Header image overlay

NIS2: What does the new European directive mean?

The digital world is constantly evolving and that brings risks. The European Union's recent "Network and Information Security 2", or NIS2 directive for short, in force today emphasises the need for cybersecurity within organisations and governments and raises the bar with new, mandatory rules.

More Rules, Wider Reach

NIS2 (PDF) is an extension of the previous NIS directive created by the European institutions since 2016. It focuses on creating a broad awareness of cybersecurity in order for governments and companies to better defend themselves against increasingly complex cyber threats today and tomorrow.

NIS2 logo The new directive also brings subcontractors and service providers (who have access to your critical infrastructure) under the regulatory umbrella. From now on, they too have to comply with stricter cybersecurity obligations if they want to work with your organisation. In fact, this group was overlooked in the first version of the directive.

Key Differences between NIS1 and NIS2

The NIS1 directive already set strict requirements for 'essential businesses' such as water, energy and telecoms companies. NIS2 goes a step further and applies to more organisations, including many medium and large enterprises.

A key feature of NIS2 is its more concrete approach, thanks to a list of minimum basic safeguards that companies should implement:

  1. Risk analysis and information security policy
  2. Incident handling (prevention, detection and response to incidents)
  3. Business continuity and crisis management
  4. Supply chain security
  5. Security in network and information systems
  6. Policies and procedures for cybersecurity risk management measures
  7. The use of cryptography/encryption

It also enables national authorities to monitor and enforce them more strictly. Fines can be substantial. For essential entities, they can amount to 2% of global turnover, up to €10 million!

How do you prepare for NIS2 and potential sanctions?

NIS2 requires organisations to take adequate measures in areas such as cyber risk management, penetration testing, incident response and recovery. So, your organisation needs to identify all risks and arm itself even better against threats. You will also need to make your team aware of the legal obligations to avoid fines.

Cryptolocker No Backup | VanRoey.be

Through checkpoints or audits by regulators, there will be strict checks on whether the level of your security is compliant with regulations. Failure to properly implement certain security measures will therefore have major consequences; not only do you run extra risk of hacks, but -as with GDPR breaches- financial penalties will be based on your organisation's global turnover.

It is important to understand how these new regulations may affect your organisation and take the necessary steps to comply with the NIS2 guideline comply. Cyber security is no longer a choice, it is a must. Would you like support in this? Count on our certified experts to assist you and/or provide a thorough Security audit execute:

vat no.*

"Not properly implementing certain security measures will therefore have major consequences; not only will you be at additional risk of hacks, but financial penalties will also be based on your organisation's global turnover."

share this post:

Well secured?
Our specialists take a close look at your organisation's security with a particularly thorough scan.

Written by:

Matthias Sanne
Marketing & design @ VanRoey

Has been working as a marketer, designer, webmaster, copywriter, PowerPoint guru and numerous other things for 15 years. He gets his energy from simplifying complex matters. He tries to do the same in his Techblog PowrUsr.com where he brings handy solutions to challenging problems.

Related info