New European cyber security directive opens Africa up to scrutiny

By Christopher Tredger, Portals editor
Johannesburg, 18 Oct 2024
New cyber security legislation requires African companies to comply in order to maintain business relations with European trade partners

The European Union (EU) has officially enforced the NIS2 Directive, a new cyber security regulation which, like the GDPR (General Data Protection Regulation), requires EU member states and any global trading partners to comply.

The NIS2 Directive, which builds upon the original Network and Information Security Directive introduced in 2016, imposes strict cyber security requirements, including enhanced management liability, reporting to authorities, risk management, and business continuity planning. It came into force on 16 January 2023 and EU member states had until yesterday - 17 October 2024 - to transpose it into national law.

NIS2 Directive background

  • The Network and Information Security (NIS) Directive of 2016 was the first EU-wide legislation on cyber security.
  • To address growing cyber threats, the European Commission replaced it with NIS2, which introduces stricter security requirements, reporting, supervision and enforcement.
  • NIS2 entered into force on 16 January 2023.
  • EU member states had until 17 October 2024 to transpose NIS2 into national law.
  • The NIS2 Directive requires any global trading partner to comply.

NIS2 mandates that organisations must report cyber incidents to authorities promptly and inform their stakeholders, suppliers, and customers. In fact, the NIS2 Directive imposes more stringent reporting timelines than the GDPR: organisations must submit an early warning notification within 24 hours, in contrast to the GDPR’s 72-hour requirement.

Security solutions provider Check Point Software Technologies urges African businesses to ensure they have a comprehensive incident response plan in place, along with regular cybersecurity training for both IT and leadership teams.

The company points out that the EU remains Africa’s largest trading partner, with over 18 economic partnership agreements and trade worth billions annually. African businesses, especially in sectors like energy, banking, transport, and manufacturing, are key partners in EU supply chains.

More than 80% of European enterprises are now within the scope of the NIS2 legislation, and it extends to global supply chain partners. To continue doing business with EU companies, African organisations must comply with NIS2, which mandates strict cyber security measures to protect critical infrastructure and supply chains.

Collins Emadau, Check Point partner and director at Westcon, explains, “Europe is still Africa’s leading trading partner. African businesses, particularly in leading economies such as South Africa, Kenya, and Nigeria, need to understand the far-reaching impact of NIS2. Compliance is not just about meeting EU standards - it’s about securing their future in a globalised market. Failure to comply will result in not only heavy fines but also the potential loss of critical trade partnerships with EU member states.”

Issam El Haddioui, head of security sales engineering for Africa at Check Point, says, "NIS2 sets a new standard for cyber security, and African businesses must act now. Many organisations are unaware of the depth of these requirements, which go beyond local regulations. Compliance is essential not only for maintaining business relationships with the EU but also for enhancing the overall resilience of African economies against cyber threats."

Personal liability

NIS2 introduces personal liability for business leaders in the event of a cyber attack, meaning that executives themselves can be held financially accountable for breaches. Penalties include fines of up to €7 million or 1.4% of a company’s global annual turnover, whichever is higher.

This goes beyond the GDPR, placing even more responsibility on corporate leadership to ensure robust cybersecurity practices are in place, claims Check Point.

Compliance includes the directive that from 2028, organisations will be required to annually document their NIS2-compliant IT infrastructure and demonstrate that their cyber security measures are aligned with the latest technological advancements.

“African countries, especially economic leaders like South Africa, Kenya, and Nigeria, should also consider using the NIS2 framework as a model for strengthening their own national cyber security regulations. By improving cyber-readiness, African businesses can not only comply with international standards but also protect their data, operations, and reputations from evolving threats,” says El Haddioui. 
