COMPLIANCE

NIS2 Directive

The new NIS2 directive is set to take effect in 2024, bringing stricter cybersecurity requirements for organizations across all EU member states. By adhering to the NIS2 directive now, organizations can gain a competitive advantage by enhancing their reputation and increasing the trust of their customers, ultimately driving growth and profitability.

160K+: estimated companies affected by NIS2
€10M: maximum fine for NIS2 non-compliance
15: number of sectors covered by the NIS2 Directive

NIS2: Europe’s Most Extensive Cybersecurity Directive To Date

The NIS2 directive represents the most expansive cybersecurity mandate in Europe thus far. It introduces more stringent regulations for risk management and reporting of incidents, extends its scope to cover additional industries, and imposes more severe penalties for failing to comply. As a result, a vast number of EU organizations must reevaluate their cybersecurity stance.

Countdown to NIS2 Becomes Law: Are You Ready?

Essential Entities Under The NIS2 Directive

NIS2 distinguishes between Essential Entities (EE) and Important Entities (IE). The directive's Annex I details the former, while Annex II details the latter. Organizations must determine if they fall into either category and adhere to the directive's requirements accordingly.

Energy

Including the subsectors electricity, oil, and gas.

Transportation

Including the subsectors air transport, rail transport, shipping, and road transport.

Health

Including the healthcare subsector (hospitals and private clinics).

Public Administration

By designating the public administration sector as an essential entity, the NIS2 Directive recognizes the significance of protecting it from cyber threats, reflecting its criticality.

Banking & Financial Market Infrastructure

Financial market infrastructure, e.g., payment services.

Digital Infrastructures

Digital infrastructure, such as DNS service provision and TLD name registries.

Water Supply

Including drinking water and wastewater.

Space

The NIS2 Directive recognizes the space sector as an essential entity, subject to its strict cybersecurity requirements.

Important Entities Under The NIS2 Directive

Digital Providers

The digital providers sector is a diverse and ever-changing industry that includes companies offering a range of digital products and services, including search engines, online marketplaces, and social networks.

Food

NIS2 categorizes the food sector as an important entity, encompassing all stages from farming to food processing, packaging, transportation, and retail sales.

Chemicals

Covering the manufacture, production, and distribution of chemicals, NIS2 addresses a vital part of the industrial landscape that is crucial to Europe's competitiveness. The chemical industry plays a pivotal role in providing innovative materials and technological solutions.

Manufacturing

The manufacturing sector includes the manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, semi-trailers, and other transport equipment.

Research

The research sector is a significant driver of innovation and advancement, which makes it a valuable target for cybercriminals seeking to disrupt critical systems or steal sensitive research data.

Waste Management

Given its comprehensive involvement in waste collection, transportation, treatment, and disposal, the waste management sector faces a considerable risk of cyberattacks that could disrupt its essential operations. The NIS2 Directive now encompasses the waste management industry, mandating it to comply with stringent cybersecurity requirements.

Postal & Courier Services

Acknowledging the significance of the postal sector, the NIS2 directive mandates that organizations operating within this domain take the necessary measures to build a strong and resilient cybersecurity posture.

Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations

Start your compliance journey now.

REQUIREMENTS

Protecting Information: The Essential Security Requirements of NIS2

Risk Assessment

One of the key requirements is conducting a thorough risk assessment. This means that businesses impacted by NIS2 must take a close look at the security risks involved with their services and come up with appropriate measures to manage them. It's not just a matter of checking off a box - it's about continuously keeping your business and its customers safe and secure!

Incident Management

Businesses impacted by NIS2 must have a plan in place for how to handle potential cyber security incidents and quickly restore their services. It's like having a fire evacuation plan - you hope you'll never need it, but it's essential to have just in case. So, make sure your incident management plan is in place and ready to go!

Security Measures

When it comes to cyber security, there's no room for shortcuts. That's why NIS2 requires businesses to take appropriate technical and organizational measures to safeguard their networks and information systems. This means conducting regular security testing and implementing measures to protect against potential threats. Think of it like locking your doors and windows at night to keep your home safe - except, in this case, you're securing your business's digital assets.

Incident Reporting

With NIS2's incident reporting requirements, affected businesses must report serious security incidents to the national cybersecurity authority as quickly as possible. This means taking swift action to notify the proper authorities of any significant security threats to your business.

Business Continuity

Having business continuity plans in place, including backup and recovery procedures, helps your business maintain its operations in the event of a cyber incident: it not only minimizes downtime but also ensures the continuity of your critical services.

NIS2 & NIS - What Is The Difference?

The NIS2 directive largely follows the same principles as NIS but with a number of important additions:

  • More businesses, government authorities, and organizations will be subject to NIS2.
  • Greater accountability in making sure your suppliers work securely.
  • Introduction of sanctions, like those included in GDPR.
  • Specific training requirements for management.
  • Mandatory incident reports of so-called “near misses”.
  • The use of encryption.

Safeguard Your Business from Cyberattacks

Extend Visibility

Know what you're up against. We can help you identify your IT system's weak points, categorize the assets that are vulnerable, and pinpoint the most likely threats. This knowledge will help you take action to protect your business proactively. 

Prioritize Action

Identifying risks is just the first step; you need to act on them. We can help you develop a clear action plan that prioritizes your actions based on the level of threat, potential impact, and resources.

Communicate Risk

Don't keep cyber security risks a secret - communication is key. Get a clear view of your business's cyber risk with Holm Security. Our platform provides security executives and business leaders with centralized, business-aligned, and actionable insights into your overall cyber risk.

Ready to Navigate NIS2 Compliance? 
Book Your Consultation Meeting Today!

FAQ

What You Need To Know

What Is NIS2?

The NIS2 (Network and Information Systems) directive introduces several new requirements for organizations operating in the European Union. These include:

  • Security requirements: NIS2 mandates that organizations implement appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems.
  • Incident reporting: Organizations are required to report significant incidents that have a substantial impact on their network and information systems to the relevant national authority.
  • Incident response: Organizations must have an incident response plan in place that outlines the necessary steps to be taken in the event of a cybersecurity incident.
  • Cooperation: NIS2 emphasizes the importance of cooperation between EU member states, particularly in cross-border incidents.
  • Penalties for non-compliance: NIS2 includes more severe penalties for non-compliance, which can include administrative fines of up to €10 million or 2% of the organization's global annual turnover, whichever is higher.
  • Sector-specific requirements: The directive outlines specific requirements for each of the fifteen sectors covered by NIS2, based on the risk profile of each sector.

It is important to note that the specific requirements of NIS2 may vary depending on the sector and the country in which an organization operates.

When Is the NIS2 Implementation Date?

The NIS2 Directive is set to be put into applicable national law by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of as failure to comply with the directive can result in severe consequences such as financial penalties and damage to reputation. So, it's essential that companies gear up and make necessary preparations to ensure full compliance well before the deadline. Don't wait until it's too late - act now to avoid any potential negative consequences.

What Sectors are Covered by NIS2?

NIS2 Entity Categories

If your organization falls under any of the categories below, NIS2 is applicable to you.

Essential Entities (EE)

Size threshold: varies by sector, but generally 250 employees, annual turnover of €50 million, or balance sheet of €43 million.

  • Energy
  • Transport
  • Finance
  • Public Administration
  • Health
  • Space
  • Water supply (drinking & wastewater)
  • Digital Infrastructure (e.g. cloud computing service providers and ICT management)

Important Entities (IE)

Size threshold: varies by sector, but generally 50 employees, annual turnover of €10 million, or balance sheet of €10 million.

  • Postal Services
  • Waste Management
  • Chemicals
  • Research
  • Foods
  • Manufacturing (e.g. medical devices and other equipment)
  • Digital Providers (e.g. social networks, search engines, online marketplaces)

Plus all sectors listed under “essential entities” that fall within the size threshold for “important entities”.

What Are the NIS2 Fines?

The NIS2 directive takes a nuanced approach to administrative fines, differentiating between essential and important entities.

For essential entities, the directive stipulates that Member States must set a maximum fine level of at least €10,000,000 or 2% of the global annual revenue, whichever is higher.

For important entities, the fines are slightly lower: NIS2 requires Member States to set a maximum fine level of at least €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

It's essential for organizations to understand which category they fall under to ensure that they are fully compliant with the NIS2 directive and avoid any potential financial penalties. Stay on top of your game by knowing your status and taking the necessary steps to ensure compliance!

What Is the Difference between NIS2 & GDPR?

NIS2 is for European cybersecurity what GDPR was for European data protection. Where GDPR strengthened the requirements for how EU member states manage personal data, the aim of NIS2 is to ensure that all European companies and organizations that operate within critical infrastructure maintain an adequate level of cybersecurity.