The European Union's Network and Information Security Directive 2 (NIS2) applies to many more organizations than GDPR did, and it reaches beyond Europe. Any US-based subsidiary, supplier, or service provider to a European critical infrastructure operator is potentially subject to NIS2 requirements. Many American industrial companies don't yet understand whether NIS2 affects them. Those that do often underestimate the compliance burden. NIS2 is not just European regulation — it is a requirement Pacific Northwest manufacturers and data center operators with European parents, customers, or supply-chain exposure need to plan for now.
NIS2 takes effect in October 2024, with member state implementation deadlines in October 2025. It applies to "essential services" (energy, water, transport, health, financial services) and to "important entities" in digital infrastructure, manufacturing, and other sectors. If your US operation supplies critical infrastructure customers in Europe, or if your parent company is European and subject to NIS2, you're affected. The directive requires risk management, incident reporting, supply chain security, and breach notification—and it defines these more broadly and strictly than most US regulations.
Key NIS2 Requirements
NIS2 requires organizations to implement a cybersecurity risk management program, including asset management, threat assessment, access control, encryption, resilience testing, and incident response. They must report significant incidents to their national authority, conduct security assessments of their supply chain and contractually require vendors to meet baseline security standards, and establish roles and responsibilities for cybersecurity governance. None of these requirements is radical, but they are broader and more explicit than many US standards.
The directive also imposes personal liability for company directors and executives. If a company experiences a significant breach and it's found that governance was inadequate, executives can face personal consequences. This elevates cybersecurity to a board-level concern. Many US companies operating in Europe haven't yet communicated this to their boards.
Compliance Implications for US-Based Operations
- Global security standards: If your parent company is European or your significant customers are European, you need to align your security practices to meet NIS2 standards. This likely means implementing controls that exceed what your US regulators require.
- Supply chain assessment: You must assess and document the security practices of your vendors and suppliers. Vendors with access to critical systems must meet defined security baselines. You must contractually bind vendors to security requirements.
- Incident reporting obligations: NIS2 requires reporting of significant incidents to authorities. If your US operation experiences an incident that affects European customers or critical infrastructure, you must report to European authorities. This may conflict with US law unless the timing and sequence of notifications are planned carefully.
- Evidence and documentation: NIS2 inspectors will ask for evidence of risk management, security assessments, supply chain reviews, and incident handling. Documentation is essential. If you cannot demonstrate practices with contemporaneous evidence, you're non-compliant.
Building Compliance as a US Subsidiary
Start by clarifying your NIS2 applicability. Consult with your parent company and your legal counsel. If NIS2 applies to you, conduct a gap assessment against NIS2 requirements. Assess your current practices against the standard, identify gaps, and prioritize remediation. Build a risk management program that addresses NIS2 requirements. Document it. Test it. Ensure board-level visibility and support.
NIS2 compliance is manageable if you start now. We help US-based subsidiaries of European companies understand their obligations, conduct gap assessments, and build compliant programs. Contact us to assess your NIS2 applicability and compliance needs.
This article was written by the Cascadia OT Security practice, which advises Pacific Northwest data centers and manufacturers on industrial cybersecurity. For engagement inquiries, reach our practice team.