From NIS to NIS2

Does your company fall within the scope of the NIS2 Directive?

Replacing the original NIS Directive with the NIS2 Directive aims to increase the level of cybersecurity in Europe in the longer term, which is a good thing. It does, however, bring certain challenges for organisations.

NIS2 extends the scope of the original NIS Directive to more sectors and more entities. The sectors now include telecoms, social media platforms, public administrations, and specific elements in the health sector.

The entities now included in the NIS2 scope also go beyond just essential services organisations and digital service providers to cover online platforms. This means that social media sites, cloud service platforms, and search engines will now have to comply with stringent cybersecurity requirements.

Given this extended scope, companies will now need to assess whether they fall under the NIS2 Directive and identify which of their business units are impacted.

Enhancing Cybersecurity

Where would a company start?

Our certified NIS2 security consultants will help you come up with a framework to break your security compliance down into small, digestible steps that your company can achieve in time for when the NIS2 Directive gets transposed into national law in October 2024.

We can help you understand and prioritise your information security compliance journey by building upon your existing data protection and other regulatory compliance frameworks.

Not only will we ensure that your IT systems are compliant with all relevant legislation, but we will also work to help you follow ethical guidelines, mitigate risks, maintain transparency, and build trust with your stakeholders, while enjoying all the benefits that secure information systems can offer you, your employees and your company.

NIS2 Compliance

What happens if a company falls within scope?

Any company that falls within the scope of NIS2 now needs to evaluate its existing security measures and reinforce them if necessary, review and amend its security policies accordingly, and put a plan in place for NIS2 compliance going forward.

Companies are obliged not only to ensure that their own security compliance is in order, but also to ensure the security compliance of their suppliers and partners and to put in place a robust reporting mechanism for security breaches.

Frequently Asked Questions

about the new EU directive NIS2

What is the NIS2 Directive?

The NIS2 Directive is a legislative text on cybersecurity in the European Union (EU). It expands the scope of the original NIS Directive to include more sectors and entities. The directive strengthens security requirements and introduces monitoring measures. It also streamlines reporting obligations and introduces more stringent enforcement requirements. The directive came into force on January 16, 2023, with Member States having until October 17, 2024, to transpose it into their national law.

Who does the NIS2 Directive apply to?

The NIS2 Directive applies to a range of entities operating across various sectors in the EU. It covers both essential and important entities, including companies and suppliers. This new directive has extended the reach of the former directive to include more industries, while also setting guidelines for medium-sized and large companies. It applies to entities that provide services and/or carry out activities in any EU country, regardless of whether they are based in the EU or not. The affected sectors include but are not limited to energy, transport, banking, health, digital infrastructure, public administration, waste management, and food distribution.

What are the key requirements of the NIS2 Directive?

The NIS2 Directive introduces new requirements and obligations for organisations in four main areas: risk management, corporate accountability, reporting obligations, and business continuity. The risk management measures include issues like incident management and reporting, strengthening supply chain security, enhancing network security, improving access control measures, and implementing encryption protocols. Corporate accountability includes oversight of, approval of, and training in the organisation's cybersecurity measures and approaches. Reporting obligations require prompt reporting of security incidents with significant impact. Business continuity mandates that essential and important entities implement baseline security measures to address specific forms of likely cyber threats that might compromise the performance of the business.

What are the penalties for non-compliance with the NIS2 Directive?

Non-compliance with NIS2 could lead to significant penalties for companies. For essential entities, fines could be up to €10 million or 2% of their global annual turnover, whichever is higher. For important entities, fines could be up to €7 million or 1.4% of their global annual turnover, again, whichever is higher.

In addition to financial penalties, non-monetary remedies such as compliance orders, binding instructions, and security audit implementation orders could be imposed. Furthermore, senior management could be held personally liable for gross negligence in the event of a security incident.

Enhanced Benefits

  • Minimises exposure to fines and penalties, mitigating legal risks effectively.
  • Bolsters cybersecurity defences, thus significantly lowering the likelihood of expensive data breaches and ransomware incursions.
  • Fosters credibility and confidence among clients, collaborators, and stakeholders, nurturing enduring relationships.
  • Optimises resource allocation over time with a streamlined implementation strategy, resulting in sustained savings.
  • Addresses skill gaps by partnering with us, leveraging our comprehensive technical solutions and specialised consultancy services tailored to your industry. This collaborative approach ensures seamless NIS2 compliance tailored to your business needs.

“We are particularly impressed with the outstanding levels of direct support and assistance provided by the great team at PrivacyEngine.”

Fiachra Barrett

Information Compliance Officer, SEAI Ireland

Trusted by hundreds of businesses worldwide