Introduction
On November 28, 2022, the EU adopted the Directive (EU) 2022/2555 ("NIS 2"), marking a significant expansion of its cybersecurity regulatory framework [1]. Building on the original Network and Information Systems Directive ("NIS 1") [2], it aims to create a more resilient and harmonized digital environment across the EU.
Canadian businesses, irrespective of their location, may have obligations related to NIS 2 if they offer services to, or operate within, the EU.
What is NIS 2?
Compared to NIS 1, NIS 2 includes a broader range of public and private sector entities, introduces stricter risk management and incident reporting obligations, and strengthens enforcement through enhanced supervisory powers.
NIS 2 permits competent authorities to conduct audits, issue binding instructions, and impose corrective measures where necessary. Compliance requires the implementation of solutions such as advanced IT security frameworks, regular employee training, robust incident response protocols, and readiness for ongoing oversight, including inspections and formal compliance assessments.
How are NIS 2 Obligations Implemented?
Unlike the other texts of this series, which are regulations, NIS 2 is a directive: it does not apply directly as national law. Instead, each EU Member State must adopt a national law that transposes the directive into its own legislation. As a result, there may be some regional differences in its implementation. For example, Hungary, Finland, and Belgium exclude the banking and financial sectors, as these are covered under the Digital Operational Resilience Act (DORA) [3]. Other Member States have gone beyond the minimum requirements of the directive. Spain, in its draft legislation, includes the nuclear industry, while Poland includes mineral extraction under the energy sector and electronic communications under digital infrastructure.
Following the October 2024 deadline to transpose NIS 2, 23 Member States faced infringement procedures for failing to notify the European Commission of their national measures [4]. By May 2025, 19 had still not complied and were issued a reasoned opinion with a two-month deadline [5]. As of the date of this Bulletin, 14 Member States have transposed NIS 2 into national law [6], while 13 others have draft legislation pending. If these 13 fail to meet the new deadline, the Commission may refer their cases to the EU Court of Justice.
Who Has NIS 2 Obligations?
NIS 2 related obligations can apply to both public and private entities depending on the criticality of the sector in which an entity operates and the significance of the entity itself.
Sectors are classified according to their importance to the functioning of the economy and society. Those deemed highly critical—such as energy and digital infrastructure—are subject to more stringent cybersecurity obligations. In contrast, other critical sectors—including postal and courier services—face slightly less rigorous requirements.
Entities are further categorized based on their size and role. Essential entities are generally large organizations that deliver services fundamental to society and the economy. Important entities typically include medium-sized businesses operating in highly critical sectors, or medium to large enterprises in other critical sectors [7], [8].
Do Canadian Businesses Need to Comply?
Canadian businesses in highly critical or critical sectors providing essential or important services within the EU may have NIS 2 related compliance obligations. They must also designate a legal representative in an EU Member State where their services are offered.
Non-compliance with NIS 2 related obligations can result in significant penalties. Essential entities may face fines of up to €10 million or 2% of global annual turnover, while important entities could incur fines up to €7 million or 1.4% of global annual turnover.
Transposition laws may provide additional sanctions. For example, Belgium's law allows the national cybersecurity authority to temporarily suspend an entity's services or activities, or to temporarily prohibit individuals in managerial roles from exercising their responsibilities within that entity [9]. France's draft law has similar provisions [10].
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.