
NIS2 Directive for Swiss Companies

Franco T.

Jan 10, 2026

Too Long; Didn't Read

  • NIS2 affects more companies than expected: critical infrastructure + key sectors (50+ employees or 10M+ revenue)

  • October 2024 was the deadline: EU member states had to implement the directive – enforcement comes in 2026

  • Swiss companies are also affected: those operating in the EU or serving EU customers must comply

  • Management is personally liable: this is new – the executive board can no longer delegate and overlook


Another EU Regulation... really now?

I know. You're probably thinking: “Yet another new compliance requirement. Didn't we just digest GDPR?”

And yes... NIS2 is another one of those EU things. More paperwork, more new processes, more budget that was actually meant for innovation.

But here's the difference: NIS2 is not just another checkbox exercise. The directive aims to create real cybersecurity resilience. And for Swiss companies – even if we're not in the EU – there's no way to ignore it.

Why? Because if you do business in the EU, if you have EU customers, if your supply chain includes EU companies... then you're right in the middle. EU regulation has a funny way of spilling over Swiss borders.

Let's demystify it. Without legal jargon. Without scaremongering. Just practical: What is NIS2, who does it really affect, and how do you implement it without spending the next two years solely on it?

What is NIS2 exactly?

NIS2 stands for “Network and Information Security Directive 2” – the second version of the EU directive on network and information security.

The first NIS directive came in 2016 and... well, was a bit toothless. Requirements that were too vague, too few companies affected, little enforcement. The EU realized: That's not enough.

So NIS2 came. Adopted at the end of 2022, with implementation due by October 2024 for EU member states.

What's different?

First: The scope has been massively expanded. Where the old NIS directive only affected a handful of sectors (energy, health, transport), NIS2 now covers 18 sectors. Yes, eighteen.

Second: The requirements are much more specific. No more “you should maybe think about cybersecurity”, but clear guidelines on risk management, incident response, supply chain security, etc.

Third: The penalties have real teeth. Up to 10 million euros or 2% of the global annual revenue. And – this is new – personal liability for management.

And for Swiss companies?

Here's where it gets interesting. Switzerland is not in the EU. We are not obliged to adopt EU directives 1:1.

But (and this is a big but)...

If your company:

  • Has subsidiaries in the EU

  • Provides critical services for EU customers

  • Is part of the supply chain of EU companies

  • Operates in the EU (even partially)

...then you can't ignore NIS2. Your EU partners will demand proof of compliance. Contracts will include NIS2 clauses. And Swiss authorities are paying close attention to how EU standards develop.

We see this with GDPR – many Swiss companies practically had to become GDPR compliant, even if the Swiss Data Protection Act (DPA) was of a slightly different nature.

It will be similar for NIS2.

Does NIS2 affect your company?

The most important question first: Are you even affected?

NIS2 distinguishes between two categories:

1. Essential Entities

These are the “critical” sectors:

  • Energy: Electricity, gas, oil, district heating, hydrogen

  • Transport: Aviation, rail, shipping, road transport

  • Banking & Financial Market Infrastructure

  • Healthcare: Hospitals, laboratories, research institutions, pharma

  • Drinking Water & Wastewater

  • Digital Infrastructure: Internet exchange points, DNS providers, TLD registries, cloud services, data centers

  • Space: Yes, satellite operators.

  • Public Administration (only at central level)

2. Important Entities

The expanded network:

  • Postal and Courier Services

  • Waste Management

  • Chemical Production & Distribution

  • Food Production & Distribution

  • Manufacturing: Medical devices, computers/electronics, machinery, vehicles

  • Digital Services: Online marketplaces, search engines, social media platforms, B2B SaaS

  • Research Organizations

Sounds broad, right? That's intentional. The EU wanted to cover all areas that could seriously disrupt the economy or society in the event of a cyberattack.

The Size Thresholds

Not every small startup is affected. There are thresholds:

You are affected if you have:

  • 50 or more employees, OR

  • More than 10 million euros in annual revenue

There are exemptions for smaller companies in certain sectors… but if you are in a critical area, you're probably not getting around it.

The Swiss Self-Assessment Check

Okay, practically. Answer these questions:

1. Sector Check:

  • [ ] Is my company active in one of the 18 NIS2 sectors?

  • [ ] Do I operate critical infrastructure (energy, transport, health, etc.)?

  • [ ] Do I offer digital services (cloud, SaaS, data center)?

2. Size Check:

  • [ ] Do I have 50+ employees?

  • [ ] Does my annual revenue exceed 10 million euros?

3. EU Exposure Check:

  • [ ] Do I have branches or subsidiaries in the EU?

  • [ ] Are my customers EU companies in regulated sectors?

  • [ ] Am I part of the supply chain of NIS2-mandated companies?

  • [ ] Do I process data from EU citizens or companies?

If you answer at least one question per category with “Yes”... welcome to the NIS2 club.

The Gray Zone: Swiss Peculiarities

This is where it gets complicated. Switzerland will likely develop its own cybersecurity law (similar to how we have our DPA instead of GDPR).

So even if you are purely focused on the Swiss market: The direction is clear. Cybersecurity minimum standards are coming. Becoming NIS2-compliant is also a good preparation for purely Swiss companies.

The 10 Key NIS2 Requirements

Now it gets concrete. What does NIS2 actually require from you?

Here are the ten core requirements, without legal jargon:

1. Risk Management

What it means: You need to systematically identify, assess, and manage your cyber risks.

In practice:

  • Regular risk analyses (at least annually, better quarterly)

  • Documented risk assessment methodology

  • Prioritization by criticality

  • Action plan for risk reduction

This is not new... but NIS2 requires that you document and prove it.

The Reality Check: Most companies do informal risk analyses (“Yes, we know our HR system is outdated”). NIS2 wants formal processes.

2. Incident Response (24-hour Reporting Obligation!)

What it means: You must report cybersecurity incidents within 24 hours. To the competent authority (in EU countries the CSIRT – Computer Security Incident Response Team).

In practice:

  • Incident response plan must exist

  • Clear escalation paths

  • 24h: initial report (early warning) to the authority

  • 72h: interim report

  • 30 days: final report

The Reality Check: Many companies discover breaches only after weeks or months. NIS2 says: You have 24 hours. That is... ambitious. But achievable with the right monitoring tools.

For Swiss companies: Switzerland currently has no 24-hour reporting obligation. But if you serve EU customers, you must adhere to their rules.

3. Business Continuity & Disaster Recovery

What it means: You need a plan on how to resume operations after a cyberattack.

In practice:

  • Business Continuity Plan (BCP)

  • Disaster Recovery Plan (DRP)

  • Backup strategy (and regular tests!)

  • Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

The Reality Check: “We have backups” is not enough. You need to show that you can also restore them. And how long it takes.

We often see: Companies have backups. But the restore procedure was never tested. Or the backups are encrypted... but the decryption key is on the system that was just encrypted. Oops.

4. Supply Chain Security (Supply Chain Risks)

What it means: You are responsible for the cybersecurity of your suppliers and service providers.

In practice:

  • Security assessment of your critical suppliers

  • Contractual security requirements

  • Monitoring and audits

  • Incident-notification clauses

The Reality Check: This is tough. You can't audit every supplier. But you must identify the critical ones and know their security level.

The SolarWinds attack in 2020 showed: Your weakest link is often not in your house, but in the supply chain.

5. Network Security

What it means: You must protect your network. Sounds mundane, but NIS2 is specific:

In practice:

  • Segmentation (Zero Trust approach)

  • Firewalls and Intrusion Detection/Prevention

  • VPN for remote access

  • Network monitoring

Related post: Zero Trust – Where Do I Actually Start?

The Reality Check: Many companies have “flat networks” – everything can communicate with everything. That's the opposite of what NIS2 wants.

Micro-segmentation is the gold standard. Yes, it's complex. But a ransomware incident is more complex.

6. Access Control

What it means: Only authorized persons may access critical systems.

In practice:

  • Multi-factor authentication (MFA) everywhere

  • Least privilege principle (minimal rights)

  • Regular access reviews

  • Strong password policies

  • Privileged Access Management (PAM) for admin accounts

The Reality Check: MFA is not optional in 2025. Period.

And no, SMS-based MFA is not good enough. Authenticator apps or hardware tokens.

7. Cryptography & Encryption

What it means: Data must be encrypted. In transit and at rest.

In practice:

  • TLS 1.3 for all connections

  • Encrypted databases

  • Encrypted backups

  • Key management (who has access to encryption keys?)

The Reality Check: “Our data is in the cloud, it's safe” – no. You must control who has the encryption keys.

8. Employee Training (Security Awareness)

What it means: Your employees must be regularly trained in cybersecurity.

In practice:

  • Annual security awareness training (minimum)

  • Phishing simulations

  • Incident reporting training

  • Role-specific training (e.g. for developers, admins)

The Reality Check: The most annoying compliance training in the world. But also the most important. 90% of breaches start with phishing or social engineering.

9. Security Tests & Audits

What it means: You must regularly test whether your security measures work.

In practice:

  • Vulnerability scans (monthly or quarterly)

  • Penetration tests (annually, after major changes)

  • Security audits (internal or external)

  • Code reviews (for software development)

The Reality Check: “We've never had an attack, so we're safe” is no longer an argument.

10. Management Responsibility & Governance

What it means: The executive management is responsible. Not IT. Not the CISO. The C-suite.

In practice:

  • Management must approve and oversee cybersecurity measures

  • Regular reporting to the board/management

  • Budget responsibility

  • Personal liability for gross negligence

The Reality Check: This is the game changer. Previously, management could say “IT topic, take care of it”. Not anymore.

NIS2 makes cybersecurity a top priority. And with personal liability. That has drawn attention... to say the least.

Blog post: CISO-as-a-Service – Leadership in Cybersecurity When It Matters


The NIS2 Implementation Roadmap

Okay. You now know what NIS2 wants. How do you implement it without spending the next two years solely on it?

Here's our proven approach. No theory – this is what we do with clients.

Phase 1: Gap Analysis (4-6 weeks)

Goal: Understand where you stand vs. where you need to be.

What happens:

  • Scope Definition: Which systems, processes, data are NIS2-relevant?

  • Current State: Documentation of current security measures

  • Desired State: Mapping to NIS2 requirements

  • Gap Identification: What's missing? What needs to be improved?

  • Risk Assessment: Which gaps are critical?

Output: Gap analysis report with prioritized action areas.

The Reality Check: Most companies are at 40-60% compliance. That's normal. No one starts from scratch. But no one is “accidentally” NIS2-compliant either.

Phase 2: Roadmap & Prioritization (2-3 weeks)

Goal: Realistic implementation planning with business buy-in.

What happens:

  • Identify Quick Wins: What can we implement in 4-8 weeks?

  • Medium and Long-term Planning: What takes 6-12 months?

  • Resources & Budget: What does it really cost?

  • Risk vs. Effort: Where do we invest first?

  • Executive Buy-In: Presentation and approval

Output: 12-18 months roadmap with milestones, budget, resources.

The Reality Check: NIS2 compliance is not a 3-month project. Count on 12-18 months for full implementation. But after 3-6 months, you should have closed the most critical gaps.

Phase 3: Implementation (6-12 months)

Goal: Implement measures. Document. Test.

The phases within implementation:

Month 1-3: Quick Wins & Foundations

  • Activate MFA everywhere

  • Create incident response plan

  • Set up basic monitoring

  • Apply critical patches

  • First security awareness training

Month 4-6: Core Security Improvements

  • Network segmentation

  • PAM (Privileged Access Management)

  • Backup & recovery testing

  • Supply chain assessment (Top 10 suppliers)

  • Vulnerability management process

Month 7-12: Advanced & Governance

  • Zero trust architecture (gradually)

  • Penetration tests

  • Business continuity plans

  • Governance framework

  • Management reporting

The Reality Check: You will not implement everything perfectly. That's okay. NIS2 requires “appropriate” measures. Which means: risk-based, proportionate, state-of-the-art.

Small companies don't need to have the same measures as corporations. But they must have the right measures.

Phase 4: Documentation (ongoing!)

Goal: Prove that you are compliant.

What needs to be documented:

  • Risk analyses and assessments

  • Security policies and processes

  • Incident response plans and incidents

  • Training records (who was trained when?)

  • Audit reports and test results

  • Management reviews and decisions

  • Supplier assessments

The Reality Check: Documentation is the unloved part. But crucial under NIS2.

“If it's not documented, it didn't happen” – that applies to audits.

You don't need perfect documentation. But you need traceable documentation.

Phase 5: Testing & Continuous Improvement (ongoing)

Goal: Ensure that measures work. And keep up with the threat landscape.

What needs to happen regularly:

  • Quarterly: Vulnerability scans, access reviews, policy updates

  • Semi-annually: Security awareness training, backup recovery tests

  • Annually: Penetration tests, risk analysis update, management review

The Reality Check: NIS2 compliance is not a project. It is a program.

You will never be “done”. Threats change. Technology changes. Your business changes.

The question is not “When are we compliant?”, but “How do we stay compliant?”

The Most Common Mistakes in NIS2 Implementation

We see the same stumbling blocks repeatedly. Here are the top 5:

Mistake #1: Treating NIS2 as a Pure IT Project

The Problem: “IT, take care of NIS2” – and IT tries to handle it alone.

Why that fails: NIS2 is a business risk management topic, not an IT topic. It needs:

  • Executive Management (Governance, Budget, Liability)

  • Legal (Contracts, Data Protection, Reporting Obligations)

  • HR (Training, Awareness)

  • Procurement (Supplier Management)

  • All departments (Risk Identification)

The Solution: Cross-functional NIS2 project team. With executive sponsor from management.

Mistake #2: Underestimating Documentation

The Problem: “We already do all that somehow, we just need to write it down.”

Why that fails: “Just write it down” becomes a 6-month project. Because you realize: you don't actually do a lot. Or not consistently. Or not traceably.

The Solution: Plan documentation from the start. Use templates. Not perfect, but complete.

Mistake #3: Ignoring Supply Chain Security

The Problem: “We're concentrating on our own systems for now. Suppliers come later.”

Why that fails: Later never comes. And your suppliers need time to improve their security.

The Solution: Include supply chain security from the start. Identify and address the Top 10-20 critical suppliers. Early.


Mistake #4: Waiting Too Long

The Problem: “NIS2 might affect us, but Switzerland is not in the EU, so we have time...”

Why that fails: Your EU customers and partners don't wait. Contracts already contain NIS2 clauses. RFPs demand compliance evidence.

The Solution: Start now. Gap analysis takes 4-6 weeks. After that, you know where you stand. And can make informed decisions.

Mistake #5: Striving for Perfection Instead of Pragmatism

The Problem: “We'll implement NIS2 100% before we report or document anything.”

Why that fails: 100% doesn't exist. You will always find optimization potential.

The Solution: Proceed risk-based. The most critical 20% of measures close 80% of risks. Start there.

NIS2 requires “appropriate” and “state-of-the-art”. Not “perfect”.

What Happens in Case of Non-Compliance?

Okay, real talk. What happens if you ignore NIS2?

The Penalties (in the EU)

For “Essential Entities”:

  • Up to 10 million euros OR

  • 2% of the worldwide annual revenue

  • Whichever is higher

For “Important Entities”:

  • Up to 7 million euros OR

  • 1.4% of the worldwide annual revenue

Personal Liability (new with NIS2): Management can be held personally liable for gross negligence.

This means: If management ignored cybersecurity, despite warnings, and a severe incident occurs... personal consequences are possible.

This is a paradigm shift. And has led to cold showers for many CEOs/CFOs.

The Reality of Enforcement

But: Theory vs. practice.

The EU member states are currently building the enforcement infrastructure. CSIRTs (Computer Security Incident Response Teams) need to be created or expanded. Auditors need to be trained.

This does not mean you have time. It means the first 12-24 months will likely focus on:

  • Serious incidents (major breaches, critical infrastructure failures)

  • Repeat offenders (companies ignoring warnings)

  • Examples (a few high-profile cases to set an example)

For Swiss companies: Currently no direct penalties by EU authorities (we are not in the EU).

BUT:

  • Contractual consequences: EU partners can terminate contracts or not renew them

  • Reputational damage: “We are not NIS2 compliant” is not a good sales argument

  • Swiss regulation is coming: NCSC is working on national standards that will be similar

  • Civil liability: In the event of data breaches, customers can claim damages

The Business Case for Compliance

Forget the penalties. Here's the real reason why NIS2 compliance makes sense:

1. Risk Reduction: The measures actually make you safer. Ransomware incidents cost an average of 1-5 million euros. Plus reputational damage. Plus business interruption.

Related post: Is it Cheaper to Recover after a Ransomware Attack or to Rebuild?

2. Competitive Advantage: “We are NIS2 compliant” will become a selling point. Especially with large, regulated customers.

3. Insurability: Cyber insurers will increasingly demand minimum standards. NIS2 compliance helps.

4. M&A Readiness: Due diligence in acquisitions looks at cybersecurity. NIS2 compliance makes you more attractive (or less risky).

5. Foundation for Growth: Solid security foundations enable faster, safer growth. You can enter new markets, use new technologies, without starting over each time.

How We Help with NIS2 Implementation

We have done NIS2 assessments and roadmaps with dozens of companies in recent months. From SMEs to large corporations. In regulated and non-regulated industries.

Our approach is assessment-first.

We don't start with “Here's what you need”. We start with “Where do you stand today?”

How We at ODCUS Operate

Step 1: Scope & Applicability Assessment

  • Are you even affected?

  • Which systems, processes, data are relevant?

  • Essential or Important Entity?

Step 2: Gap Analysis

  • Document current state

  • Mapping to NIS2 requirements

  • Identify and prioritize gaps

  • Risk assessment

Step 3: Roadmap & Business Case

  • Implementation Planning (Quick Wins, Medium, Long Term)

  • Budget and resources

  • Business case and ROI

  • Presentation for Executive Management

Step 4: Implementation Support

  • Project management

  • Technical implementation (or coordination with your teams/partners)

  • Documentation

  • Testing and validation

Our job is to structure the process, identify the gaps, guide you through the complexity, and ensure that in the end, you are not only compliant... but actually safer.

Next Steps

Okay. You've read this far. That shows you're taking NIS2 seriously. Good.

Here’s what you should do now:

Step 1: Determine if You Are Affected (1-2 hours)

Use the self-assessment checklist above. Discuss with legal and executive management.

If unsure: Better to be safe and do an assessment.

Step 2: Initial Gap Analysis (internally, 1-2 weeks)

You can do an initial rough gap analysis yourself:

  • List the 10 NIS2 requirements

  • Rate where you stand on a scale of 1-10

  • Identify the top 5 gaps

  • Roughly estimate budget and effort

This gives you an initial feel.

Step 3: Inform Stakeholders and Get Buy-In

NIS2 is top management’s responsibility. Inform executive management. Early.

“Personal liability” is a good argument for budget and attention.

Step 4: Professional Assessment (recommended)

An external gap analysis takes 4-8 weeks and a few tens of thousands of francs.

For this, you get:

  • Objective evaluation (no blind spots)

  • Benchmarking (where do others stand?)

  • Prioritized roadmap

  • Business case for executive management

  • Foundation for compliance evidence

That's money well spent. Because the alternative – blindly implementing measures – will be more expensive.

Step 5: Start. Don’t Wait.

The companies that start now have an advantage. They can proceed calmly and methodically.

The companies that wait until the first EU customer demands NIS2 compliance in the contract... are in a rush. And make mistakes. And pay more.

You don’t have to be perfect. But you have to start.

Does this topic concern you?

Learn more about our services related to the topic or easily arrange a conversation.

Contact us!

Grabenstrasse 15a

6340 Baar

Switzerland

+41 43 217 86 70

Copyright © 2025 ODCUS | All rights reserved.
