253889"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/categories?post=253889"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.itta.net\/en\/wp-json\/wp\/v2\/tags?post=253889"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}