NIS2 Directive and Your Website: Cybersecurity Requirements 2026
Who is covered by NIS2, what technical measures are required, and what the directive means for your organisation's website — compliance checklist 2026.
NIS2 — New Cybersecurity Standards for Websites
The NIS2 Directive (Directive 2022/2555 of the European Parliament and of the Council of 14 December 2022) replaced the original NIS Directive and significantly expanded the scope of entities subject to cybersecurity obligations. For organisations operating in the EU, NIS2 introduces new requirements for risk management, incident response, and transparency — including on the organisation's website.
Who Does NIS2 Apply To?
NIS2 substantially broadens the personal scope compared to NIS1. It now covers two categories:
- Essential entities: Energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, public administration, and space. Large enterprises (≥250 employees or turnover ≥€50m).
- Important entities: Postal and courier services, waste management, manufacture and distribution of chemicals, food production, manufacturing (medical devices, vehicles, machinery), digital services (platforms, search engines, social networks), and research organisations. Medium-sized enterprises (≥50 employees or turnover ≥€10m).
A critical addition: NIS2 now covers digital service providers — including e-commerce platforms, content delivery networks (CDNs), domain name registries, and DNS providers. If your organisation provides such services, you are an important or essential entity regardless of size.
NIS2 Risk Management Requirements
Art. 21 of NIS2 requires covered entities to implement appropriate and proportionate technical, operational, and organisational measures. These include:
- Risk analysis and information system security policies — a documented approach to identifying and evaluating threats.
- Incident handling — plans and procedures for managing security incidents.
- Business continuity — backup management, disaster recovery, and crisis management.
- Supply chain security — verifying the security of suppliers and service providers (hosting, CDN, payment gateways).
- Security in the acquisition, development and maintenance of systems — including vulnerability handling and disclosure.
- Policies and procedures to assess the effectiveness of risk management measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies on the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies, and asset management.
- Multi-factor authentication (MFA) or continuous authentication solutions.
Incident Reporting Obligations
NIS2 introduces strict deadlines for reporting significant cybersecurity incidents:
- 24 hours: An early warning to the CSIRT (Computer Security Incident Response Team) or competent authority — if the incident is suspected to result from unlawful or malicious acts, or may have a cross-border impact.
- 72 hours: An incident notification with an initial assessment of the incident's severity, indicators of compromise, and — where applicable — an indication of whether it results from unlawful acts.
- 1 month: A final report containing a detailed description, the type of threat, root cause, cross-border impact, and remedial measures taken.
Significance threshold: an incident that causes or is capable of causing severe operational disruption or financial losses for the entity concerned, or affects or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
What Does NIS2 Mean for Your Website?
An organisation's website is part of its digital infrastructure and is subject to NIS2 requirements in several respects:
- Privacy and security policy: Should include information on security measures used to protect user data, encryption in use (HTTPS/TLS), and breach response procedures.
- Vulnerability disclosure contact: It is recommended to implement a responsible disclosure policy — for example, a security@domain.eu address or a security.txt file (RFC 9116) on the website.
- Supplier transparency: If your website uses third-party services (CDN, hosting, payment gateways), they should be identified in the privacy policy as processors or third parties.
- Forms and user data: All forms on the website must use HTTPS. Transmitting data over an unencrypted channel is a violation of both GDPR and NIS2.
- Third-party plugins and scripts: NIS2 addresses supply chain risk — every external script (analytics, chatbot, widget) is a potential attack vector. Organisations should control and audit these dependencies.
Penalties for NIS2 Violations
NIS2 introduces a robust sanctions regime:
- Essential entities: up to €10 million or 2% of global annual turnover (whichever is higher).
- Important entities: up to €7 million or 1.4% of global annual turnover (whichever is higher).
Critically, NIS2 introduces personal liability for management board members — supervisory authorities may impose a temporary ban on the exercise of managerial functions on individuals where violations result from their negligence.
NIS2 Compliance Checklist
Minimum requirements for entities covered by NIS2:
- Website uses HTTPS exclusively (valid TLS certificate, HTTP→HTTPS redirect).
- MFA implemented for all administrative accounts and CMS panels.
- Regular penetration testing and vulnerability scanning (at least annually).
- Documented incident management policy with a designated CSIRT or contact point.
- Security verification of key suppliers (hosting, DNS, CDN).
- Business continuity plan with tested backup restoration procedures.
- Responsible vulnerability disclosure policy (security.txt or dedicated email address).
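As an added example that is not part of the original article, a small Python validator for the security.txt file recommended in the website section and in the checklist above: it parses the file body as RFC 9116 describes and reports the defects that most often make a disclosure contact unusable (a missing or non-URI Contact, a missing, duplicated, expired or too-distant Expires). The domain.eu address and the dates are constructed sample values, not real data.

```python
import re
from datetime import datetime, timedelta, timezone
REQUIRED = {"contact", "expires"}                 # RFC 9116: MUST be present
SINGLE_USE = {"expires", "preferred-languages"}   # RFC 9116: at most once
URI_SCHEME = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:")  # mailto:, https:, tel:
FIXED_NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # reference time for samples

def validate_security_txt(text, now=None):
    """Return a list of problems for a security.txt body; empty means it passes."""
    now = now or datetime.now(timezone.utc)
    fields, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):         # blank lines and comments
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            problems.append(f"line {lineno}: not a 'Field: value' line")
            continue
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    problems += [f"missing required field {n.title()}" for n in sorted(REQUIRED - fields.keys())]
    for name in sorted(SINGLE_USE & fields.keys()):
        if len(fields[name]) > 1:
            problems.append(f"{name.title()} must appear only once")
    for contact in fields.get("contact", []):
        if not URI_SCHEME.match(contact):             # a bare e-mail needs mailto:
            problems.append(f"Contact is not a URI: {contact}")
    for value in fields.get("expires", []):
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if expires.tzinfo is None:
            problems.append(f"Expires lacks a time zone: {value}")
        elif expires <= now:
            problems.append(f"Expires is in the past: {value}")
        elif expires - now > timedelta(days=365):
            problems.append(f"Expires is more than a year away: {value}")
    return problems
SAMPLE_OK = """# Constructed sample: domain.eu and the dates are placeholders
Contact: mailto:security@domain.eu
Expires: 2026-12-31T23:59:00.000Z
Preferred-Languages: en, pl
"""
SAMPLE_BAD = """Contact: security@domain.eu
Expires: 2024-01-01T00:00:00Z
Expires: 2027-01-01T00:00:00Z
"""
```

Feed it the body fetched over HTTPS from /.well-known/security.txt; an empty list means the file meets the checks, anything else is a finding to fix before relying on the contact in an incident.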