en
en Global
fr-be Belgium
da Denmark
fi Finland
de-de Germany
en-my Malaysia
nl Netherlands
no Norway
poland Poland
sv Sweden
en-gb UK
in India
uae Middle East
Free trial
KNOWLEDGE BASE

The NIS & NIS2 Directives

The first version of NIS entered into force in 2018. The main purpose of NIS is to create a more resilient and secure digital environment within the EU member states by establishing common cyber security standards, enhancing critical infrastructure protection, promoting risk-based cyber security practices, and fostering cooperation and information-sharing among member states and relevant stakeholders.  

The threat landscape is constantly changing, and the threats are getting bigger. The EU has decided to develop a second version of NIS. The NIS2 Directive will take effect throughout 2025 and seeks to enhance the work further started with the NIS Directive. 

Book a free NIS/NIS2 consultation
Watch video

New in the NIS2 Directive

The NIS2 Directive largely follows the same principles as NIS but with several important additions. NIS2 contains: 

  • More entities and sectors (industries) covered 
  • New methods of selection and registration 
  • New incident notification deadlines 
  • Greater accountability for management and personal responsibility 
  • Introduction of sanctions, like those included in GDPR 
  • Mandatory incident reports, also for so-called “near-misses” 
NIS2 Graphic

Countdown to NIS2 becoming law: Are you ready?

Depending on which EU member country you're in, NIS2 will take effect in the fall of 2024 or in 2025.

 

Request consultation
160 K+
Estimated number of organizations affected by NIS2.
10€ million
Maximum fine for NIS2 non-compliance.
15 sectors
Number of sectors covered by NIS2.
1 million+
Impacted entities due to supply chain security requirements.

Download our
NIS2 Reference Guide

Download

Requires a risk-based & systematic approach

Implementing risk-based and systematic cyber security practices is an important component of NIS and NIS2. Organizations should assess and manage cyber security risks effectively based on their specific circumstances and the potential impact of cyber incidents. A systematic approach goes hand in hand with creating a proactive approach – a pillar in any cyber security strategy.

Holm Security Systematic Risk-based Platform
call center businessman tech support

Cyber security risk management measures

Essential and important entities must take appropriate and proportional technical, operational, and organizational measures to manage the risks posed to the systems that underpin their services and prevent or minimize the impact of incidents on their and other services. 

Such measures include: 

  • Risk analysis and information system security 
  • Incident handling 
  • Business continuity measures (back-ups, disaster recovery, crisis management) 
  • Supply chain security 
  • Security in system acquisition, development, and maintenance, including vulnerability handling and disclosure 
  • Policies and procedures to assess the effectiveness of cyber security risk management measures 
  • Basic computer hygiene and training 
  • Policies on appropriate use of cryptography and encryption 
  • Human resources security, access control policies, and asset management 
  • Use of multi-factor secured voice/video/text communication & secured emergency communication

Management responsibilities under NIS2

Management accountability is yet another cornerstone of NIS2, as the new Directive will obligate management to take ownership of their organizations’ cyber security maturity level. This will include conducting risk assessments and approving risk treatment plans, meaning management must partake in cyber security training. The Directive also mandates organizations train their employees on cyber security risk and response.

Failure by management to comply with NIS2 requirements could result in serious consequences, including liability, temporary bans, and administrative fines as provided for in the implementing national legislation. 

Management bodies of essential and important entities must: 

  • Approve the adequacy of the cyber security risk management measures taken by the entity 
  • Supervise the implementation of risk management measures 
  • Follow training to gain sufficient knowledge and skills to identify risks and assess cyber security risk management practices and their impact on the services provided by the entity 
  • Offer similar training to their employees on a regular basis 
  • Be accountable for non-compliance 
people silhouettes in motion blur
RECORDED WEBINAR

Upgrade your cyber defense to comply with NIS2

View video

Industries impacted by NIS2

The first version of NIS impacted a limited number of sectors. With NIS2 comes extended coverage to a total of 15 industries. The former distinction between Operators of Essential Services (OES) and Digital Service Providers (DSPs) in the original NIS Directive is replaced by a distinction between Essential Entities (EE) and Important Entities (IE), depending on factors such as size, sector, and criticality to society. Both entity types must follow the NIS2 framework for cyber security, whereas essential entities have stricter reporting and supervision requirements.

Essential entities 

Energy

Including subsectors electricity, oil, and gas.

Read more

Transportation

Including subsectors of air transport, rail transport, shipping, and road transport.

Read more

Health

Including subsector healthcare environments (including hospitals and private clinics).

Read more

Public administration

By designating the public administration sector as an essential entity, the NIS2 Directive recognizes the significance of protecting it from cyber threats, reflecting its criticality.
Read more

Banking & financial market infrastructure

Banks and financial market infrastructure, e.g. payment services.

Read more

Digital infrastructure

Digital infrastructure such as the delivery of DNS and TLD registries.

Read more

Water supply

Including drinking water and wastewater.
Read more

Space

The NIS2 Directive recognizes the space sector as an essential entity, subject to its strict cyber security requirements.

Important entities

Digital providers

The digital providers sector is a diverse and ever-changing industry that includes companies offering a range of digital products and services, including search engines, online marketplaces, and social networks.

Food

NIS2 categorizes the food sector as an important entity. Encompassing all stages from farming to food processing, packaging, transportation, and retail sales.

Read more

Chemicals

Covering the manufacture, production, and distribution of chemicals, NIS2 addresses a vital aspect of the industrial landscape that is crucial to Europe's competitiveness. The chemical industry plays a pivotal role in providing innovative materials and technological solutions in this regard.

Manufacturing

The manufacturing sector includes the manufacture of medical devices, computers and electronics, machinery and equipment, motor vehicles, semi-trailers and other transport equipment.
Read more

Research

The research sector is a significant driver of innovation and advancement, which makes it a valuable target for cybercriminals seeking to disrupt critical systems or steal sensitive research data.

Waste management

The NIS2 Directive now encompasses the waste management industry, mandating it to comply with stringent cyber security requirements. Given its comprehensive involvement in waste collection, transportation, treatment, and disposal, the waste management sector faces a considerable risk of cyberattacks that could disrupt its important operations.

Postal & courier services

Acknowledging the significance of the postal sector, the NIS2 Directive mandates that organizations operating within this domain undertake necessary measures to fortify their cyber security posture, making it strong and resilient.
attack vector coverage for compliance needs

Holm Security helps you take a major leap towards NIS/NIS2 compliance

Holm Security helps hundreds of organizations throughout the EU to comply with the NIS Directive and is now helping more to comply with NIS2. We provide the tools you need to take huge steps towards compliance.  

These tools allow you to: 

  • Perform automated and continuous (systematic) risk assessments 
  • Create a proactive approach towards cyber security 
  • Implement basic cyber hygiene practices and cyber security training 
  • Provide the tools needed to secure the supply chain 
  • Help management supervise the implementation of risk management 
  • Demonstrate compliance based on data and reports
READ MORE

Frequently asked questions

We have the answers to your questions about NIS and NIS2. Read more in our FAQ.

Frequently asked questions

FAQs

FAQs

We'll help you comply with the NIS2 Directive.

Get started today.

Request a free NIS/NIS2 consultation

Ready to navigate NIS2 compliance? 
Book your consultation meeting today!