
NIS2 Directive for Swiss Companies: The Ultimate Implementation Guide
- NIS2 affects more companies than expected: critical infrastructure + key sectors (50+ employees or 10M+ revenue)
- October 2024 was the deadline: EU member states had to implement the directive – enforcement comes in 2026
- Swiss companies are also affected: those operating in the EU or serving EU customers must comply
- Management is personally liable: this is new – the executive board can no longer delegate the topic and look away

Another EU Regulation… really now?
I know. You're probably thinking: “Yet another compliance requirement. Didn't we just digest GDPR?”
And yes… NIS2 is another EU thing. More paperwork, more new processes, more budget that was actually intended for innovation.
But here's the difference: NIS2 isn't just another checkbox exercise. The directive aims to create genuine cybersecurity resilience. And for Swiss companies – even though we're not in the EU – there's no way to ignore it.
Why? Because if you do business in the EU, if you have EU customers, if your supply chain includes EU companies… then you're in the thick of it. EU regulation has a funny way of spilling over Swiss borders.
Let's demystify the whole thing. Without legal jargon. Without scaremongering. Just practical: What is NIS2, who does it really affect, and how do you implement it without spending the next two years on nothing else?
What exactly is NIS2?
NIS2 stands for “Network and Information Security Directive 2” – the second version of the EU directive on network and information security.
The first NIS directive came out in 2016 and… well, it was a bit toothless. Requirements that were too vague, too few affected companies, hardly any enforcement. The EU realized: That's not enough.
So NIS2 came along. Passed at the end of 2022, with an implementation deadline of October 2024 for EU member states.
What's different?
Firstly: The scope has been massively expanded. Where the old NIS directive only affected a handful of sectors (energy, health, transport), NIS2 now covers 18 sectors. Yes, eighteen.
Secondly: The requirements are much more specific. No longer “you might want to think about cybersecurity sometime” but clear guidelines on risk management, incident response, supply chain security, etc.
Thirdly: The penalties have real teeth. Up to 10 million euros or 2% of global annual revenue. And – that's new – personal

Copyright © 2025 ODCUS | All rights reserved.

