NIS2 is not a GDPR sequel — it’s a resilience mandate. If your ERP goes down, your business stops. The European directive starts from this premise to impose unprecedented cybersecurity standards on companies classified as “essential” or “important.” And the ERP, as the backbone of the information system, is on the front line.
France missed the transposition deadline of October 17, 2024. The Senate adopted the “Critical Infrastructure Resilience and Cybersecurity Reinforcement” bill on March 12, 2025, and the text continues its journey through the National Assembly (nis-2-directive.com). Final adoption is expected during 2026, followed by ANSSI implementation decrees.
But preparation time has already started. Here’s what you need to understand and what you need to do.
NIS2 in 3 Minutes — What Changes from NIS1
Expanded Scope: 18 Sectors, Lowered Thresholds
The NIS1 directive (2016) only concerned a handful of vital operators. NIS2 radically expands the scope: 18 activity sectors are now covered (energy, transport, health, finance, manufacturing, digital services, waste management, space, etc.). Any company with more than 50 employees or generating more than €10 million in turnover in these sectors is potentially concerned.
In Europe, this represents thousands of mid-market and large SMEs that until now had no formal cybersecurity obligations at the European level.
Essential vs Important Entities — Two Levels of Obligations
NIS2 distinguishes two categories:
- Essential entities (EE): large companies in “highly critical” sectors (energy, transport, health, drinking water, digital infrastructure, public administration). Proactive supervision by national authorities, regular audits.
- Important entities (IE): medium-sized companies in the same sectors or companies of any size in “critical” sectors (postal services, waste management, chemical industry, food industry, manufacturing). Reactive supervision — authorities intervene only once an incident or non-compliance is reported.
Enhanced Sanctions
The fines provided by Article 34 of the directive are dissuasive (nis2directive.eu):
- Essential entities: up to €10M or 2% of global consolidated turnover (whichever is higher)
- Important entities: up to €7M or 1.4% of global consolidated turnover
Beyond fines, national authorities can order security audits at the company’s expense, suspend certifications or authorizations, and — for essential entities — temporarily prohibit executives from exercising their managerial functions.
Why ERP is at the Heart of NIS2
ERP as a “Critical Information System”
Article 21 of NIS2 imposes security measures on “networks and information systems” used to provide the entity’s services. ERP fulfills this definition in almost all cases: it manages accounting, invoicing, purchasing, production, inventory and often human resources. No critical business process works without it.
Targeted ERP Data
ERP concentrates the company’s most sensitive data:
- Financial: customer accounts, supplier accounts, cash flow, budget forecasts
- HR: payslips, employee personal data, contracts
- Supply chain: order books, supplier rates, stock levels
- Customers: commercial history, pricing conditions, billing data
An ERP compromise simultaneously exposes all these data categories.
Concrete Risks: Ransomware on ERP = Total Shutdown
The 2024 cyber threat landscape published by European cybersecurity agencies confirms the threat: cyber incidents targeting mid-market companies increased by 15% compared to 2023, with SMEs and mid-market companies remaining the primary victims, representing 37% of ransomware cases treated (ENISA Annual Report 2024).
Globally, the average cost of a data breach reached $4.88 million in 2024, a 10% increase from the previous year — the highest annual growth since the pandemic (IBM, Cost of a Data Breach Report 2024).
Ransomware that encrypts the ERP database doesn’t just steal data — it paralyzes all operations. No more invoicing, no more payroll, no more supplier orders. The shutdown is immediate and total.
The 7 NIS2 Obligations That Directly Impact Your ERP
Article 21 of the directive details the risk management measures each entity must implement. Here are the seven that directly concern ERP.
1. Risk Analysis and IT Security Policy
You must formalize a risk analysis covering all your information systems, including ERP. This analysis must be reviewed regularly and approved by management — not delegated to the CISO alone.
ERP Impact: map data flows in the ERP, identify critical modules, assess compromise scenarios (unauthorized access, ransomware encryption, data exfiltration).
2. Incident Management: Notification Under 24h/72h
NIS2 imposes a strict notification schedule in case of significant incident:
- 24 hours: initial alert to national authority (or competent CSIRT)
- 72 hours: detailed incident report
- 1 month: final report with root cause analysis and corrective measures
ERP Impact: your ERP must have intrusion detection mechanisms or be covered by a SIEM. You must be able to identify an incident on the ERP, assess its scope and notify within deadlines. Without adequate logging, it’s impossible.
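The notification clock above, as an added example that is not part of the original article or any authority's tooling: it derives the three deadlines from the moment of detection and tracks what has been sent. Taking "1 month" as a calendar month is an assumption; the transposed national text and ANSSI guidance fix the exact computation.

```python
# NIS2 incident notification clock: added example, not from the article or any authority's tooling.
# Deadlines follow the article's 24h / 72h / 1 month schedule; "1 month" is taken as a calendar month
# (assumption; check the transposed national text and ANSSI guidance for the exact computation).
from calendar import monthrange
from datetime import datetime, timedelta, timezone

def add_calendar_month(dt):
    """dt plus one calendar month, clamped to the last day of the target month (Jan 31 -> Feb 28)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)

def notification_deadlines(detected_at):
    """Absolute deadlines for the three NIS2 reporting stages, counted from the moment of awareness."""
    return {
        "early_warning": detected_at + timedelta(hours=24),
        "incident_notification": detected_at + timedelta(hours=72),
        "final_report": add_calendar_month(detected_at),
    }

def register_status(detected_at, submitted, now):
    """Per stage: 'done', 'late' (sent after deadline), 'overdue' (open, past deadline) or hours remaining."""
    status = {}
    for stage, deadline in notification_deadlines(detected_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "done" if sent <= deadline else "late"
        elif now > deadline:
            status[stage] = "overdue"
        else:
            status[stage] = round((deadline - now).total_seconds() / 3600, 1)
    return status

# Constructed register entry: ransomware on the ERP database detected on the last day of January
DETECTED = datetime(2025, 1, 31, 14, 30, tzinfo=timezone.utc)
SUBMITTED = {"early_warning": datetime(2025, 2, 1, 9, 0, tzinfo=timezone.utc)}  # sent after 18.5 h

def demo():
    return register_status(DETECTED, SUBMITTED, now=datetime(2025, 2, 4, 12, 0, tzinfo=timezone.utc))

if __name__ == "__main__":
    for stage, deadline in notification_deadlines(DETECTED).items():
        print(f"{stage:<22} due {deadline.isoformat()}")
    print(demo())
```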
3. Business Continuity: DRP/BCP Including ERP
The directive requires a tested business continuity plan (BCP) and disaster recovery plan (DRP). Since ERP is the most critical system for most companies, it must be at the center of these plans.
ERP Impact: define RTO (maximum recovery time) and RPO (maximum tolerable data loss) for ERP. Test complete restoration at least once a year. A DRP/BCP that doesn’t include ERP is a facade DRP/BCP.
4. Supply Chain Security
This is one of NIS2’s major innovations: the directive extends to your suppliers. If your ERP vendor, integrator or hosting provider is compromised, you are responsible for having assessed this risk upstream.
ERP Impact: require from your vendor (SAP, Odoo, Sage, Microsoft, etc.) security certifications (ISO 27001, SOC 2), contractual commitments on vulnerability correction deadlines and regular audits. For cloud ERPs, verify hosting provider certifications (SecNumCloud in France, C5 in Germany).
5. Vulnerability and Patch Management
Security patch application must be systematic and documented. ERPs, whether cloud or on-premise, regularly publish security patches.
ERP Impact: implement monitoring of your vendor’s security bulletins (SAP Security Patch Day, Odoo Security Advisories, Microsoft Patch Tuesday). Apply critical patches within a defined timeframe (ideally within 30 days). Document each patch application.
6. Encryption and Access Management
NIS2 requires data encryption measures “at rest” and “in transit,” as well as rigorous access management.
ERP Impact: enable TLS encryption for all ERP connections. Encrypt the database at rest (Transparent Data Encryption or equivalent). Implement multi-factor authentication (MFA) for all ERP access — without exception. Implement role-based access control (RBAC) and review rights quarterly.
7. ERP User Training and Awareness
Article 20 of NIS2 requires management members to undergo cybersecurity training and personally approve risk management measures. This responsibility cannot be delegated (DLA Piper).
ERP Impact: train all ERP users in best practices (password management, phishing detection, incident reporting). Specifically train management on ERP cybersecurity issues. Document these trainings — they will be verified during audits.
What ERP Vendors Are Preparing for NIS2
SAP — Trust Center and Threat Detection
SAP strengthens its security offering around S/4HANA: Trust Center with compliance dashboard, enhanced audit trail on all transactions, and SAP Enterprise Threat Detection for real-time anomaly detection. On-premise SAP customers will nevertheless have to manage patching and infrastructure security themselves.
Odoo — Security by Design and SOC 2
Odoo focuses on a “security by design” approach with an active bug bounty program and SOC 2 certified Odoo.sh hosting. Transparency is a strong point: security advisories are published quickly. The limitation: self-hosted Odoo instances remain under the customer’s total responsibility.
Microsoft Dynamics 365 — Compliance Manager and Azure Security
Microsoft Dynamics 365 benefits from the Azure Security Center ecosystem and Compliance Manager, which helps map regulatory compliance (NIS2 included). The advantage is native integration with Microsoft Defender and Sentinel for threat detection. The disadvantage: advanced security license costs add to ERP costs.
Sage and Access Group — Certifications in Progress
Sage is progressing towards ISO 27001 certification across its cloud offering. Access Group is strengthening security with regular penetration audits. Both UK vendors are driven by local regulations, which tend to be more prescriptive than the European directive on certain points.
NIS2 Action Plan for Your ERP — 6 Steps
Step 1 — Identify if Your Company is Concerned
Start with the decision tree:
- Does your company operate in one of the 18 NIS2 sectors?
- Do you have more than 50 employees OR generate more than €10M turnover?
- If yes to both: you are concerned. It remains to determine whether you are an “essential entity” or an “important entity.”
National authorities provide portals to help companies with this qualification.
Step 2 — Map Critical Data Flows in ERP
Identify for each ERP module:
- What data transits (nature, volume, sensitivity)
- What are the incoming and outgoing flows (supplier EDI, banking APIs, CRM connections)
- Where data is stored (cloud, on-premise, hybrid)
- Who accesses it and with what rights
This mapping is the foundation of your risk analysis.
Step 3 — Audit Access and Rights
Review all ERP user accounts:
- Delete inactive accounts (former employees, departed contractors)
- Verify that each user has the minimum necessary level of rights (principle of least privilege)
- Enable MFA on all accounts — prioritizing administrator accounts
- Implement quarterly rights review
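The four checks of this step run over a user export, as an added example (not the article's or any vendor's code). The export shape and field names are assumptions; the job-to-roles mapping is a constructed least-privilege baseline that a real review would take from the organisation's role model.

```python
# Quarterly ERP access review: added example, not the article's or any vendor's code. Export field names are assumptions.
from datetime import date, timedelta
INACTIVITY_DAYS = 90     # assumption: no login for a quarter counts as inactive
REVIEW_PERIOD_DAYS = 90  # quarterly rights review (Step 3)
ALLOWED_ROLES = {        # assumed job function -> roles it legitimately needs (least-privilege baseline)
    "accountant": {"finance_read", "finance_write"},
    "buyer": {"purchasing"},
    "sysadmin": {"admin"},
}
USERS = [  # constructed sample export; hr_status would come from the HR system, not the ERP
    {"user": "a.martin", "job": "accountant", "roles": {"finance_read", "finance_write"},
     "last_login": "2025-02-10", "mfa": True, "hr_status": "active", "last_review": "2025-01-15"},
    {"user": "j.dupont", "job": "buyer", "roles": {"purchasing", "admin"},
     "last_login": "2025-03-01", "mfa": False, "hr_status": "active", "last_review": "2024-09-01"},
    {"user": "ext.consult", "job": "integrator", "roles": {"admin"},
     "last_login": "2024-10-20", "mfa": False, "hr_status": "departed", "last_review": "2024-06-01"},
    {"user": "root.erp", "job": "sysadmin", "roles": {"admin"},
     "last_login": "2025-03-05", "mfa": True, "hr_status": "active", "last_review": "2025-02-20"},
]

def review_access(users, today):
    """Return (priority, user, finding) tuples sorted most urgent first (1 = act now)."""
    findings = []
    for u in users:
        is_admin = "admin" in u["roles"]
        # Departed people and dormant accounts: delete or disable
        if u["hr_status"] == "departed":
            findings.append((1, u["user"], "departed person still has an account: delete"))
        elif today - date.fromisoformat(u["last_login"]) > timedelta(days=INACTIVITY_DAYS):
            findings.append((2, u["user"], f"no login for >{INACTIVITY_DAYS} days: disable"))
        # MFA on every account, administrators first
        if not u["mfa"]:
            findings.append((1 if is_admin else 2, u["user"], "MFA not enabled"))
        # Least privilege: roles beyond what the declared job function needs
        excess = u["roles"] - ALLOWED_ROLES.get(u["job"], set())
        if excess:
            findings.append((1 if "admin" in excess else 3, u["user"],
                             f"roles beyond job function: {sorted(excess)}"))
        # Evidence of the quarterly review itself (auditors will ask for it)
        if today - date.fromisoformat(u["last_review"]) > timedelta(days=REVIEW_PERIOD_DAYS):
            findings.append((3, u["user"], "rights not reviewed this quarter"))
    return sorted(findings)

def demo():
    return review_access(USERS, date(2025, 3, 10))

if __name__ == "__main__":
    for prio, user, msg in demo():
        print(f"P{prio} {user:<12} {msg}")
```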
Step 4 — Implement ERP DRP/BCP
Define realistic objectives:
- RTO (recovery deadline): how long can your company operate without ERP? For most mid-market companies, the answer is “a few hours, not a few days.”
- RPO (tolerable data loss): when was the last backup? If the answer is “yesterday evening,” you’ll lose a day’s work.
Test your recovery plan at least once a year with a complete restoration exercise.
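The RTO/RPO objectives of this step, checked against a backup schedule and a restoration test record, as an added example that is not part of the original article or any vendor's product. The backup log, the restore test and the RTO/RPO targets are constructed.

```python
# ERP DRP/BCP objective check: added example, not from the article or any vendor. Backup records are constructed.
from datetime import datetime, timedelta

RTO = timedelta(hours=4)     # assumption: the business can run without ERP for a few hours, not days
RPO = timedelta(hours=1)     # assumption: at most one hour of ERP transactions may be lost
TEST_INTERVAL = timedelta(days=365)  # the article's "at least once a year"

# Constructed backup log for one week: nightly full backups plus, on one day, hourly log backups
BACKUPS = [datetime(2025, 3, d, 22, 0) for d in range(3, 10)]
BACKUPS += [datetime(2025, 3, 6, 8, 0) + timedelta(hours=h) for h in range(0, 12)]
# Constructed restore test: full restoration rehearsal with its measured duration
RESTORE_TESTS = [{"date": datetime(2024, 11, 12), "duration": timedelta(hours=5, minutes=20), "success": True}]

def worst_case_data_loss(backups):
    """Largest gap between consecutive backups, i.e. the RPO the schedule actually achieves."""
    times = sorted(backups)
    return max(b - a for a, b in zip(times, times[1:]))

def drp_assessment(backups, tests, today):
    """Compare achieved RPO/RTO and test recency against the objectives; return the gaps found."""
    gaps = []
    achieved_rpo = worst_case_data_loss(backups)
    if achieved_rpo > RPO:
        gaps.append(f"RPO: schedule allows {achieved_rpo} of loss, target {RPO}")
    successful = [t for t in tests if t["success"]]
    if not successful or today - max(t["date"] for t in successful) > TEST_INTERVAL:
        gaps.append("RTO: no successful full restoration test in the last year")
    else:
        measured = max(t["duration"] for t in successful)
        if measured > RTO:
            gaps.append(f"RTO: last restoration took {measured}, target {RTO}")
    return gaps

def demo():
    return drp_assessment(BACKUPS, RESTORE_TESTS, today=datetime(2025, 3, 10))

if __name__ == "__main__":
    for gap in demo():
        print("GAP", gap)
```

The hourly backups on a single day do not change the result: the nightly-only days still leave a 24-hour window, which is the "yesterday evening" situation described above.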
Step 5 — Secure the Software Supply Chain
Require from each actor in your ERP chain:
- Vendor: ISO 27001 or SOC 2 certifications, vulnerability disclosure policy, SLA for critical flaw correction
- Integrator: reinforced confidentiality clause, security audit of specific developments
- Hosting provider: certifications (SecNumCloud, HDS for health data, C5 in Germany), EU data localization
Document these requirements in your contracts. NIS2 makes you responsible for the weak link in your chain.
Step 6 — Document and Test
NIS2 compliance relies on documentary evidence:
- IT security policy (PSSI) covering ERP
- Incident register with three notification levels (24h, 72h, 1 month)
- Tested and dated DRP/BCP
- Signed quarterly access reviews
- Management and user training evidence
- Supplier contracts with security clauses
Organize an annual cyber crisis exercise simulating an ERP attack. An untested plan is a plan that will fail on D-day.
NIS2 Calendar — Key Dates for European Companies
| Deadline | Event |
|---|---|
| October 17, 2024 | EU transposition deadline (missed by France) |
| March 12, 2025 | Adoption of the bill by the French Senate |
| May 7, 2025 | Reasoned opinion from European Commission to France for transposition delay |
| During 2026 | Expected final adoption (National Assembly + promulgation) |
| Post-adoption | Publication of implementation decrees by national authorities |
| Post-adoption | Mandatory entity registration on national portals |
| Post-adoption + delay | First incident notification obligations |
Transposition delays should not serve as an excuse to postpone preparation. NIS2’s technical requirements have been known since 2022. Companies waiting for promulgation to start will be behind when the decrees are issued.
NIS2 vs GDPR: Don’t Confuse Them
| | GDPR | NIS2 |
|---|---|---|
| Object | Personal data protection | Information system resilience |
| Scope | Any company processing personal data | Companies in 18 sectors above thresholds |
| What is protected | Individuals’ data | IT system availability and integrity |
| Max sanctions | €20M or 4% of turnover | €10M or 2% of turnover (EE) |
| Management responsibility | Mandatory DPO | Management personally responsible (art. 20) |
Both regulations complement each other. A NIS2-compliant ERP is not automatically GDPR-compliant (and vice versa). To deepen the personal data dimension, consult our guide ERP and GDPR: Compliance and Data Protection.
To deepen ERP security beyond the NIS2 framework, read our complete guide ERP Cybersecurity: Protecting Your Management System and our comparison Cloud vs On-Premise ERP — the deployment model directly impacts your DRP and patching obligations. To validate your preparation level, start with a NIS2 compliance audit focused on ERP: 3 to 5 days of intervention, €10-20K depending on IT size. Result: a costed roadmap with gaps to fill, not a generic 200-page report.