What is NIS2?
NIS2 is a European directive and stands for Network and Information Security 2. It is the successor to the original NIS Directive of 2016. It does not supplement the old NIS but replaces it completely. NIS2 aims at improved digital and economic resilience across the EU.
Who does NIS2 apply to?
A key difference between NIS and NIS2 is that NIS2 applies to significantly more sectors. It also distinguishes between essential entities and important entities, which is reflected in the table of relevant sectors below.
Organizations operating in any of these sectors are covered if they are medium-sized or larger. Medium-sized follows the EU SME definition: at least 50 employees or more than EUR 10 million in annual turnover and balance sheet total, up to the ceiling of 250 employees, EUR 50 million turnover or EUR 43 million balance sheet total; anything above that ceiling is a large enterprise. A limited number of entity types, such as certain digital infrastructure providers and public administration bodies, fall under the directive regardless of their size.
| Essential | Important |
|---|---|
| Energy | Digital providers |
| Transport | Postal and courier services |
| Banking | Waste management |
| Financial market infrastructure | Food |
| Healthcare | Chemicals |
| Drinking water | Research |
| Digital infrastructure | Manufacturing |
| ICT service management (business-to-business) | |
| Wastewater | |
| Public administration | |
| Space | |
The contents of NIS2
The directive's requirements regarding the measures to be taken to mitigate cyber risks are the same for essential and important entities; the difference lies in oversight and in the sanction regime. Essential entities are subject to proactive supervision, important entities to supervision after the fact. Sanctions range from binding instructions and substantial fines to personal liability for management and a temporary ban on exercising managerial functions. NIS2 is a directive to take seriously.
Measures to be taken include policies on risk analysis and information system security, incident handling, backup management and business continuity, and supply chain security. The directive's list also covers vulnerability handling and disclosure, cyber hygiene and training, cryptography, access control and asset management, and the use of multi-factor authentication.
In addition, the directive explicitly requires organizations to take into account the vulnerabilities specific to each direct supplier and service provider, and the quality of their products and cybersecurity practices, when determining measures; in practice that reaches suppliers' suppliers as well. As a result, NIS2 will affect not only the organizations directly covered by the directive but also the parties that supply them.
Furthermore, the management body is given a greater role and responsibility. It must approve the cybersecurity risk-management measures and oversee their implementation, and it can be held liable for infringements. Board members are also required to follow training.
In addition to taking measures, organizations are required to report significant incidents to the competent authority or CSIRT. The directive works with a staged timeline: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
NIS2 implementation
NIS2 applies to significantly more organizations than a first impression might suggest, in part because entities must also monitor the level of IT security control at their suppliers. Clearly, NIS2 will not be just an internal exercise. The measures in the directive are also not spelled out in the prescriptive, normative detail used by DORA (the Digital Operational Resilience Act), so each organization has to decide for itself what "appropriate" means. A thorough risk analysis, a sound standards framework and the selection of appropriate measures is no trivial matter.
Our recent blog provides more detailed information about NIS2, or download our free whitepaper for further comprehensive insights.
The support provided by ARC People
Our clients ask us for senior professionals with the right expertise at a fair rate. To arrange this, contact the person named at the bottom of this page, or submit a request to our ARC Interim Desk, which can propose an available expert within a few days.
N.B. NIS2 is a European directive that member states transpose into national law; the transposition deadline was 17 October 2024, but member states have implemented it at different speeds. If you have customers in other European countries, the directive may have become law there earlier than in the Netherlands, and those customers may therefore require you to comply with NIS2 sooner.
Want to learn more about NIS2?
Are you interested in learning more about this topic? Then contact one of our experts. We are ready to answer your questions and help you further.
Our knowledgeable team, with years of experience, will provide you with personalized advice appropriate to your specific situation. We strive to respond to your inquiries as quickly as possible.