NIS2 (EU Directive 2022/2555): cybersecurity obligations and what changes for Brazilian companies operating in the European Union
Direct answer
NIS2 (EU Directive 2022/2555) is the European cybersecurity rulebook that broadens the scope of the former NIS Directive, covering both essential and important sectors. It requires risk management with the minimum measures set out in Article 21, phased incident reporting (early warning within 24h, notification within 72h, and a final report within 1 month), and holds top management accountable. Brazilian companies are usually caught indirectly, as suppliers to entities regulated within the bloc.
Key takeaways
- ›NIS2 replaces the NIS Directive (2016/1148) and expands the number of covered sectors and entities, classifying them as essential or important entities under distinct supervisory regimes.
- ›The core obligations are cybersecurity risk management (the minimum measures of Article 21), phased incident reporting (24h, 72h, and 1 month), and direct accountability of management bodies.
- ›As a directive, NIS2 does not apply directly: each Member State transposes it into national law, with a transposition deadline of 17 October 2024.
- ›Brazilian companies are rarely regulated directly, but they are caught through supply chain security (Article 21) when they supply software, managed services, or infrastructure to covered European entities.
- ›NIS2 provides for substantial administrative fines and management accountability measures, making compliance a matter of governance and not just of IT.
- ›Getting ready requires mapping contractual exposure with European clients, aligning controls to Article 21, and building an incident response capability compatible with the notification deadlines.
What NIS2 is and why it replaces the previous directive
NIS2 is Directive (EU) 2022/2555 of the European Parliament and of the Council, published on 14 December 2022, on measures for a high common level of cybersecurity across the European Union. It repeals Directive (EU) 2016/1148, known as NIS, which was deemed insufficient given the expanding attack surface and the inconsistency in how Member States applied the original rule.
The stated goal is to raise and harmonize cybersecurity maturity across the European internal market. NIS2 standardizes the criteria for including entities, defines a minimum set of risk management measures, harmonizes incident notification obligations, and strengthens the supervision and cooperation mechanisms among national authorities.
Because it is a directive and not a regulation, NIS2 does not produce immediate direct effects on companies. It binds the Member States, which must transpose its content into national law. This means a company's concrete obligation arises from the national transposition law of the country where the European client is established, and not from the text of the directive on its own.
Who is covered: essential and important sectors
NIS2 classifies covered entities into two categories: essential entities and important entities. Annexes I and II of the directive list the sectors. Annex I covers sectors of high criticality, such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space.
Annex II covers other critical sectors, including postal and courier services, waste management, the manufacture, production, and distribution of chemicals, the production and distribution of food, the manufacture of certain products, digital service providers (such as online marketplaces, search engines, and social networking platforms), and research.
As a rule, classification combines sector and size. A general size threshold applies: medium and large entities in the listed sectors tend to be covered, with essential entities subject to proactive supervision and important entities to reactive supervision, triggered after signs of non-compliance. There are exceptions in which smaller entities are also included, for example when they provide critical services whose disruption would have a significant impact, in accordance with the criteria of Article 2 and Article 3 of the directive.
Reach for companies outside the EU and the supply chain effect
A Brazilian company with no establishment in the European Union is generally not an entity directly regulated by NIS2. The directive focuses on entities that provide services or are established within the bloc. There are, however, specific jurisdiction rules for certain digital service and infrastructure providers, which may be required to designate a representative in the Union when they offer services within it, in accordance with the jurisdiction and territoriality criteria of Article 26.
The most common practical reach for Brazilian companies is indirect, through supply chain security. Article 21 requires covered European entities to consider the risks associated with their suppliers and service providers, including the quality of those partners' cybersecurity practices. In practice, this pushes contractual requirements down to software vendors, managed service providers, integrators, and infrastructure operators located outside the bloc.
For a SaaS company, an exporting manufacturer, or a Brazilian services firm that serves regulated European clients, this usually materializes as contractual clauses, security questionnaires, short-deadline incident notification requirements, and audit rights. Ignoring this chain effect can lead to lost contracts or exclusion from supplier qualification processes.
The obligations: Article 21 measures and management accountability
The heart of the obligations lies in Article 21, which establishes cybersecurity risk management measures based on an all-hazards approach. The minimum set includes policies on risk analysis and information system security; incident handling; business continuity and crisis management; supply chain security; security in the acquisition, development, and maintenance of systems, including vulnerability management; policies and procedures to assess the effectiveness of the measures; basic cyber hygiene practices and training.
The list continues with policies on the use of cryptography and, where appropriate, encryption; human resources security, access control policies, and asset management; and, where appropriate, multi-factor or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems. The measures must be proportionate to the risk, the size, and the exposure of the entity.
NIS2 introduces explicit accountability for top management. Article 20 requires the management bodies of the entities to approve the risk management measures, oversee their implementation, and be held liable for infringements. The directive also provides that the members of those bodies receive adequate training to identify risks and assess cybersecurity practices, shifting the topic to the level of corporate governance.
Incident reporting: the 24h, 72h, and 1-month deadlines
Article 23 establishes a phased regime for notifying significant incidents, addressed to the competent authority or the designated CSIRT. An incident is considered significant when it causes, or is capable of causing, severe operational disruption of services or financial losses, or when it affects other natural or legal persons, causing considerable material or non-material damage.
The first milestone is the early warning, which must be made without undue delay and, in any event, within 24 hours of the entity becoming aware of the significant incident. Next, within 72 hours, an incident notification must be submitted with an initial assessment, including severity, impact, and, where available, indicators of compromise.
At the request of the CSIRT or the authority, intermediate reports may be required. The final report must be submitted within one month of the incident notification, containing a detailed description, the type of threat or root cause, the mitigation measures applied, and, where applicable, the cross-border impact. For a company in the supply chain, meeting these contractual deadlines requires detection and response processes that are already structured, and not improvised after the incident.
Transposition by the Member States and how a Brazilian company prepares
The directive set 17 October 2024 as the deadline for Member States to adopt and publish the transposition measures, to apply from the following day. In practice, the pace of transposition varied across countries, so the specific obligations, competent authorities, significant-incident thresholds, and sanction regimes depend on the national law applicable to each European client.
For a Brazilian company, preparation begins by mapping exposure: identifying which European clients are essential or important entities, in which Member States they operate, and which contractual obligations already arise or will arise from that status. In parallel, it is advisable to align internal controls with the Article 21 measures, with emphasis on risk management, supply chain security, vulnerability management, and incident response capability.
NIS2 also provides for robust sanction regimes, with administrative fines that, for essential entities, can reach significant amounts set in proportion to turnover, plus additional measures on management. Although the sanctions fall on the regulated entities, the effect propagates to suppliers via contract. Structuring compliance in a documentable way becomes a competitive edge in the race for European contracts, and not merely a legal defense.
How to comply
- 1
Map your NIS2 exposure
List your European clients and prospects, identify which qualify as essential or important entities and in which Member States they operate, in order to understand the applicable national transposition law.
- 2
Review contracts and security clauses
Analyze existing contracts and supply templates for cybersecurity obligations, incident notification deadlines, audit rights, and supply chain requirements derived from Article 21.
- 3
Run a gap assessment against Article 21
Compare your current controls with the minimum measures of Article 21, including risk management, incident handling, continuity, cryptography, access control, and MFA, and document the gaps.
- 4
Structure risk management and supply chain security
Implement a risk analysis policy, assessment of your own suppliers, and vulnerability management, ensuring traceability of decisions for audit and governance purposes.
- 5
Build detection and response capability
Deploy continuous monitoring and an incident response plan with defined roles, capable of sustaining a 24-hour early warning, a 72-hour notification, and a final report within 1 month when contractually required.
- 6
Engage top management
Present the risks and obligations to the management body, formalize approval of the measures, and provide adequate training, reflecting the accountability set out in Article 20.
- 7
Keep evidence and review periodically
Document policies, tests, and incidents, and reassess the controls in regular cycles and whenever there is a relevant change of client, service, or threat.
Frequently asked questions
Does NIS2 apply directly to my Brazilian company?
As a rule, not directly, if the company has no establishment in the EU. The reach is usually indirect, via the supply chain, when you supply software, managed services, or infrastructure to covered European entities that pass requirements down by contract. There are specific jurisdiction rules for certain digital providers in Article 26.
What is the difference between an essential entity and an important entity?
Both have the same risk management and notification obligations, but they differ in the supervision and sanction regime. Essential entities are subject to proactive supervision and more severe sanction regimes; important entities are under reactive supervision, triggered when there are signs of non-compliance.
What are the incident notification deadlines?
There are three main milestones: an early warning within 24 hours of becoming aware of the significant incident, a notification with an initial assessment within 72 hours, and a final report within one month. Intermediate reports may be requested by the authority or the CSIRT, in accordance with Article 23.
What changes for the company's top management?
NIS2 explicitly holds management bodies accountable. They must approve and oversee the risk management measures and can be held liable for infringements, in addition to receiving adequate training to assess cybersecurity practices, in accordance with Article 20.
Is NIS2 already in force?
The directive has been in force since 2023, but, being a directive, it depends on national transposition. The deadline for Member States to transpose it was 17 October 2024. The concrete obligations arise from the national law applicable to each European client, whose pace of adoption has varied across countries.
What minimum measures does Article 21 require?
Among others: risk analysis and security policies, incident handling, continuity and crisis management, supply chain security, vulnerability management, effectiveness assessment, cyber hygiene and training, cryptography, access control, asset management, and, where appropriate, multi-factor authentication.
What sanctions does NIS2 provide for?
The directive sets sanction regimes with administrative fines, proportionate to turnover and more severe for essential entities, in addition to measures on management. The sanctions fall on the regulated entities, but the impact propagates to suppliers through contractual requirements.
How do I start preparing in practical terms?
Start by mapping your exposure with regulated European clients, review contracts, run a gap assessment against Article 21, build risk management and incident response compatible with the 24h, 72h, and 1-month deadlines, and engage top management. Decripte supports this journey with risk management, monitoring and SOC, incident response, and compliance under its Regulatory Security practice.
Sources
Decripte implements compliance — without you building an in-house team.
Adherence assessment, auditable technical controls, pentest and documentation for the regulator/auditor. Or start free by seeing what is already exposed.
