NIS2 and Cybersecurity: What the New EU Directive Means for IT Contractors

The NIS2 Directive introduces new cybersecurity requirements for companies operating in the EU market, presenting specific obligations and opportunities for Ukrainian IT contractors.

The EU NIS2 Directive came into force in October 2024, significantly expanding the scope of entities required to comply with cybersecurity mandates. For Ukrainian companies providing services to EU clients, NIS2 serves as a practical benchmark.

Scope of NIS2

NIS2 covers “essential” and “important” entities across 18 sectors, including energy, transport, healthcare, digital infrastructure, cloud providers, and manufacturing. IT contractors serving these sectors fall under the directive’s purview due to supply chain requirements.

Key Requirements

NIS2 mandates that covered entities implement cybersecurity risk management, report incidents within 24 hours, maintain business continuity and recovery plans, assess supply chain risks, and train personnel in cyber hygiene practices.

Zero Trust as an Architectural Response

Zero Trust architecture — based on the principle of “never trust, always verify” — is one of the most effective approaches to meeting NIS2 requirements. It encompasses network microsegmentation, multi-factor authentication (MFA), least privilege access, and continuous monitoring of user behavior.

The Data Act: A Parallel Context

Alongside NIS2, the EU Data Act is gaining prominence, regulating the conditions for accessing data generated by IoT devices. For contractors, this translates into requirements for data portability and the prohibition of vendor lock-in.