Maciej Maciejowski · 9 min read

NIS2 for IT & Telecommunications


What is NIS2?

NIS2 (Network and Information Security Directive 2) is a European Union directive that entered into force in January 2023 and had to be transposed into national law by EU member states by October 2024. It replaces the original NIS Directive from 2016 and significantly expands the scope of cybersecurity obligations across critical sectors. The directive establishes a unified framework for managing cyber risks, incident reporting, and supply chain security across the European Union.

NIS2 and the IT & Telecommunications Industry

The IT and telecommunications sector sits at the absolute center of NIS2's regulatory ambitions. Telecom operators, internet service providers, cloud infrastructure companies, managed security service providers, and data center operators are all explicitly classified as either "essential" or "important" entities under the directive. This is not coincidental — these organizations form the backbone of digital infrastructure that every other critical sector depends upon.

Consider a telecommunications operator providing mobile connectivity to a national hospital network, or a cloud provider hosting the software systems of an energy grid operator. A breach or prolonged outage in either case cascades immediately into sectors that directly affect public safety. NIS2 acknowledges this interdependency by placing telecommunications companies and IT service providers under its strictest compliance tiers.

Internet exchange point operators, DNS service providers, top-level domain registries, and managed service providers offering security operations or IT outsourcing are all captured by the directive. For the telecom and IT industry, NIS2 is not a peripheral compliance concern — it is a core operational obligation that touches security architecture, vendor contracts, board governance, and incident response procedures simultaneously.

Key Requirements

  • Risk management measures: Organizations must implement documented cybersecurity risk management processes, including technical and organizational controls proportionate to the risk. For IT companies, this means formal asset inventories, threat modeling, and regular risk assessments covering both internal systems and services offered to customers.
  • Incident reporting obligations: Significant incidents must be reported to the relevant national authority within 24 hours of detection (early warning), with a full incident notification submitted within 72 hours and a detailed final report within one month. Telecommunications providers must also notify affected customers without undue delay when incidents may impact service availability or data integrity.
  • Supply chain security: Companies must assess and manage cybersecurity risks introduced by third-party suppliers and technology partners. A managed service provider, for example, must evaluate the security practices of its software vendors, hardware manufacturers, and subcontractors — and maintain contractual security requirements flowing down the supply chain.
  • Business continuity and crisis management: Entities are required to have tested business continuity plans, backup procedures, and disaster recovery capabilities. For telecom operators, this extends to redundancy in network infrastructure and documented failover procedures for core services.
  • Access control and authentication: Multi-factor authentication must be implemented across administrative and privileged access points. IT companies must enforce strict identity and access management policies, including regular access reviews and least-privilege principles.
  • Encryption and data security: NIS2 mandates the use of encryption for data in transit and at rest where appropriate, along with secure communications protocols. This directly applies to telecommunications operators transmitting customer data across their networks.
  • Security of human resources and awareness: Organizations must implement security policies covering employees, contractors, and third parties with access to systems. This includes background verification where applicable, mandatory security training, and clear procedures for staff departures.
  • Governance and board accountability: Senior management is personally accountable for cybersecurity compliance. Management bodies must approve cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. This represents a fundamental shift from delegating security to IT departments alone.
  • Vulnerability disclosure and patch management: Companies must have processes for identifying, evaluating, and remediating vulnerabilities in a timely manner. IT product and service providers are also encouraged to coordinate vulnerability disclosure with national CSIRT bodies.

Implementation Steps for IT & Telecommunications Companies

  1. Determine your classification and applicable obligations. Establish whether your organization qualifies as an "essential entity" (large telecommunications operators, major cloud providers, internet exchange points) or an "important entity" (mid-sized IT managed service providers, smaller telecom operators). The classification determines the supervisory regime and the severity of potential penalties — essential entities face proactive supervision and fines of up to 10 million euros or 2% of global annual turnover, whichever is higher.
  2. Conduct a gap analysis against NIS2 requirements. Map your current security posture against the ten minimum security measures defined in Article 21 of the directive. For a telecom operator, this might reveal gaps in supply chain security documentation or absence of a formal 24-hour incident escalation procedure. Document findings with risk ratings and assign ownership to specific roles.
  3. Register with the relevant national authority. Most EU member states require in-scope entities to register with their national NIS2 competent authority. Telecommunications companies may already have relationships with national regulatory bodies, but IT service providers and cloud companies may need to identify and approach the correct authority for the first time.
  4. Build or update your incident response plan with NIS2 timelines. The 24-hour early warning requirement is operationally demanding. You need detection and triage processes capable of identifying a "significant incident" quickly and routing it to the appropriate personnel who can initiate a regulatory notification. For large telecom operators with high volumes of security events, this may require automation and dedicated escalation workflows.
  5. Conduct supply chain security assessments. Audit your critical third-party relationships and create a tiered supplier risk register. Prioritize vendors with access to your most sensitive systems or customer data. Revise contracts to include cybersecurity requirements, audit rights, and incident notification obligations. For an IT company offering cloud hosting, this means reviewing the security standards of hardware vendors, co-location facility operators, and software component suppliers.
  6. Implement technical controls for access and encryption. Deploy multi-factor authentication across administrative interfaces, remote access points, and customer-facing management portals. Audit encryption practices for data in transit across network infrastructure and data at rest in storage systems. For telecommunications providers, review whether legacy network equipment supports current encryption standards and plan remediation where it does not.
  7. Engage the board and establish governance structures. Prepare board-level reporting on cybersecurity risk posture and NIS2 compliance progress. Establish a clear accountability structure identifying which member of senior management owns NIS2 compliance. Boards must not only approve the cybersecurity policy — under NIS2, they are legally required to oversee its implementation and can face personal liability for negligence.
  8. Train staff and build a security-aware culture. Deliver NIS2-specific training to senior management, technical staff, and employees with access to critical systems. For IT companies with distributed workforces or significant contractor use, extend training requirements and access control obligations contractually to these groups. Document training completion for regulatory evidence purposes.
  9. Test your controls and conduct regular audits. Perform penetration testing, tabletop incident response exercises, and business continuity drills on a defined schedule. For telecommunications providers, this should include simulations of network disruption scenarios and verification that backup systems and failover procedures function as documented.

Frequently Asked Questions

Which IT and telecom companies are actually covered by NIS2?

NIS2 covers a broad range of organizations in this sector. Telecommunications operators (fixed and mobile), internet service providers, data center service providers, cloud computing service providers, content delivery network providers, managed service providers, managed security service providers, online marketplace and search engine operators, and providers of public electronic communications networks are all captured. The key threshold for most sectors is size — organizations with more than 50 employees or an annual turnover above 10 million euros generally fall within scope. However, certain entities such as top-level domain registries and DNS providers are included regardless of size due to their critical infrastructure role.

What counts as a "significant incident" that must be reported within 24 hours?

NIS2 defines a significant incident as one that causes or is capable of causing severe operational disruption to services or financial loss to the organization, or that affects other natural or legal persons by causing considerable material or non-material damage. For a telecom operator, this could be a DDoS attack that degrades mobile network availability across a region, a breach of customer authentication systems, or a ransomware attack affecting network management infrastructure. The threshold is intentionally broad — when in doubt, organizations are expected to report and let the competent authority assess severity rather than make that determination unilaterally.

How does NIS2 interact with GDPR for IT and telecom companies?

NIS2 and GDPR operate in parallel and can both apply to the same incident. A data breach affecting customer personal data may trigger both GDPR notification requirements (to the data protection authority within 72 hours) and NIS2 incident reporting (to the NIS2 competent authority, potentially a different body). IT and telecom companies should map the overlap between these two frameworks in their incident response procedures and ensure that notification workflows address both regulatory obligations without assuming that one report satisfies the other. In some member states, authorities are coordinating to reduce duplicate reporting burdens, but this cannot be assumed.

What are the penalties for non-compliance with NIS2?

For essential entities — which includes most major telecommunications operators and large IT infrastructure providers — penalties can reach 10 million euros or 2% of total global annual turnover, whichever amount is higher. For important entities, the ceiling is 7 million euros or 1.4% of global annual turnover. Beyond financial penalties, NIS2 introduces the possibility of temporary bans on individuals from exercising managerial responsibilities when non-compliance results from their negligence. This personal liability dimension for executives makes NIS2 qualitatively different from many prior cybersecurity frameworks and is a major reason why board engagement is now a compliance requirement rather than merely good practice.

Summary

NIS2 represents the most significant expansion of mandatory cybersecurity obligations in European history, and for IT and telecommunications companies, compliance is not optional — it is a legal requirement carrying substantial financial and reputational consequences. The directive demands a fundamental shift from reactive security practices to structured, board-governed, continuously tested risk management embedded across the entire supply chain. Organizations that treat NIS2 as an opportunity to strengthen their security posture — rather than a checkbox exercise — will be better positioned to protect their customers, retain regulatory trust, and compete in a market where cybersecurity has become a genuine differentiator.
