
The NIS & NIS2 Directive

The first version of NIS entered into force in 2018. The main purpose of NIS is to create a more resilient and secure digital environment within the EU member states by establishing common cyber security standards, enhancing the protection of critical infrastructure, promoting risk-based cyber security practices, and fostering cooperation and information sharing among member states and relevant stakeholders. The threat landscape is constantly changing, and the threats are growing. The EU has therefore decided to develop a second version of NIS. The NIS2 Directive takes effect in October 2024 and seeks to build on the work started with the NIS Directive.

What Is New in the NIS2 Directive

The NIS2 directive largely follows the same principles as NIS but with several important additions. Here are some highlights. 

  • More entities (industries) and sectors are covered.
  • New methods of selection and registration.
  • New incident notification deadlines.
  • Greater accountability for management and personal responsibility.
  • Introduction of sanctions, like those included in GDPR.
  • Mandatory incident reports, also for so-called "near misses".

Countdown to NIS2 Becomes Law: Are You Ready?

NIS2 enters into effect in October 2024.

  • 160K+: estimated number of organizations affected by NIS2.
  • €10 million: maximum fine for NIS2 non-compliance.
  • 15 industries: number of entities (industries) covered by NIS2.
  • 1 million+: organizations impacted because of the supply chain security requirements.

Requires a Risk-Based & Systematic Approach

Implementing risk-based and systematic cyber security practices is one of the most important areas of NIS and NIS2. Organizations should assess and manage cyber security risks effectively based on their specific circumstances and the potential impact of cyber incidents. A systematic approach goes hand in hand with creating a proactive approach – a pillar in any cyber security strategy. 


Cyber Security Risk Management Measures

Essential and Important entities must take appropriate and proportional technical, operational, and organizational measures to manage the risks posed to the systems that underpin their services and prevent or minimize the impact of incidents on their and other services. 

  1. Risk analysis and information system security.
  2. Incident handling.
  3. Business continuity measures (back-ups, disaster recovery, and crisis management).
  4. Supply chain security.
  5. Security in system acquisition, development, and maintenance, including vulnerability handling and disclosure.
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures.
  7. Basic computer hygiene and training.
  8. Policies on appropriate use of cryptography and encryption.
  9. Human resources security, access control policies, and asset management.
  10. Use of multi-factor authentication, secured voice/video/text communication, and secured emergency communication.

Management Responsibilities with NIS2

Senior management has ultimate responsibility for cybersecurity risk management in Essential and Important Entities. Failure by management to comply with NIS2 requirements could result in serious consequences, including liability, temporary bans, and administrative fines as provided for in the implementing national legislation. 

Management bodies of Essential and Important Entities must: 

  • Approve the adequacy of the cybersecurity risk management measures taken by the entity.
  • Supervise the implementation of the risk management measures.
  • Follow training in order to gain sufficient knowledge and skills to identify risks and assess cybersecurity risk management practices and their impact on the services provided by the entity.
  • Offer similar training to their employees on a regular basis. 
  • Be accountable for non-compliance.

Industries Impacted by NIS2

The first version of NIS impacted a limited number of entities (industries). NIS2 extends coverage to 15 entities. The former distinction between Operators of Essential Services (OES) and Digital Service Providers (DSP) in the original NIS Directive is replaced by a distinction between Essential Entities (EE) and Important Entities (IE), depending on factors such as size, sector, and criticality. Both entity types must follow the NIS2 cyber security framework, with Important Entities subject to a stricter framework.

Essential Entities

Energy

Including the subsectors electricity, oil, and gas.

Transportation

Including the subsectors air transport, rail transport, shipping, and road transport.

Health

Including the healthcare subsector (hospitals and private clinics).

Public Administration

By designating the public administration sector as an essential entity, the NIS2 Directive recognizes the significance of protecting it from cyber threats, reflecting its criticality.

Banking & Financial Market Infrastructure

Financial market infrastructure, e.g., payment services.


Digital Infrastructures

Digital infrastructures, such as the delivery of DNS and TLD registries.


Water Supply

Including drinking water and wastewater.

Space

The NIS2 Directive recognizes the space sector as an essential entity, subject to its strict cybersecurity requirements.

Important Entities

Digital Providers

The digital providers sector is a diverse and ever-changing industry that includes companies offering a range of digital products and services, including search engines, online marketplaces, and social networks.

Food

NIS2 categorizes the food sector as an important entity, encompassing all stages from farming to food processing, packaging, transportation, and retail sales.

Chemicals

Covering the manufacture, production, and distribution of chemicals, NIS2 addresses a vital aspect of the industrial landscape that is crucial to Europe's competitiveness. The chemical industry plays a pivotal role in providing innovative materials and technological solutions in this regard.

Manufacturing

The manufacturing sector includes the manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, and semi-trailers and other transport equipment.

Research

The research sector is a significant driver of innovation and advancement, which makes it a valuable target for cybercriminals seeking to disrupt critical systems or steal sensitive research data.

Waste Management

Given its comprehensive involvement in waste collection, transportation, treatment, and disposal, the waste management sector faces a considerable risk of cyberattacks that could disrupt its essential operations. The NIS2 Directive now encompasses the waste management industry, mandating it to comply with stringent cybersecurity requirements.

Postal & Courier Services

Acknowledging the significance of the postal sector, the NIS2 directive mandates that organizations operating within this domain undertake necessary measures to fortify their cybersecurity posture, making it strong and resilient.

Holm Security Helps You Take a Huge Step Towards NIS/NIS2 Compliance

Holm Security has helped hundreds of organizations throughout the EU to comply with the NIS Directive and is now helping more to comply with NIS2. We provide the tools you need to take huge steps towards compliance.

  • Perform automated and continuous (systematic) risk assessments.
  • Create a proactive approach towards cyber security.
  • Implement basic cyber hygiene practices and cybersecurity training.
  • Provide the tools needed to secure the supply chain.
  • Help management supervise the implementation of risk management.
  • Demonstrate compliance based on data and reports. 


Don't Wait Until It's Too Late. We'll Help You Comply with NIS2 Regulations

Start your compliance journey now.

FAQ

What You Need To Know

How do I know if my organization must comply with NIS2?

The first step to comply with NIS2 is understanding whether your organization must comply. We recommend looking at our NIS2 quick reference and referring to your local authorities' guidance.  

What is the key purpose of NIS and NIS2?

Increasing Cybersecurity Resilience 

NIS2 encourages member states and critical infrastructure operators to enhance their cyber security resilience and preparedness to respond to and recover from cyber incidents effectively. 

Harmonizing Cybersecurity Standards 

It seeks to harmonize cyber security standards and practices across the EU to ensure a consistent and high level of security across the digital landscape. 

Mandatory Reporting of Incidents 

NIS2 mandates reporting significant cyber incidents to national authorities and establishes a coordinated mechanism for sharing information on cyber threats and incidents among member states. 

Critical Infrastructure Protection 

The directive specializes in protecting critical infrastructure sectors, such as energy, transport, healthcare, and digital infrastructure, requiring them to meet specific cyber security requirements. 

Enforcement and Penalties 

NIS2 introduces measures for effectively enforcing cyber security requirements and penalties for non-compliance, incentivizing organizations to invest in cyber security measures. 

Cooperation and Information Sharing 

It promotes cooperation and information sharing among member states and between the public and private sectors to enhance collective cyber security defense. 

Why is there a NIS2?

These are the main reasons for the second version of NIS (NIS2) coming in October 2024:

  • Evolving cyber threat landscape
  • Increased dependency on digital infrastructure
  • Technological advancements
  • Lessons learned from NIS1
  • Harmonization and consistent implementation
  • Expansion of scope
  • Alignment with other EU legislation
  • International cooperation

What is new in NIS2?

To summarize, what is new in NIS2 is the following:

  • More entities (industries) and sectors are covered.
  • New methods of selection and registration.
  • New incident notification deadlines.
  • Greater accountability for management and personal responsibility.
  • Introduction of sanctions, like those included in GDPR.
  • Mandatory incident reports, also for so-called "near misses".

When will NIS2 enter into effect?

The NIS2 Directive is to be transposed into applicable national law by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of, as failure to comply with the directive can result in severe consequences such as financial penalties and damage to reputation. Companies must therefore gear up and prepare to ensure full compliance well before the deadline. Be sure to act now to avoid any potential negative consequences.

What are the NIS2 fines?

The NIS2 directive takes a nuanced approach to administrative fines, differentiating between the Essential and Important Entities. 

Essential Entities
A maximum of at least 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher. 

Important Entities
A maximum of at least 7,000,000 EUR or 1.4% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.

How can Holm Security help my organization comply with NIS2?

Implementing risk-based cyber security practices is one of the most important areas of NIS and NIS2. Holm Security helps organizations that must comply with NIS and NIS2 within several key areas:

  • Perform automated and continuous (systematic) risk assessments.
  • Create a proactive approach towards cyber security.
  • Implement basic cyber hygiene practices and cyber security training.
  • Provide the tools needed to secure the supply chain.
  • Help management supervise the implementation of risk management.
  • Demonstrate compliance based on data and reports. 

Is vulnerability management required for compliance with NIS and NIS2?

According to the requirements stated by the EU and local authorities, vulnerability scanning (security scanning) is required as part of the key element risk assessment. For instance, the National Cyber Security Centre (NCSC) of Ireland and the Swedish Civil Contingencies Agency (MSB) both refer to vulnerability management as a critical element in compliance with the NIS2 Directive.

When complying with NIS/NIS2, what must we consider regarding our suppliers?

One of the focus areas of NIS2 is securing the supply chain. This means that you will have to make sure not only that your organization is secure but also that your suppliers are. In other words, you will have a responsibility to secure the entire supply chain. We're happy to tell you more about our solutions for securing your supply chain.

I’m a supplier to an organization that must comply with NIS/NIS2 – what should I consider?

As a supplier to an organization that must comply with NIS/NIS2, you must ensure that you fulfill more or less the same security requirements. Even if NIS2 does not apply to your organization directly, you must still comply. Contact us to discuss how we can help you become ready to meet the future NIS2 requirements for the supply chain.

Ready to Navigate NIS2 Compliance? 
Book Your Consultation Meeting Today!