What is NIS2?

NIS2 is a European directive and stands for Network and Information Security 2. NIS2 is the successor to the 2016 NIS directive. It does not supplement the old NIS but replaces it completely. NIS2 aims at improved digital and economic resilience. The October 17, 2024 deadline for transposition into Dutch law is not going to be met. Nevertheless, the general advice is for organizations to comply with this directive by October 17, 2024: for the digital security of your organization, because your customers require it, to gain competitive advantage, etc.

Who does NIS2 apply to?

A key difference between NIS and NIS2 is that NIS2 applies to significantly more sectors. It also distinguishes between essential entities and important entities. Below is an overview of the relevant sectors.

Organizations that are medium-sized (fewer than 250 people and an annual turnover not exceeding EUR 50 million or an annual balance sheet total not exceeding EUR 43 million) or larger and that operate in any of these sectors are covered.

Essential entities:
- Energy
- Transport
- Banking
- Financial market infrastructure
- Healthcare
- Drinking water
- Digital infrastructure
- Managers of ICT services
- Wastewater
- Government services
- Space

Important entities:
- Digital providers
- Postal and courier services
- Waste management
- Food
- Chemical substances
- Research
- Manufacturing

The contents of NIS2

The directive's requirements regarding the measures to be taken to mitigate cyber risks do not differ between essential and important entities; however, there is a difference in oversight and sanction policies. Sanctions range from binding instructions and hefty fines to holding directors personally accountable and suspending them. NIS2 is a directive to take seriously.

Measures to be taken include information system security policies, an incident handling procedure, backup management and business continuity plans, supply chain security, etc.

In addition, the directive explicitly requires organizations to also consider the vulnerabilities of their suppliers, and of their suppliers' suppliers, when determining measures. As a result, NIS2 will impact not only the organizations directly covered by the directive but also the parties that supply them.

Furthermore, the board is given a greater role and responsibility. For example, board members must approve the cybersecurity measures and oversee their implementation. They are also required to undergo mandatory training.

In addition to taking the mandatory measures, organizations are required to report significant incidents covered by NIS2.

NIS2 implementation

NIS2 applies to significantly more organizations than a first impression might suggest, in part because entities must also monitor the level of IT security control of their suppliers. Clearly, NIS2 will not be just an internal exercise. Unlike DORA (Digital Operational Resilience Act), the directive does not formulate its measures in a prescriptive, normative manner. Performing a thorough risk analysis, choosing a good standards framework and taking appropriate measures is no trivial matter.

Our recent blog provides more detailed information about NIS2, or download our free whitepaper for further comprehensive insights.

N.B. NIS2 is a European directive. If you have customers in other European countries, the directive may have been transposed into local legislation there earlier than in the Netherlands. Those customers may therefore require you to comply with NIS2 sooner.

Learn more about NIS2

Are you interested in more information on this topic? Then please contact Marc van Heese or Toine van den Hurk. We are ready to answer your questions and help you further.

Our expert team, with years of experience, is ready to support you and offer personalized advice tailored to your specific situation. We strive to respond to your inquiries as quickly as possible.

Marc van Heese RO RE CIA

Partner

06-52073162

Toine van den Hurk

Senior Manager of IT Audit & Risk

06-41773152