NIS2 Directive
The new NIS2 directive takes effect in 2024, bringing stricter cybersecurity requirements for organizations across all EU member states. By aligning with the NIS2 directive now, organizations can gain a competitive advantage by enhancing their reputation and increasing the trust of their customers, ultimately driving growth and profitability.
NIS2: Europe’s Most Extensive Cybersecurity Directive To Date


Essential Entities Under The NIS2 Directive
Energy
Including the subsectors: electricity, oil, and gas.
Transportation
Including the subsectors: air transport, rail transport, shipping, and road transport.
Health
Including the subsector: healthcare environments (including hospitals and private clinics).
Public Administration
Banking & Financial Market Infrastructure
Financial market infrastructure, e.g., payment services.
Digital Infrastructures
Digital infrastructures, such as the delivery of DNS and TLD registries.
Water Supply
Space
Important Entities Under The NIS2 Directive
Digital Providers
Food
NIS2 categorizes the food sector as an important entity, encompassing all stages from farming to food processing, packaging, transportation, and retail sales.
Chemicals
Manufacturing
Research
Waste Management
Postal & Courier Services
Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations
Start your compliance journey now.
Protecting Information: The Essential Security Requirements of NIS2
Risk Assessment
One of the key requirements is conducting a thorough risk assessment. This means that businesses impacted by NIS2 must take a close look at the security risks involved with their services and come up with appropriate measures to manage them. It's not just a matter of checking off a box - it's about continuously keeping your business and its customers safe and secure!
Incident Management
Businesses impacted by NIS2 must have a plan in place for how to handle potential cyber security incidents and quickly restore their services. It's like having a fire evacuation plan - you hope you'll never need it, but it's essential to have just in case. So, make sure your incident management plan is in place and ready to go!
Security Measures
When it comes to cyber security, there's no room for shortcuts. That's why NIS2 requires businesses to take appropriate technical and organizational measures to safeguard their networks and information systems. This means conducting regular security testing and implementing measures to protect against potential threats. Think of it like locking your doors and windows at night to keep your home safe - except, in this case, you're securing your business's digital assets.
Incident Reporting
With NIS2's incident reporting requirements, affected businesses must report serious security incidents to the national cybersecurity authority as quickly as possible. This means taking swift action to notify the proper authorities of any significant security threats to your business.
Business Continuity
Having business continuity plans in place, including backup and recovery procedures, helps your business maintain its operations in the event of a cyber incident. This not only minimizes downtime but also ensures the continuity of your critical services.
NIS2 & NIS - What Is The Difference?
The NIS2 directive largely follows the same principles as NIS but with a number of important additions:
- More businesses, government authorities, and organizations will be subject to NIS2.
- Greater accountability in making sure your suppliers work securely.
- Introduction of sanctions, like those included in GDPR.
- Specific training requirements for management.
- Mandatory reporting of incidents, including so-called "near misses".
- The use of encryption.

Getting You Ready for NIS2 Compliance

What Is NIS2 & How Will It Affect Your Organization?
Under the NIS2 Directive, more entities and sectors will be required to take steps that improve cyber security in Europe. In addition to addressing supply chain security, NIS2 streamlines reporting obligations, introduces stricter supervisory measures, and introduces more enforcement requirements.

How the NIS2 Cyber Security Directive Will Impact You
As part of this webinar, we will be joined by Anders Jonson, a Cyber Security Expert and Senior Advisor at ENISA, who has been involved in the development of NIS2 for the EU.

Lessons on NIS2 Compliance: A Guide to Securing Critical Infrastructure
Discover how to navigate the scope of the NIS2 directive and comply with its requirements to prevent and respond to cyberattacks.
Safeguard Your Business from Cyberattacks
Extend Visibility
Know what you're up against. We can help you identify your IT system's weak points, categorize the assets that are vulnerable, and pinpoint the most likely threats. This knowledge will help you take action to protect your business proactively.
Prioritize Action
Identifying risks is just the first step; you need to act on them. We can help you develop a clear action plan that prioritizes your actions based on the level of threat, potential impact, and resources.
Communicate Risk
Don't keep cyber security risks a secret - communication is key. Get a clear view of your business's cyber risk with Holm Security. Our platform provides security executives and business leaders with centralized and business-aligned insights, including actionable insights into your overall cyber risk.

Ready to Navigate NIS2 Compliance?
Book Your Consultation Meeting Today!
What You Need To Know
What Is NIS2?
The NIS2 (Network and Information Systems) directive introduces several new requirements for organizations operating in the European Union. These include:
- Security requirements: NIS2 mandates that organizations implement appropriate and proportionate technical and organizational measures to manage the risks posed to the security of their network and information systems.
- Incident reporting: Organizations are required to report significant incidents that have a substantial impact on their network and information systems to the relevant national authority.
- Incident response: Organizations must have an incident response plan in place that outlines the necessary steps to be taken in the event of a cybersecurity incident.
- Cooperation: NIS2 emphasizes the importance of cooperation between EU member states, particularly in cross-border incidents.
- Penalties for non-compliance: NIS2 includes more severe penalties for non-compliance, which can include administrative fines of up to €10 million or 2% of the organization's global annual turnover, whichever is higher.
- Sector-specific requirements: The directive outlines specific requirements for each of the fifteen sectors covered by NIS2, based on the risk profile of each sector.
It is important to note that the specific requirements of NIS2 may vary depending on the sector and the country in which an organization operates.
When Is the NIS2 Implementation Date?
The NIS2 Directive must be transposed into national law by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of, as failure to comply with the directive can result in severe consequences such as financial penalties and damage to reputation. Companies should therefore make the necessary preparations to ensure full compliance well before the deadline. Don't wait until it's too late - act now to avoid any potential negative consequences.
What Sectors are Covered by NIS2?
If your organization falls under any of the categories below, NIS2 is applicable to you.
Essential Entities (EE)
Size threshold: varies by sector, but generally 250 employees, an annual turnover of €50 million, or a balance sheet total of €43 million.
Energy
Transport
Finance
Public Administration
Health
Space
Water supply (drinking & wastewater)
Digital Infrastructure
e.g. cloud computing service providers and ICT management
Important Entities (IE)
Size threshold: varies by sector, but generally 50 employees, an annual turnover of €10 million, or a balance sheet total of €10 million.
Postal Services
Waste Management
Chemicals
Research
Foods
Manufacturing
e.g. medical devices and other equipment
Digital Providers
e.g. social networks, search engines, online marketplaces
Plus all sectors listed under "essential entities" whose organizations fall within the size threshold for "important entities".
What Are the NIS2 Fines?
The NIS2 directive takes a nuanced approach to administrative fines, differentiating between essential and important entities.
For essential entities, the directive stipulates that Member States must set a maximum fine of at least €10,000,000 or 2% of global annual revenue, whichever is higher.
For important entities, the fines are slightly lower: NIS2 requires Member States to set a maximum fine of at least €7,000,000 or 1.4% of global annual revenue, whichever is higher.
It's essential for organizations to understand which category they fall under to ensure that they are fully compliant with the NIS2 directive and avoid any potential financial penalties. Stay on top of your game by knowing your status and taking the necessary steps to ensure compliance!
What Is the Difference between NIS2 & GDPR?
NIS2 is for European cybersecurity what GDPR was for European data protection. Where GDPR strengthened the requirements for how EU member states manage personal data, the aim of NIS2 is to ensure that all European companies and organizations that operate within critical infrastructure maintain an adequate level of cybersecurity.