NIS2 Compliance Guide | Whitepaper | Barion 
NIS2 Compliance Guide

Everything you need to know about the new European cybersecurity legislation and how to comply.

NIS2 Compliance Legislation

NIS2 is the new European directive for cybersecurity that affects significantly more companies than its predecessor. Whether you run an energy company, are active in healthcare, or provide IT services to other businesses - there's a good chance NIS2 applies to your organization. In this whitepaper, we clearly explain what NIS2 entails, how to determine if it applies to you, and what steps you need to take to become compliant.

What is NIS2?

NIS2, in full the Network and Information Security Directive 2, is the new European directive for cybersecurity that replaces the original NIS directive from 2016. The first NIS directive was an important step in harmonizing cybersecurity requirements within the European Union, but proved to have shortcomings in practice: member states interpreted the rules differently, the scope was limited, and enforcement was inconsistent.

With NIS2, the EU addresses these problems. The directive is significantly stricter than its predecessor and has a much broader scope. Where the first NIS directive was aimed primarily at critical infrastructure such as energy and transport, NIS2 brings a large number of new sectors under the legislation. In addition, the requirements become more concrete, the reporting obligations stricter, and the penalties substantially higher. The goal is clear: to increase the cyber resilience of Europe as a whole by guaranteeing a minimum level of security at every organization that plays an important role in society or the economy.

Which companies fall under NIS2?

One of the biggest changes in NIS2 is the expansion of scope. The directive applies to many more sectors than the original NIS directive. Where previously mainly traditional critical infrastructure fell under the rules, sectors such as food production, waste management, chemicals, and digital services are now included. This means that thousands of companies in the Netherlands that until now were not subject to any specific cybersecurity legislation must now comply with strict requirements.

NIS2 distinguishes between two categories: essential entities and important entities. The difference lies mainly in the intensity of supervision and the level of possible penalties. Essential entities are organizations whose failure has direct and major societal consequences - think of electricity networks, hospitals, or the drinking water supply. Important entities are organizations that matter for the economy and society, but where the direct impact of failure is less acute. Both categories must meet the same security requirements, but essential entities are subject to proactive supervision, while important entities are mainly supervised reactively, after an incident or a complaint.

Essential sectors (Essential Entities)

Sector - Examples
Energy - Electricity, gas, oil, heat
Transport - Air, rail, water, road
Banking - Credit institutions
Healthcare - Hospitals, labs, pharmaceuticals
Drinking water - Water suppliers
Digital infrastructure - DNS, data centers, cloud
Government services - Central and regional government
Space - Satellite services

Important sectors (Important Entities)

Sector - Examples
Postal & courier services - Package deliverers
Waste management - Waste processors
Chemicals - Chemical production
Food - Food production and distribution
Manufacturing - Machines, devices, vehicles
Digital services - Marketplaces, search engines, social media
Research - Research institutions

The four main requirements

NIS2 prescribes ten categories of security measures that organizations must implement. These measures cover the full spectrum of cybersecurity, from technical controls to organizational processes. While all ten are important, four stand out as the core of NIS2 compliance, and these are where supervisors will focus most of their attention in practice.

It's important to understand that NIS2 does not prescribe specific technical solutions. The directive uses a risk-based approach: you must take appropriate measures proportionate to the risks your organization faces. What is appropriate for a hospital may be different from what is appropriate for a food producer. This provides flexibility but also places the responsibility on the organization to determine what is needed and to properly substantiate this.

1. Risk management - identify and manage risks
2. Incident reporting - report within 24 hours
3. Supply chain - secure suppliers
4. Continuity - keep functioning

Requirement 1: Risk management

You must systematically identify, analyze, and manage cybersecurity risks.

Requirement 2: Incident reporting

In case of a significant cybersecurity incident, you must act quickly and report.

1. Early warning - within 24 hours: first notification that there is an incident
2. Incident notification - within 72 hours: detailed report with initial analysis
3. Final report - within 1 month: complete report with cause and measures taken

Requirement 3: Supply chain security

You are not only responsible for your own security, but also for that of your suppliers.

Requirement 4: Business continuity

You must be able to continue functioning during and after a cybersecurity incident.

Timeline: when must you be compliant?

The European Union has given member states a clear deadline for implementing NIS2 in national legislation: October 2024. In practice, this means the directive is now in force, even though some member states are still finalizing their national legislation. The Netherlands is working on its national implementation. Although this law may take effect slightly later than the original European deadline, it is wise not to postpone preparations.

The reason to take action now is twofold. First, implementing the required measures takes time - months to sometimes more than a year, depending on your current maturity level in cybersecurity. Second, supervisors can start enforcing immediately once the law takes effect. Organizations that are not yet compliant then run the risk of fines and other sanctions. By starting now, you give yourself the space to approach the implementation carefully without working under time pressure.

1. December 2022 - NIS2 published: directive adopted by the EU
2. October 2024 - Implementation deadline: member states must have national law in place
3. 2025 - Enforcement starts: supervisors begin checking
4. Ongoing - Continuous compliance: annual audits and updates

Roadmap to compliance

Achieving NIS2 compliance is a project that must be approached in a structured manner. By following a clear roadmap, you prevent overlooking important matters and ensure your efforts are effective. The roadmap below is based on best practices and provides a practical framework to get from your current situation to full compliance.

The speed at which you can go through this process depends on your starting position. Organizations already working with recognized frameworks such as ISO 27001 or that already fall under sector-specific regulations will find that many things are already in order. For organizations that still have little formalized cybersecurity, the process is longer but certainly achievable. The most important thing is to start and make steady progress.

1. Determine if NIS2 applies - check sector and size
2. Conduct a gap analysis - where are you now vs. where do you need to be?
3. Create a project plan - prioritize and plan the actions
4. Implement measures - carry out technical and organizational improvements
5. Document everything - prove that you are compliant
6. Train employees - awareness and specific training
7. Test and practice - incident response and business continuity
8. Continuous improvement - annual review and updates

Documentation you need

Penalties and enforcement

One of the most notable differences between NIS2 and its predecessor is the tightening of the sanction regime. The European Union clearly wanted to make the point that cybersecurity must be taken seriously, and has underlined this with penalty amounts comparable to those of the GDPR. For many organizations, these potential penalties are an important motivation to take compliance seriously.

In addition to financial sanctions, NIS2 also introduces other enforcement instruments. Supervisors are given the power to conduct audits, request documentation, and give binding instructions that organizations must follow. In extreme cases, they can even temporarily suspend executives or prohibit the exercise of certain activities. This makes clear that NIS2 is not a paper tiger, but a directive with serious consequences for organizations that do not fulfill their responsibilities.

Maximum fines:

Essential entities - EUR 10M or 2% of global annual turnover, whichever is higher
Important entities - EUR 7M or 1.4% of global annual turnover, whichever is higher

Quick-start NIS2 checklist

Now that you understand what NIS2 entails and what requirements it sets, it's time for action. This checklist provides an overview of all important steps and documents needed for NIS2 compliance. Use this list as a guide for your implementation project and as a control tool to verify that you haven't overlooked anything.

It is wise to use this checklist in combination with the previously described roadmap. Work systematically through the items and document for each point what the current status is, what actions are needed, and who is responsible for implementation. This way, you create not only compliance but also the documentation that supervisors want to see in a potential audit.

Need help with NIS2 compliance?

Our specialists are happy to help you with an assessment and implementation plan.