NIS2 is an EU directive focused on achieving a high common level of cybersecurity across EU Member States. For organizations in scope of this Directive, new cybersecurity requirements will be imposed.

NIS2 is a successor of the NIS Directive, and covers more industries and more obligations including cybersecurity risk-management measures and new incident notification requirements.

Cybersecurity risk-management measures have to be approved by the board, and board members can be, in certain cases, held personally liable.

The following sectors fall in scope of the NIS2 Directive:

• Category 1: energy; transport; banking; financial market infrastructures; health; drinking water; wastewater; digital infrastructure; ICT service management; public administration; space
• Category 2: postal and courier services; waste management; manufacture, production and distribution of chemicals; food production, processing and distribution; manufacturing; digital providers; research

The Directive applies to the organizations that fall within these sectors and have a minimum of 50 employees and/or at least an annual turnover (and/or an annual balance sheet total) of EUR 10 million. Additionally there are some specific cases in which the size of the organization is irrelevant.

Organizations mentioned in category 1 with a minimum of 250 employees and/or an annual turnover of EUR 50 million and/or an annual balance sheet total of EUR 43 million, face stricter supervision and enforcement.

Even certain small enterprises and micro-enterprises, with a key role for society, the economy or for particular sectors or types of service may fall within the scope of this NIS2 directive.

It is important to identify at an early stage which obligations are relevant for your organization.

In most Member States the Directive has yet to be translated into national legislation. That leaves some uncertainty about the exact scope and details of the obligations. It is recommended to start early to acquaint yourself with what will soon be reality.

Not only to be compliant with the new Directive and law, but to have a secure network and infrastructure that keeps your business, your suppliers’ and your customers’ data safe.

We take care of the cyber security risk-management measures listed in NIS2. This includes e.g. incident handling, business continuity and crisis management, basic cyber hygiene practices, and policies and procedures regarding the use of encryption.

Where relevant we look into possible vulnerabilities related to suppliers and service providers, the quality of their products and cybersecurity practices, such as secure development procedures.

We help setting up information systems to inform the national Computer Security Information Response Team (CSIRT) and/or competent authority (early warning within 24 hours and an incident notification within 72 hours) and the organization’s customers.

While preparing for NIS2, other EU directives, regulations and acts will be taken into consideration as well. For instance the Directive on the Resilience of Critical Entities (CER), Cyber Resilience Act (CRA), AI Act, and Digital Operational Resilience Act (DORA) and GDPR.