KNOWLEDGE BASE

Frequently asked questions

Understanding NIS and NIS2 is a challenge for most organizations. Our experts are here to help you understand and meet the new requirements.

NIS & NIS2 FAQ

We have the answers to your questions about NIS & NIS2

How do I know if my organization must comply with NIS2?

The first step to compliance with NIS2 is establishing whether your organization is in scope at all: check whether you operate in one of the sectors listed in Annex I or Annex II of the Directive and whether you meet the size threshold. We recommend looking at our NIS2 Reference Guide and referring to your local authority's guidance, since each member state designates its own competent authority and may register entities nationally.

Which sectors does NIS2 apply to?

Entities in the listed sectors must comply with NIS2 if they qualify as medium-sized or large enterprises (at least 50 employees, or an annual turnover or balance sheet total above EUR 10 million). Smaller organizations are generally out of scope, but some providers are covered regardless of size, for example DNS service providers, top-level domain name registries, trust service providers, providers of public electronic communications networks, and entities that are the sole provider of a service essential to society in a member state.

Please look at our NIS2 Reference Guide for more details.

Sectors in NIS version 1:

  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water supply and distribution
  • Digital infrastructure
  • Digital service providers (online marketplaces, online search engines, cloud computing services)

Added or expanded in NIS2:

  • Public administration
  • ICT service management (business-to-business): managed service providers and managed security service providers
  • Digital infrastructure, expanded to cover, among others, data centre services, content delivery networks, trust service providers, and public electronic communications networks and services
  • Wastewater
  • Waste management
  • Manufacturing of certain critical products (medical devices, computers and electronics, electrical equipment, machinery, motor vehicles and other transport equipment)
  • Chemicals: production, processing and distribution
  • Food: production, processing and distribution
  • Space
  • Postal and courier services
  • Research


What is the key purpose of NIS2?

Increasing cyber security resilience 

NIS2 requires EU member states and the entities in scope to strengthen their cyber security resilience and their preparedness to respond to, and recover from, cyber incidents effectively.

Harmonizing cyber security standards 

It seeks to harmonize cyber security standards and practices across the EU to ensure a consistent and high level of security across the digital landscape. 

Mandatory reporting of incidents 

NIS2 mandates the reporting of significant incidents to the national CSIRT or competent authority on a fixed timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month. It also establishes a coordinated mechanism for sharing information on cyber threats and incidents among member states.

Critical infrastructure protection 

The Directive places a special focus on protecting critical infrastructure sectors, such as energy, transportation, healthcare, and digital infrastructure by requiring them to meet specific cyber security requirements. 

Enforcement and penalties 

NIS2 introduces measures for effective enforcement of cyber security requirements and penalties for non-compliance, thereby incentivizing organizations to invest in cyber security measures. 

Cooperation and information-sharing 

It promotes cooperation and information sharing among member states and between the public and private sectors to enhance collective cyber security defense. 

When will NIS2 come into effect?

The NIS2 Directive entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024, with the national measures applying from 18 October 2024. Several member states missed that deadline, so national legislation has continued to land through 2025, and the exact obligations and registration steps depend on the law in each country where you operate. Failure to comply can result in severe consequences such as financial penalties and damage to reputation, so it is essential that companies make the necessary preparations now rather than waiting for their national law to be finalized.

What is the difference between essential & important entities?

Entities in both categories must meet the same security requirements. The difference lies in the supervisory measures and penalties that apply.

Essential entities are subject to proactive supervision, including regular and targeted audits and on-site inspections that authorities can carry out at any time, without waiting for evidence of a problem. Important entities are subject to ex-post supervision only, meaning that authorities act if and when they receive evidence or an indication of non-compliance. Essential entities also face the higher tier of fines, as described below.

What are the NIS2 fines?

The NIS2 Directive takes a nuanced approach to administrative fines, differentiating between the two types of entities. 

Essential entities:

A maximum of 10,000,000 EUR or 2% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.

Important entities:

A maximum of 7,000,000 EUR or 1.4% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.

How can Holm Security help my organization comply with NIS2?

Implementing risk-based cyber security practices is one of the most important areas of NIS and NIS2. Holm Security helps organizations that must comply with NIS and NIS2:  

  • Perform automated and continuous (systematic) risk assessments. 
  • Create a proactive approach towards cyber security.
  • Implement basic cyber hygiene practices and cyber security training.
  • Provide the tools needed to secure the supply chain.
  • Help management supervise the implementation of risk management.
  • Demonstrate compliance based on data and reports. 

Is vulnerability management required for compliance with NIS2?

The Directive does not use the words "vulnerability scanning", but Article 21 requires risk-management measures that include risk analysis, vulnerability handling and disclosure, and procedures to assess the effectiveness of the measures taken. In practice, regular vulnerability scanning (security scanning) is how an organization demonstrates it is doing this, which is why national authorities such as the National Cyber Security Centre (NCSC) of Ireland and the Swedish Civil Contingencies Agency (MSB) refer to vulnerability management as a key element of compliance with NIS2.

When complying with NIS/NIS2, what must we consider regarding our suppliers?

One of the focus areas of NIS2 is securing the supply chain. Article 21 requires you to address the security of your direct suppliers and service providers as part of your own risk-management measures, taking into account the vulnerabilities specific to each supplier and the quality of their products and security practices. NIS2 does not automatically put your suppliers in scope, but it makes it your responsibility to assess them, to require an appropriate level of security from them (typically through contractual requirements), and to follow up on whether they meet it.

We’re happy to tell you more about our solutions for securing your supply chain.

I’m a supplier to an organization that must comply with NIS/NIS2 – what should I consider?

As a supplier to an organization that must comply with NIS/NIS2, you will not necessarily be in scope of the Directive yourself, but your customer is obliged to manage the risk you introduce and will pass security requirements on to you, for example through contracts, security questionnaires and audits. You should expect to demonstrate your own vulnerability management, incident handling and basic cyber hygiene. Contact us to discuss how we can help you prepare to meet the NIS2 requirements for the supply chain.

What is the difference between NIS/NIS2 and DORA?

The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA has many similarities with NIS and NIS2, like the risk-based approach, but is limited to the financial sector, while NIS2 applies to many industries indispensable to society. 

Directive & regulation

NIS is a directive, whereas DORA is a regulation.

A directive sets a course, and cannot be applied as it stands in every EU Member State. It must first be transposed into the national law of each country.

A regulation, on the other hand, applies unchanged in all Member States as soon as it comes into force. It is a binding legislative act and must be enforced in its entirety.

What else is different?

The NIS2 Directive harmonizes the overall level of cyber security across the EU. Its goal is to ensure that the companies and organizations most important to the smooth running of our society achieve a high common level of digital security.

The DORA regulation aims to strengthen the financial sector's digital operational resilience. Its role is to ensure that financial entities can withstand and operate even during a cyber attack. The availability and integrity of financial services are at the very core of the regulation.

In practice, the two texts complement rather than compete with each other. NIS2 aims to strengthen the overall level of cyber security in the EU, while DORA ensures that the financial system remains functional even during a cyberattack. NIS2 treats DORA as sector-specific legislation: for financial entities covered by DORA, its requirements on ICT risk management and incident reporting apply in place of the corresponding NIS2 obligations, so such entities follow DORA rather than reporting under both regimes.

Read more about DORA here

"Holm Security has become an integral part of our cyber security strategy, helping us protect client data, meet compliance requirements, and maintain operational resilience."
Victor Jerlin
CTO - Co-founder, Internet Vikings
"Since implementing Holm Security's Next-Gen Vulnerability Management Platform, we continuously monitor vulnerabilities and know where we are vulnerable."
Emir Saffar
CISO - Ur&Penn
"The data and visibility we've received from Holm Security's platform have allowed us to set up regular scanning of our OT environment, reduce our risk score, and remove vulnerabilities - from software and hardware alike. I'm very happy with the progress we've made, and our CSM is always on hand when needed."
Henrik Linder
Network Engineer - AB Kristianstadbyggen
"Holm Security's Customer Success and Support & Delivery teams have been instrumental in helping us interpret and act on the extensive data gathered from our IT environment scans. Their guidance has enabled us to transform raw scan results into meaningful insights, giving us a clear, comprehensive overview of our infrastructure. We can now effectively prioritize our assets and vulnerabilities based on business relevance, significantly improving our ability to manage risk and maintain a stronger security posture."
Henri Scerri
Group IT Manager - The Xara Collection
"With Holm Security, we identify vulnerabilities as they emerge in our environment and gain deep insight into their severity, exploitability, and business impact. The platform delivers clear and actionable remediation guidance, enabling us to prioritize risks correctly and address them efficiently."
Odd-Arne Haraldsen
IT Operations Manager - Svenljunga kommun
"Both the platform and the support have worked well from the start. From network and web application scanning to Customer Success, Holm Security delivers what we need."
Robert Thel
IT Security Coordinator - Ljungby kommun

We'll help you comply with the NIS2 Directive.

Get started today.