Security Announcement Barracuda Email Security Gateway Appliance (ESG) Zero-Day Vulnerability

NIS2 Directive

The new NIS2 directive is set to take effect in 2024, bringing stricter cybersecurity requirements for organizations across all EU member states.  By adhering to the NIS2 directive as early as now, organizations can gain a competitive advantage by enhancing their reputation, and increasing the trust of their customers, ultimately driving growth and profitability.

160 K+
estimated companies affected by NIS2
10€ M
Maximum fine for NIS2 non-compliance
Number of sectors covered by NIS2 Directive

NIS2: Europe’s Most Extensive Cybersecurity Directive To Date

The NIS2 directive represents the most expansive cybersecurity mandate in Europe thus far. It introduces more stringent regulations for risk management and reporting of incidents, extends its scope to cover additional industries, and imposes more severe penalties for failing to comply. As a result, a vast number of EU organizations must reevaluate their cybersecurity stance.
NIS2 Graphic

Countdown to NIS2 Becomes Law: Are You Ready?


Essential Entities Under The NIS2 Directive

NIS2 distinguishes between Essential Entities (EE) and Important Entities (IE). The directive's Annex I details the former, while Annex II details the latter. Organizations must determine if they fall into either category and adhere to the directive's requirements accordingly.


Including subsectors; electricity, oil, and gas.

Explore Industry


Including subsectors; air transport, rail transport, shipping, and road transport.

Learn More


Including subsector; healthcare environments (including hospitals and private clinics).

Read More

Public Administration

By designating the public administration sector as an essential entity, the NIS2 Directive recognizes the significance of protecting it from cyber threats, reflecting its criticality.
Explore Industry

Banking & Financial Market Infrastructure

Financial market infrastructure, e.g., payment services

Digital Infrastructures

Digital infrastructures, such as the delivery of DNS and TLD registries.

Water Supply

Including drinking water and wastewater.


The NIS2 Directive recognizes the space sector as an essential entity, subject to its strict cybersecurity requirements.

Important Entities Under The NIS2 Directive

Digital Providers

The digital providers sector is a diverse and ever-changing industry that includes companies offering a range of digital products and services, including search engines, online marketplaces, and social networks.


NIS2 categorizes the food sector as an important entity. Encompassing all stages from farming to food processing, packaging, transportation, and retail sales.



Covering the manufacture, production, and distribution of chemicals, NIS2 addresses a vital aspect of the industrial landscape that is crucial to Europe's competitiveness. The chemical industry plays a pivotal role in providing innovative materials and technological solutions in this regard.


The manufacturing sector includes the manufacturing of: medical devices, computers and electronics, machinery and equipment, motor vehicles, trails and semi-trailers and other transport equipment)


The research sector is a significant driver of innovation and advancement, which makes it a valuable target for cybercriminals seeking to disrupt critical systems or steal sensitive research data.

Waste Management

Given its comprehensive involvement in waste collection, transportation, treatment, and disposal, the waste management sector faces a considerable risk of cyberattacks that could disrupt its essential operations. The NIS2 Directive now encompasses the waste management industry, mandating it to comply with stringent cybersecurity requirements.

Postal & Courier Services

Acknowledging the significance of the postal sector, the NIS2 directive mandates that organizations operating within this domain undertake necessary measures to fortify their cybersecurity posture, making it strong and resilient.

Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations

Start your compliance journey now.


Protecting Information: The Essential Security Requirements of NIS2

Risk Assessment

One of the key requirements is conducting a thorough risk assessment. This means that businesses impacted by NIS2 must take a close look at the security risks involved with their services and come up with appropriate measures to manage them. It's not just a matter of checking off a box - it's about continuously keeping your business and its customers safe and secure!

Incident Management

Businesses impacted by NIS2 must have a plan in place for how to handle potential cyber security incidents and quickly restore their services. It's like having a fire evacuation plan - you hope you'll never need it, but it's essential to have just in case. So, make sure your incident management plan is in place and ready to go!

Security Measures

When it comes to cyber security, there's no room for shortcuts. That's why NIS2 requires businesses to take appropriate technical and organizational measures to safeguard their networks and information systems. This means conducting regular security testing and implementing measures to protect against potential threats. Think of it like locking your doors and windows at night to keep your home safe - except, in this case, you're securing your business's digital assets.

Incident Reporting

With NIS2's incident reporting requirements, affected businesses must report serious security incidents to the national cybersecurity authority as quickly as possible. This means taking swift action to notify the proper authorities of any significant security threats to your business.

Business Continuity

Having business continuity plans in place, including backup and recovery procedures, can help your business maintain its operations in the event of a cyber incident and will not only minimize downtime, but you'll also ensure the continuity of your critical services.

NIS2 & NIS - What Is The Difference?

The NIS2 directive largely follows the same principles as NIS but with a number of important additions:

  • More businesses, government authorities, and organizations will be subject to NIS2.
  • Greater accountability in making sure your suppliers work securely.
  • Introduction of sanctions, like those included in GDPR
  • Requiring specific training for management
  • Mandatory incident reports of so-called ”near misses”
  • The use of encryption
NIS2 Compliance Graphic

How Can Holm Security Help?

  • Prioritizing Security Gaps from a Risk-Based Perspective

    We believe that taking a risk-based approach to cyber security is the best way to stay one step ahead of potential threats. By prioritizing security gaps in this way, you can strengthen the cycle for addressing new risks and vulnerabilities continuously. But it's not just about reacting to incidents that have already occurred. Our platform offers incident reporting, even for vulnerabilities without incidents, allowing you to proactively discover trends and patterns regarding your cyber security health. We'll ensure you're always on top of potential risks.

  • Partnering with Holm Security for NIS Compliance

    We've helped hundreds of organizations meet the NIS requirements, thanks to our systematic analytical and risk-based approach to cyber risks through continuous and automated vulnerability management. We know that achieving NIS compliance can be a daunting task. That's why we offer a Success Program, providing the tools, training, service, and support you need to make NIS compliance a part of your daily work. With our help, you can navigate the complexities of NIS compliance with ease, leaving you free to focus on what really matters - growing your business.

  • Stay Ahead of Potential Threats 

    With our platform, you can identify vulnerabilities, reduce risk, and ensure compliance, all with just a few clicks. We'll helps you stay on top of potential threats, giving you peace of mind that your systems and data are always secure. So why wait? Take a significant step towards a more systematic approach to cyber threats and a stronger cyber defense with Holm Security.


What You Need To Know

What Is NIS2?

The NIS2 (Network and Information Systems) directive introduces several new requirements for organizations operating in the European Union. These include:

  • Security requirements: NIS2 mandates that organizations implement appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems.
  • Incident reporting: Organizations are required to report significant incidents that have a substantial impact on their network and information systems to the relevant national authority.
  • Incident response: Organizations must have an incident response plan in place that outlines the necessary steps to be taken in the event of a cybersecurity incident.
  • Cooperation: NIS2 emphasizes the importance of cooperation between EU member states, particularly in cross-border incidents.
  • Penalties for non-compliance: NIS2 includes more severe penalties for non-compliance, which can include administrative fines of up to €10 million or 2% of the organization's global annual turnover, whichever is higher.
  • Sector-specific requirements: The directive outlines specific requirements for each of the fifteen sectors covered by NIS2, based on the risk profile of each sector.

It is important to note that the specific requirements of NIS2 may vary depending on the sector and the country in which an organization operates.

When Is the NIS2 Implementation Date?

The NIS2 Directive is set to be put into applicable national law by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of as failure to comply with the directive can result in severe consequences such as financial penalties and damage to reputation. So, it's essential that companies gear up and make necessary preparations to ensure full compliance well before the deadline. Don't wait until it's too late - act now to avoid any potential negative consequences.

What Sectors are Covered by NIS2?

NIS2 Entity Categories
If your organization falls under any of the categories below, NIS2 is applicable to you. 

Essential Entities (EE)
Size threshold: varies by sector, but generally 250 employees, annual turnover of € 50 million or balance sheet of € 43 million

Public Administration
Water supply (drinking & wastewater)
Digital Infrastructure
e.g. cloud computing service providers and ICT management

Important Entities (IE)
Size threshold: varies by sector, but generally 50 employees, annual turnover of € 10 million or balance sheet of € 10 million

Postal Services
Waste Management
e.g. medical devices and other equipment

Digital Providers
e.g. social networks, search engines, online marketplaces

Plus all sectors under “essential entities” and within the size threshold for “important entities”

What Are the NIS2 Fines?

The NIS2 directive takes a nuanced approach to administrative fines, differentiating between essential and important entities.

For those essential entities, the directive stipulates that Member States must set a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.

For important entities, the fines will be slightly lower, with NIS2 requiring Member States to fine them for a maximum of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

It's essential for organizations to understand which category they fall under to ensure that they are fully compliant with the NIS2 directive and avoid any potential financial penalties. Stay on top of your game by knowing your status and taking the necessary steps to ensure compliance!

What Is the Difference between NIS2 & GDPR?

NIS2 is for European cybersecurity what GDPR was for European data protection. Where GDPR strengthened the requirements for how EU member states manage personal data, the aim of NIS2 is to ensure that all European companies and organizations that operate within critical infrastructure maintain an adequate level of cybersecurity.