The NIS2 Directive (Network and Information Security Directive 2, Directive (EU) 2022/2555) is the most comprehensive cybersecurity regulation the EU has enacted to date. Since 18 October 2024 it has replaced the original NIS Directive of 2016 and substantially expands its scope: from 7 to 18 sectors, with stricter requirements, shorter reporting deadlines and personal liability for senior management. Switzerland is not an EU member, but for Swiss companies with EU business NIS2 is nonetheless directly relevant.
What NIS2 Changes
The original NIS Directive primarily covered operators of essential services in seven sectors and a narrow set of digital service providers. NIS2 extends the scope to 18 sectors and now also covers manufacturing, food production, waste management, postal and courier services, public administration, ICT service management and an enlarged digital infrastructure sector that includes cloud providers, data centre services and managed service providers.
Affected organisations are classified into two categories, based mainly on sector and company size. Essential entities are subject to both proactive (ex-ante) and reactive (ex-post) supervision, including regular and targeted audits. Important entities are subject to ex-post supervision only, i.e. reviews triggered by evidence or indications of non-compliance.
The Five Core Obligations
1. Risk management measures (Art. 21). Article 21(2) lists ten minimum measures: policies on risk analysis and information system security; incident handling; business continuity (backup management, disaster recovery) and crisis management; supply chain security; security in the acquisition, development and maintenance of systems, including vulnerability handling and disclosure; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and cybersecurity training; policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies and asset management; and the use of multi-factor or continuous authentication together with secured voice, video, text and emergency communications.
2. Incident reporting obligations (Art. 23). For a significant incident, an early warning must be submitted to the CSIRT or competent authority within 24 hours of becoming aware of it. An incident notification with an initial assessment of severity and impact and, where available, indicators of compromise is due within 72 hours of awareness. A final report with a root cause analysis and the mitigation measures applied follows no later than one month after the incident notification; if the incident is still ongoing at that point, a progress report is submitted instead and the final report within one month of the incident being handled.
3. Supply chain security. Organisations must assess and contractually secure the cybersecurity of their suppliers and service providers – including software vendors, cloud providers and managed service providers.
4. Business continuity and crisis management. Backup strategies, disaster recovery plans and crisis management processes are no longer recommendations – they are mandatory. Plans must be tested regularly.
5. Management responsibility. Management bodies must approve risk management measures, oversee their implementation and participate in cybersecurity training. Personal liability applies in cases of non-compliance. NIS2 explicitly makes cybersecurity a board-level matter.
Sanctions
Fines follow the GDPR model. Member states must provide for maximum fines of at least 10 million euros or 2% of total worldwide annual turnover of the preceding financial year (whichever is higher) for essential entities, and at least 7 million euros or 1.4% of turnover for important entities; national law may set higher maximums. For essential entities, supervisory authorities may additionally suspend certifications or authorisations and temporarily prohibit persons with managerial responsibilities at CEO or legal representative level from exercising management functions.
Implementation Status in the EU
The deadline for national transposition expired on 17 October 2024. As of early 2026, approximately 20 of the 27 member states have completed transposition, with Germany, Austria and Portugal only belatedly. The European Commission opened infringement proceedings against 23 member states in November 2024 and escalated them with reasoned opinions against 19 member states in May 2025. In January 2026, targeted amendment proposals to simplify NIS2 compliance followed.
What NIS2 Means for Swiss Companies
Switzerland is not directly bound by NIS2. In practice, however, the directive affects Swiss companies in three ways:
- EU subsidiaries: Swiss groups with establishments in the EU are directly subject to national NIS2 transposition laws there.
- Services in the EU market: Swiss companies that offer certain digital services in the EU (DNS, TLD registries, cloud, data centre, CDN, managed and managed security services, online marketplaces, search engines, social networks) fall within scope regardless of their registered office if they meet the size and sector criteria (Art. 26). They must designate a representative in a member state in which they offer the services and are then subject to that state's jurisdiction.
- Supply chain requirements: EU companies must assess the cybersecurity of their suppliers. Swiss suppliers will need to provide NIS2-compliant evidence – de facto, NIS2 is exported through the supply chain.
Swiss ISA Compared to NIS2
The Swiss Information Security Act (ISA) has been in force since January 2024 and is primarily directed at federal authorities and operators of critical infrastructure. Key differences:
- Scope: The ISA focuses on federal authorities and operators of critical infrastructure. NIS2 covers 18 sectors and, as a rule, every entity in those sectors that is at least medium-sized (50 or more employees, or more than 10 million euros annual turnover), plus certain smaller entities such as DNS and TLD providers regardless of size.
- Reporting obligations: Since 1 April 2025, the ISA requires operators of critical infrastructure to report cyberattacks to BACS (the Federal Office for Cybersecurity, formerly NCSC) within 24 hours of discovery. NIS2 has three tiers: 24-hour early warning, 72-hour incident notification, final report within one month of that notification.
- Management liability: NIS2 explicitly provides for personal liability of senior management. The ISA has no comparable provision.
- Sanctions: NIS2 fines reach at least 10 million euros / 2% of turnover. The ISA provides for significantly lower sanctions: fines of up to CHF 100,000 for wilful breaches of the reporting obligation.
- Supply chain: NIS2 sets explicit requirements for supply chain security. The ISA remains less detailed in this area.
For Swiss companies with EU business, ISA compliance alone is not sufficient. An ISMS based on ISO 27001 provides the common foundation to efficiently cover both regulatory frameworks.
Recommendations for Action
Swiss companies should assess now whether they are directly or indirectly affected: analyse EU business relationships and any EU establishments, determine whether the company or its EU customers fall into an essential or important category, conduct a gap assessment against the Article 21 measures, align incident response with the 24-hour/72-hour/one-month reporting deadlines and involve senior management in cybersecurity governance.
How Zerberos Can Help
Translating regulatory requirements into concrete security measures – that is our core business. We support Swiss companies with:
- NIS2 impact analysis: Determining whether and how your company is affected by NIS2
- Gap assessment: Systematic comparison of your current state with NIS2 requirements
- Security roadmap: Prioritised action plan to close identified gaps
- Incident response planning: Building processes that meet NIS2 reporting deadlines
- Executive advisory: Management briefings on liability risks and governance obligations
Contact us for a no-obligation initial consultation.
Sources
- Directive (EU) 2022/2555 (NIS2), EUR-Lex, eur-lex.europa.eu/eli/dir/2022/2555
- ENISA, NIS2 Directive Guidance, enisa.europa.eu
- European Commission, NIS2 Directive – Securing Network and Information Systems, digital-strategy.ec.europa.eu
- ECSO, NIS2 Directive Transposition Tracker, ecs-org.eu
- Swiss Information Security Act (ISA), Federal Chancellery, fedlex.admin.ch
- BNC, Swiss ISG vs. EU Directive NIS-2: A Comparison, bnc.ch