Guidance on EU NIS2 Directive

Directive (EU) 2016/1148, known as the NIS Directive, and its evolution, Directive (EU) 2022/2555 (NIS2), play a crucial role in safeguarding cybersecurity in the European Union. These directives establish a common framework for the security of networks and information systems, addressing the growing threat of cyberattacks.

Breakdown of the NIS and NIS2 Directives

The original NIS Directive focused on developing cybersecurity capabilities and ensuring the continuity of essential services in key sectors. NIS2, in effect since January 16, 2023, expands this framework by further harmonizing security requirements and extending notification obligations to various economic sectors.

Who Does the NIS2 Directive Affect?

NIS2 imposes obligations on companies in strategic sectors, ranging from banking and telecommunications to manufacturing and digital services. The affected entities are not small and medium-sized enterprises (SMEs); they must meet specific size criteria, such as having more than 250 employees and/or more than 50 million euros in revenue. These directives respond to growing technological dependence and the increase in cyber threats. They aim to protect the digital economy and society by ensuring the integrity and resilience of critical infrastructures. NIS2 reinforces this approach by promoting greater harmonization and covering more sectors.

Find out if your company is subject to the NIS 2 Directive

The scope of the NIS 2 directive encompasses all organizations, including companies and suppliers, that play a crucial role in sustaining the European economy and society by delivering essential or important services. If your organization falls under any of the following categories and meets the criteria of having more than 50 employees and a turnover exceeding €10 million, compliance with the NIS 2 directive becomes mandatory.

Public and private entities in seven specific sectors

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing of medical devices
  • Computers and electronics
  • Machinery equipment
  • Motor vehicles
  • Energy
  • Transport
  • Banking
  • Financial market infrastructures
  • Healthcare
  • Drinking water supply and distribution
  • Digital infrastructures
  • Online marketplaces
  • Online search engines
  • Cloud computing services

Measures for Companies

Companies affected by NIS2 must implement cybersecurity measures, such as disaster recovery plans, penetration testing, and cyber hygiene policies. Adapting to new approaches, such as vulnerability management, is essential to comply with the directive.

Key Regulations for Companies

NIS2 modifies the existing framework, requiring companies in critical sectors to adopt national cybersecurity strategies and appoint competent authorities, crisis managers, and incident response teams.

The Crucial Role of ENISA

ENISA plays a key role in implementing NIS2, developing vulnerability registries and supporting peer reviews among member states.

Transposition of NIS2

Member states have 21 months to transpose NIS2 into their national legislations, emphasizing the urgency of implementing cybersecurity measures.

The NIS and NIS2 Directives represent significant steps toward stronger and more harmonized cybersecurity in the EU. Their impact on various sectors underscores the importance of taking proactive measures to protect critical infrastructure and ensure digital security at the national and European levels.