Last updated on October 4, 2025
NO — The NIS2 Directive extended mandatory risk-management and incident-reporting duties to more sectors and many more organisations across the EU. Organisations in scope must adopt security measures, notify competent authorities or CSIRTs about serious incidents within specified timeframes, cooperate with supervision, and be prepared for audits or enforcement. The Directive moved reporting from an optional “good practice” to a legal obligation for many providers of critical and essential services; failing to report an incident that meets the thresholds can lead to supervision and penalties once Member States transpose the Directive. The Directive has been in force since 2023 and Member States have adopted implementing laws, so organisations cannot simply opt out.
https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
6/29/2023