About NIS2 Compliance

Understanding the Network and Information Security Directive 2 (NIS2) and its implications for your organization.

What is NIS2?

The Network and Information Security Directive 2 (NIS2) is an EU directive that aims to enhance the overall level of cybersecurity across the European Union. It replaces the original NIS Directive with expanded scope, stricter security requirements, and more severe penalties for non-compliance.

NIS2 (Directive (EU) 2022/2555) was adopted on 14 December 2022, and EU member states had until 17 October 2024 to transpose it into national law. Organizations in scope must implement appropriate security measures and report significant incidents to the competent authority or CSIRT designated in their member state.

Key Requirements

Risk Management Measures

Implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks.

Incident Handling

Establish procedures for handling cybersecurity incidents, including detection, response, and recovery.

Business Continuity

Implement business continuity measures such as backup management and disaster recovery to ensure service continuity.

Supply Chain Security

Address security risks in the supply chain, including security-related aspects of relationships with suppliers and service providers.

Network Security

Implement measures to ensure network and information system security, including network segregation and access controls.

Incident Reporting

Report significant incidents to the competent authority or CSIRT in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours with an initial assessment of severity, impact, and any indicators of compromise, and a final report no later than one month after the incident notification.

Vulnerability Handling

Establish procedures for vulnerability disclosure and management, including coordinated vulnerability disclosure policies.

Governance & Accountability

Management bodies must approve cybersecurity risk management measures and oversee their implementation.

Who is Affected?

NIS2 significantly expands the scope of organizations covered by cybersecurity regulations. It distinguishes between "essential" and "important" entities based on their sector and size.

Essential Entities
Highly critical sectors with stricter requirements
  • Sectors: Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space
  • Size Threshold: Large enterprises, i.e. 250 or more employees, OR both annual turnover exceeding €50 million AND balance sheet total exceeding €43 million (certain providers, such as DNS and trust service providers, are essential regardless of size)
Important Entities
Other critical sectors with significant requirements
  • Sectors: Postal services, waste management, chemicals, food, manufacturing, digital providers, research organizations, and medium-sized entities in essential sectors
  • Size Threshold: Medium-sized enterprises, i.e. 50 or more employees, OR both annual turnover AND balance sheet total exceeding €10 million

Penalties for Non-Compliance

Significant Financial Penalties

NIS2 introduces substantial administrative fines for non-compliance:

  • Essential Entities: Up to €10 million or 2% of global annual turnover (whichever is higher)
  • Important Entities: Up to €7 million or 1.4% of global annual turnover (whichever is higher)
  • Management bodies can be held personally liable for breaches of their duties to ensure compliance

How Our Assessment Tool Helps

Our NIS2 Compliance Assessment Tool helps organizations navigate the complex requirements of the directive by:

  • Determining if your organization falls under the scope of NIS2
  • Assessing your current cybersecurity maturity against NIS2 requirements
  • Calculating potential financial exposure from non-compliance
  • Providing actionable recommendations to improve your compliance posture
  • Offering a prioritized roadmap for addressing compliance gaps