
NIS2 Directive: what it means for companies in the Balkans

NeoBit team, Jun 15, 2026

The NIS2 Directive (Directive (EU) 2022/2555) is a European regulation that significantly expands cybersecurity obligations for medium and large organizations in critical sectors. Although Bosnia and Herzegovina and most countries in the region are not EU members, NIS2 directly affects companies in the Balkans that do business with European clients, supply services into the supply chain, or have subsidiaries in the EU. In practice, this means mandatory risk management measures, incident reporting within short deadlines, and personal accountability for management.


What the NIS2 Directive is and why it matters

NIS2 is the successor to the first NIS Directive from 2016 and represents the EU's most significant step forward in regulating cybersecurity. It entered into force in January 2023, and member states were required to transpose it into national legislation by October 2024. The aim is to raise a consistent level of security across network and information systems throughout the Union, since the previous rules proved too fragmented and too narrow.

The key change compared to NIS1 is scope. While the first directive covered a relatively narrow group of operators of essential services, the NIS2 Directive encompasses a far wider range of organizations and introduces a clear distinction between essential and important entities. As a result, the number of entities subject to the rules in the EU is measured in the tens of thousands, including many companies that previously had no formal obligations in the area of security.

Who the NIS2 Directive covers

NIS2 applies based on two core criteria: belonging to a regulated sector and the size of the organization. As a rule, medium and large entities are covered, meaning organizations with 50 or more employees or an annual turnover above 10 million euros. Smaller companies may be covered if they are identified as critical to a particular sector or country.

The directive distinguishes between sectors of high criticality and other critical sectors. Below is an overview of the typical categories:

Category                     | Example sectors
-----------------------------|------------------------------------------------------------------------------
Sectors of high criticality  | Energy, transport, banking, healthcare, drinking water, wastewater, digital infrastructure, public administration, space
Other critical sectors       | Postal and courier services, waste management, manufacture and distribution of chemicals, food production, manufacturing (medical devices, electronics, machinery), digital service providers, research

It is important to understand that the division into essential and important entities does not change the fundamental security obligations, but primarily the method of supervision and the level of penalties. Essential entities are subject to stricter, proactive supervision, while important entities are supervised mainly reactively, after a report or indications of a problem.

Why NIS2 concerns companies in the Balkans

It is a fair question why businesses from BiH, Serbia, Montenegro, or North Macedonia should concern themselves with a European directive. There are several very practical reasons why the NIS2 Directive affects companies in the region even without a formal legal obligation.

1. Supply chain

NIS2 explicitly requires covered entities to manage risks in their supply chain, including risks associated with suppliers and service providers. This means European clients increasingly require their Balkan suppliers of software, IT services, outsourcing, or components to demonstrate an appropriate level of security. A company from Mostar that develops software for a German client may find security clauses derived precisely from NIS2 written into its contract.

2. Subsidiaries and operations in the EU

If a Balkan group has a subsidiary registered in a member state, that subsidiary may be directly subject to NIS2. Consequently, the security standards of the parent organization must keep pace with the requirements set for the subsidiary.

3. Aligning the region with the EU acquis

Countries in the region that are in the EU accession process are gradually adopting European regulations. It is realistic to expect that equivalent obligations in the area of cybersecurity will appear in national legislation across the Balkans as well. Companies that prepare in time will avoid costly and hasty compliance later on.

4. Reputation and insurance

A growing number of cyber insurance policies and tenders require proof of security controls before a contract is concluded. NIS2 is de facto becoming the reference framework against which the seriousness of a supplier is measured, regardless of whether the company's headquarters are in the EU or in BiH. For businesses in the region that want to grow toward Western markets, compliance becomes a selling point rather than just a cost.

Key obligations introduced by the NIS2 Directive

NIS2 does not prescribe a detailed list of technical controls, but instead sets out a framework of measures that an organization must apply in proportion to its risks. The main groups of obligations are as follows:

  • Risk management: establishing policies for risk analysis and information system security, including the assessment of threats and vulnerabilities.
  • Incident handling: the ability to detect, handle, and report security incidents.
  • Business continuity: backups, disaster recovery, and crisis management.
  • Supply chain security: assessing the security of suppliers and service providers.
  • Security in procurement, development, and maintenance: including vulnerability management and disclosure.
  • Cryptography and encryption policies: where appropriate.
  • Cyber hygiene and training: basic security practices and employee training.
  • Access control and asset management: including multi-factor authentication and secure communications.

The incident reporting regime is particularly important. NIS2 introduces a multi-stage mechanism: an early warning to the competent authority within 24 hours of becoming aware of a significant incident, a more detailed report within 72 hours, and a final report within one month. These deadlines require an organization to have defined processes and responsible individuals in place in advance, because they cannot be created out of nothing at the moment an incident occurs.

It is worth emphasizing that NIS2 uses a risk-based and proportionality-driven approach. A small company with low risk will not have to implement the same controls as an operator of energy infrastructure. Measures are chosen according to size, exposure, and the potential consequences of an incident. This is good news for companies in the Balkans, because it does not automatically mean an enormous cost, but rather the consistent application of controls appropriate to the actual risk. In practice, an organization first documents what it protects and against what, and only then selects its controls.

Management accountability and penalties

One of the most significant innovations of the NIS2 Directive is the personal accountability of management. Management must approve risk management measures, oversee their implementation, and undergo appropriate training. In the event of serious failures, supervisory authorities may, as a last resort, temporarily ban individuals from performing managerial functions.

Penalties have also been raised to a level comparable to GDPR. For essential entities, the upper limit is up to 10 million euros or 2 percent of total annual worldwide turnover, whichever is higher. For important entities, the upper limit is up to 7 million euros or 1.4 percent of turnover. The final amounts depend on the national legislation transposing the directive, but the direction is clear: security is no longer solely a technical matter, but also a management one.

How companies in BiH and the region can prepare

Preparing for NIS2 does not have to be a single large project. The most effective approach is to start from an assessment of the current state and build gradually. We suggest the following sequence of steps:

  1. Determine whether you are covered. Check your sector, size, and especially your role in the supply chain of European clients. Even if you are not directly covered, contractual requirements can be equally binding.
  2. Carry out a maturity and gap analysis. Compare your current controls with the expectations of NIS2 and related standards such as ISO 27001. This gives you a clear list of priorities.
  3. Establish risk management and policies. Formalize responsibilities, inventory your information assets, and define basic security policies.
  4. Prepare an incident response plan. Define who reports incidents, how, and within what deadline, and rehearse the scenarios. A mature detection and response capability helps here.
  5. Test your resilience. Penetration testing and vulnerability assessment show how effective your controls actually are, not just on paper.
  6. Organize your supply chain. Set security requirements for your own suppliers, just as European clients set them for you.

In many cases, aligning with NIS2 and preparing for ISO 27001 go hand in hand, because they share a large portion of controls. An organization that already has a certified information security management system is significantly closer to meeting NIS2 requirements.

NeoBit, as a company from Mostar, works with firms in BiH and the region along this entire journey, from the initial assessment and security services such as penetration testing and Guardian 360 SOC monitoring (MDR), to incident response preparation and ISO 27001 readiness. If you are not sure where you stand, a good starting point is a structured readiness assessment questionnaire, and for a concrete discussion about your case, the contact page is available.

NIS2 is not just a cost, but an opportunity

Although the NIS2 Directive is often perceived as a new regulatory burden, for companies in the Balkans it is also a competitive opportunity. A supplier that can demonstrate mature cybersecurity finds it easier to enter European supply chains and retain existing clients. Investing in security reduces the likelihood of costly incidents, business disruptions, and loss of trust. In that sense, early preparation is not a reaction to a regulation, but a strategic decision that protects a company's revenue and reputation.

Frequently asked questions

Does the NIS2 Directive apply in Bosnia and Herzegovina?

NIS2 is not directly legally binding in BiH, because Bosnia and Herzegovina is not an EU member. However, it has an indirect effect on domestic companies through the contractual requirements of European clients, through subsidiaries in the EU, and through the expected gradual alignment of regional legislation with European regulation. Many companies therefore apply NIS2 standards in practice even before they become a formal obligation.

What is the difference between the NIS1 and NIS2 directives?

NIS2 significantly expands the number of covered sectors and organizations, introduces a clear distinction between essential and important entities, stricter incident reporting deadlines, personal accountability for management, and penalties comparable to GDPR. NIS1 covered a narrower group of operators of essential services and left states more room for differing interpretations, which led to inconsistent application.

What penalties does the NIS2 Directive prescribe?

For essential entities, the upper limit of the penalty is up to 10 million euros or 2 percent of total annual worldwide turnover, whichever is higher. For important entities, the limit is up to 7 million euros or 1.4 percent of turnover. The exact amounts depend on the national law by which each member state transposes the directive.

How do you start preparing for NIS2?

The best approach is to start from an assessment of whether you are covered and a gap analysis that compares your current state with NIS2 requirements and the ISO 27001 standard. This is followed by establishing risk management, an incident response plan, and resilience testing through penetration testing. Through its readiness assessment questionnaire, NeoBit helps companies in the region quickly gain a clear picture of their priorities.
