What is NIS2?
NIS2 is a European directive and stands for Network and Information Security 2. NIS2 is the successor to 2016's NIS. It does not supplement the old NIS but replaces it completely. NIS2 aims at improved digital and economic resilience. The October 17, 2024 deadline for transposition into Dutch law is not going to be met. Nevertheless, the general advice is for organizations to comply with this directive by October 17, 2024 anyway: for the digital security of your organization, because of requirements from your customers, to gain competitive advantage, etc.
Who does NIS2 apply to?
A key difference between NIS and NIS2 is that it will apply to significantly more sectors. It will also distinguish between essential entities and important entities. Below is a table of the relevant sectors.
Organizations that are medium-sized (fewer than 250 employees and an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million) or larger, and that operate in any of these sectors, are covered.
| Essential | Important |
| --- | --- |
| Energy | Digital providers |
| Transport | Postal and courier services |
| Banking | Waste management |
| Financial market infrastructure | Food |
| Healthcare | Chemical substances |
| Drinking water | Research |
| Digital infrastructure | Manufacturing |
| Managers of ICT services | |
| Wastewater | |
| Government services | |
| Space | |
The contents of NIS2
The directive's requirements regarding the measures to be taken to mitigate cyber risks do not differ between essential and important entities; there is, however, a difference in oversight and sanction policies. Sanctions range from binding instructions and hefty fines to holding directors personally accountable and suspending them. NIS2 is a directive to take seriously.
Measures to be taken include information systems security policies, an incident handling procedure, backup management and business continuity plans, supply chain security, etc.
In addition, the directive explicitly requires organizations to also consider the vulnerabilities of their suppliers, and of their suppliers' suppliers, when determining measures. As a result, NIS2 will impact not only the organizations directly covered by the directive but also the parties that supply them.
Furthermore, the board is given a greater role and greater responsibility. For example, board members must approve cybersecurity measures and oversee their implementation. They are also required to undergo mandatory training.
In addition to taking these mandatory measures, organizations are required to report significant incidents covered by NIS2.
NIS2 implementation
NIS2 applies to significantly more organizations than a first impression might suggest, in part because entities must also monitor the level of IT security control of their suppliers. Clearly, NIS2 will not just be an internal exercise. The measures mentioned in the directive are not formulated in a normative manner, as is the case with DORA (the Digital Operational Resilience Act). A thorough risk analysis, a good standards framework and the implementation of appropriate measures is no small task.
Our recent blog provides more detailed information about NIS2, or download our free whitepaper for further comprehensive insights.
N.B. NIS2 is a European directive. If you have customers in other European countries, the directive may have been transposed into local legislation there earlier than in the Netherlands. Your customers may therefore require you to comply with NIS2 sooner.
Learn more about NIS2
Are you interested in more information on this topic? Then please contact Marc van Heese or Toine van den Hurk. We are ready to answer your questions and help you further.
Our expert team, with years of experience, is ready to support you and offer personalized advice tailored to your specific situation. We strive to respond to your inquiries as quickly as possible.