Get 4 FREE months of Conformio to implement ISO 27001
Save with the yearly plan
  1. Home
  2. Resources
  3. What is NIS 2 Directive? A detailed and straightforward guide

What is NIS 2 Directive? A detailed and straightforward guide

Article by Advisera Dejan KosuticDejan Kosutic 15 min read
TABLE OF CONTENTS
NIS2 basics

NIS2 Directive summary What is the old NIS directive, and how is NIS 2 different? What does “NIS” stand for? Why is NIS 2 important? Where can I find the full text of NIS 2? When does NIS2 come into effect?

NIS2 requirements

Who does NIS2 apply to? What are essential and important entities, and what is the difference? What is the structure of NIS 2? What are the main cybersecurity requirements of NIS 2? What are the reporting obligations of essential and important entities? How to implement cybersecurity according to NIS 2

Fines; role of the government

What are NIS 2 fines and liability? NIS 2 certification Which government bodies are defined in NIS 2? Which laws did EU countries publish based on NIS 2? (Transposition of NIS 2)

Relationship with other frameworks

How is NIS2 related to ISO 27001? What is the difference between NIS 2 and the EU GDPR? What is the difference between NIS 2 and DORA? What is the difference between NIS 2 and the Critical Entities Resilience Directive (CER)

Updated on March 6, 2024 (transposition in Member States)

NIS2 basics

NIS2 Directive summary

The “NIS 2 Directive,” or simply “NIS2,” is a European Union directive that specifies cybersecurity requirements that need to be implemented by EU companies that are considered to be critical infrastructure.

Its full name is “Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union,” and it was published on December 14, 2022.

Since NIS 2 is a directive, this means that each EU country will define its own cybersecurity laws based on NIS 2, whereas NIS 2 specifies the minimum level of cybersecurity to be achieved. In practice, this means that companies in some countries will have to comply with the minimum specified in NIS 2, and in other countries they will have to comply with more strict cybersecurity requirements specified in local laws.

NIS 2 has the mark “2” because it replaces the old NIS directive.

The NIS2 Directive could become for cybersecurity what the EU GDPR has become for privacy — a worldwide standard that other countries use as a best practice for their own legislation.

What is the old NIS directive, and how is NIS 2 different?

The old NIS directive (Directive 2016/1148) also specified cybersecurity for critical infrastructure, but it did not manage to introduce the same level of cybersecurity across all Member States, resulting in a fragmented approach.

The new NIS2 introduces a wider array of industries (sectors) that must be compliant, better cooperation between the Member States, new timelines for reporting incidents, more focus on supply chains, the responsibility on the top management of entities, stricter penalties, etc.

NIS 2 replaces the old NIS on October 18, 2024.

What is NIS 2 Directive? A detailed and straightforward guide - Advisera

What does “NIS” stand for?

The full title of the old NIS directive was: “Directive (EU) 2016/1148 concerning measures for a high common level of security of network and information systems across the Union.”

Therefore, “NIS” is an abbreviation of “Network and Information Systems.”

Why is NIS 2 important?

NIS 2 is important because it sets very strict cybersecurity requirements for a large number of companies in the European Union – by some estimates, more than 100,000 companies in the European Union will have to become NIS 2 compliant.

Even though NIS 2 does not apply to as many companies as, e.g., the EU GDPR, it will certainly become a de facto standard for critical infrastructure that other (non-EU) countries will emulate – a very similar scenario has happened already in non-EU countries with privacy regulations that are very similar to the EU GDPR.

Where can I find the full text of NIS 2?

You can find the official text here: https://eur-lex.europa.eu/eli/dir/2022/2555.

You can also find the full text here, arranged by chapters and articles, and with the ability to search by keyword: Full Text of NIS 2 Directive.

When does NIS2 come into effect?

NIS 2 will take effect on October 18, 2024 – this is also the deadline for EU countries to define their own laws and regulations based on NIS 2.

NIS2 requirements

Who does NIS2 apply to?

There are 3 criteria that define which organizations (NIS 2 calls them “essential entities” and “important entities”) must comply with NIS 2:

  • 1) Location – if they provide services or carry out activities in any country of the European Union (no matter if they are based in the EU or not); and
  • 2) Size – if they have more than 50 employees and have more than 10 million euro in revenue; and
  • 3) Industry – if they operate in any of these sectors:
    • Energy
    • Transport
    • Banking
    • Financial market infrastructures
    • Health
    • Drinking water
    • Waste water
    • Digital infrastructure
    • ICT service management (business-to-business)
    • Public administration
    • Space
    • Postal and courier services
    • Waste management
    • Manufacture, production, and distribution of chemicals
    • Production, processing, and distribution of food
    • Manufacturing
    • Digital providers
    • Research

This article will provide you with a detailed breakdown on companies that must be compliant in each sector: Which companies must comply with NIS 2? Essential vs. important entities.

Who does NIS 2 apply to?

What are essential and important entities, and what is the difference?

“Essential entities” and “important entities” are what NIS 2 calls companies and other organizations that need to comply with NIS 2.

Essential entities are as follows:

  • Companies that have more than 250 employees or 50 million euro of revenue and that are in one of the following sectors: energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management (business-to-business), public administration, or space
  • Trust service providers
  • DNS service providers
  • Public electronic communication networks
  • Public administration entities
  • Any critical entity according to Critical Entities Resilience (CER) Directive (EU) 2022/2557
  • Other entities specified by Member States

Important entities are all other organizations that are not essential entities, but that fall under the 3 criteria mentioned in the previous section.

What is the structure of NIS 2?

NIS 2 starts with a preamble where, in 144 points, it explains the background and provides some guidelines for the main part of the Directive. The main part of NIS 2 has 46 articles that are structured in the following chapters:

You can read all the NIS 2 articles here: Full Text of NIS 2 Directive.

What are the main cybersecurity requirements of NIS 2?

Surprisingly, only Chapter IV, called “Cybersecurity risk-management measures and reporting obligations,” defines what essential and important entities must do to comply with NIS 2. All the other chapters are not relevant for these companies, because they specify the obligations of the EU countries (Member States), and what government agencies must do to enforce NIS 2.

Chapter IV has the following articles:

For a detailed description of Chapter IV requirements, read this article: The 8 most important cybersecurity and reporting requirements in NIS2.

What are the reporting obligations of essential and important entities?

Essential and important entities must send notifications about significant incidents to:

  • A computer security incident response team (CSIRT) or competent authority
  • Recipients of their services

Entities need to submit several types of reports to the CSIRT: an early warning, an incident notification, an intermediate report, a final report, and a progress report.

Learn more here: What are reporting obligations according to NIS 2?

How to implement cybersecurity according to NIS 2

To comply with NIS 2, the best practice for essential and important entities is to follow these implementation steps:

  1. Obtain senior management support.
  2. Set up project management.
  3. Perform initial training.
  4. Write a top-level Policy on information system security.
  5. Define the Risk Management Methodology.
  6. Perform risk assessment and treatment.
  7. Write and approve the Risk Treatment Plan.
  8. Implement cybersecurity measures.
  9. Set up supply chain security.
  10. Set up the assessment of cybersecurity effectiveness.
  11. Set up incident notifications.
  12. Set up continual cybersecurity training.
  13. Conduct periodic internal audits.
  14. Conduct periodic management review.
  15. Execute corrective actions.

This article will explain the steps in more detail: 15 implementation steps for NIS 2 cybersecurity risk management measures, while this article will describe how to write all the documents: List of required documents according to NIS 2.

Fines; role of the government

What are NIS 2 fines and liability?

For companies that are not NIS 2 compliant, the fines are as follows:

  • For essential entities – up to 10 million euros or 2% of the total annual turnover.
  • For important entities – up to 7 million euros or 1.4% of the total annual turnover.

It is important to note that Article 20 requires the top management of essential and important entities to approve the cybersecurity risk management measures and oversee their implementation, and it specifies that top management can be held liable if cybersecurity is not compliant with Article 21.

NIS 2 certification

NIS 2 does not require essential and important entities to get certified.

However, Member States (or the EU commission) may require those entities to use particular IT products or services that are certified in accordance with the European cybersecurity certification scheme according to the Cybersecurity Act (EU Regulation 2019/881).

Which government bodies are defined in NIS 2?

  • “Member States” are countries that are members of the European Union – they must publish their own cybersecurity laws and regulations based on NIS 2.
  • “Competent authorities” are designated by Member States to supervise the essential and important entities that must be compliant with NIS 2 and local cybersecurity laws.
  • “Single points of contact” are established by Member States to enable cross-border cooperation between authorities.
  • “Cyber crisis management authorities” are competent authorities, designated by Member States, which are responsible for the management of large-scale cybersecurity incidents and crises.
  • “Computer security incident response teams” (CSIRTs) are designated by Member States in order to handle incidents in accordance with defined processes.
  • The “European cyber crisis liaison organisation network” (EU-CyCLONe) supports the coordinated management of large-scale cybersecurity incidents and crises.
  • The “Cooperation Group” facilitates strategic cooperation and the exchange of information among Member States.
  • The “European Union Agency for Cybersecurity” (ENISA) establishes a vulnerability database, creates a biennial report on the state of cybersecurity in the Union, maintains a registry of entities with special status, draws up guidelines regarding the technical areas and existing standards, etc.

Which laws did EU countries publish based on NIS 2? (Transposition of NIS 2)

EU countries (Member States) must publish local laws and regulations related to the NIS 2 Directive by October 17, 2024 – this process of adopting local legislation based on an EU directive is called “transposition.”

As of the date of writing this article, only one Member State has transposed NIS 2 into their local legislation:

Relationship with other frameworks

How is NIS2 related to ISO 27001?

NIS 2 does not require the implementation of ISO 27001; however, it does mention the ISO/IEC 27000 series in the preamble as a way to implement cybersecurity risk management measures, and the main part of NIS 2 encourages the use of international standards.

When comparing NIS 2 with ISO 27001 more closely, it becomes clear that ISO 27001 provides an excellent framework for complying with the cybersecurity risk management measures required by NIS 2.

ISO 27001 provides a clear guide on how to define the risk management process, how to combine technical implementation with training and other HR issues, how to involve the top management, etc.

What is the difference between NIS 2 and the EU GDPR?

The full title of the EU GDPR is “Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).”

Even though both NIS 2 and the GDPR both focus on protection of data, they are quite different:

NIS 2 EU GDPR
Type Directive (companies comply with local legislation that is published) Regulation (directly applicable to companies)
Applies to Organizations that are considered essential and important entities Any organization that processes personal data
Protection Cybersecurity measures are applied to all data within the company Cybersecurity measures apply to personal data only; there is also a legal aspect of protection of personal data
Effective from October 18, 2024 May 25, 2018

What is the difference between NIS 2 and DORA?

The full title of DORA is “Regulation (EU) 2022/2554 on digital operational resilience for the financial sector.”

Although NIS 2 and DORA were both published on the same day (December 27, 2022), there are big differences between them:

NIS 2 DORA
Type Directive (companies comply with local legislation that is published) Regulation (directly applicable to financial institutions)
Applies to Organizations that are considered essential and important entities Financial institutions
Protection Emphasis on cybersecurity measures Besides cybersecurity measures, the emphasis is also on overall resilience of financial institutions
Effective from October 18, 2024 January 17, 2025

What is the difference between NIS 2 and the Critical Entities Resilience Directive (CER)

The full title of CER is “Directive (EU) 2022/2557 on the resilience of critical entities.”

Although NIS 2 and CER (as well as DORA) were published on the same day (December 27, 2022), they have a different focus:

NIS 2 CER
Type Directive (companies comply with local legislation that is published) Directive (companies comply with local legislation that is published)
Applies to Organizations that are considered essential and important entities Organizations that are considered critical according to Member State decision
Protection Emphasis on cybersecurity measures Emphasis on resilience and business continuity
Effective from October 18, 2024 October 18, 2024; however, critical entities need to become compliant within 10 months from the day they are designated as critical

For more information about NIS2, download this free white paper: Comprehensive guide to the NIS 2 Directive.

 
Tags Articles NIS 2 Basics
Advisera Dejan Kosutic

Dejan Kosutic

Leading expert on cybersecurity & information security and the author of several books, articles, webinars, and courses. As a premier expert, Dejan founded Advisera to help small and medium businesses obtain the resources they need to become compliant with EU regulations and ISO standards. He believes that making complex frameworks easy to understand and simple to use creates a competitive advantage for Advisera's clients, and that AI technology is crucial for achieving this.

As an ISO 27001 and NIS 2 expert, Dejan helps companies find the best path to compliance by eliminating overhead and adapting the implementation to their size and industry specifics.
Read more articles by Dejan Kosutic