Companies face risk of huge fines and suspensions under tough new cyber rules in the EU

Companies could face hefty fines or even suspensions of service in the European Union under strict new cybersecurity regulations set to come into force next month.

The EU's NIS 2 cybersecurity directive will on Oct. 17 become enforceable by member states. That means firms will have to ensure their operations are up to scratch with obligations set out by the new law.

The rules impose tougher requirements on companies around their internal cyber resilience strategy and internal practices.

CNBC runs through all you need to know about NIS 2 — from what the law requires to the potential penalties businesses could face for violations.

NIS 2, which stands for Network and Information Security Directive 2, is an EU directive that aims to increase the security of IT systems and networks across the bloc. Introduced in 2020, the law serves as an update to an earlier directive simply called NIS.

NIS 2 expands the scope of its predecessor to address more recent cybersecurity challenges and threats that have emerged as criminals have found new ways to hack companies and compromise their sensitive data.

The directive applies to organizations that operate within the EU and provide essential services to consumers, including banks, energy suppliers, health care institutions, internet providers, transport firms, and waste processors.

The main areas it will address are risk management, corporate accountability, reporting obligations, and business continuity planning in the event of a cyber breach.

Geert van der Linden, executive vice president of global cybersecurity services at Capgemini, told CNBC that NIS 2 has effectively set a new baseline for companies on what's acceptable to protect citizens, maintain operations and remain resilient in the