On 17 October 2024 the European Union's NIS2 Directive takes effect: by that date every member state must have transposed it into national law. Unlike most cybersecurity frameworks, NIS2 is not optional, and the fines for non-compliance are steep.
The NIS2 Directive (Directive (EU) 2022/2555) is EU-wide cybersecurity legislation. Every member state is required to convert the directive into national law in order to raise the overall level of cybersecurity across the EU. NIS2 replaces the first NIS (Network and Information Security) Directive, adopted in 2016. It is much broader in scope and has been updated to keep pace with increased digitization and the evolving threat landscape.
Each member state is responsible for the conversion of this directive into national law. As the deadline of October 17, 2024 approaches, make sure to pay attention to any communication surrounding NIS2 from your government.
It is also worth marking the subsequent dates: by 17 April 2025, member states must have established their lists of essential and important entities, and by 17 October 2027, the Commission will carry out its first review of the directive. The full timeline is below.
By 17 July 2024 and every 18 months thereafter, EU-CyCLONe (the European Cyber Crises Liaison Organisation Network) shall submit to the European Parliament and to the Council a report assessing its work.
By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS2 Directive, and they apply those measures from 18 October 2024.
By 17 January 2025, the Cooperation Group will establish, with the assistance of the Commission and ENISA, and, where relevant, the CSIRTs network, the methodology and organisational aspects of peer reviews.
By 17 April 2025, Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and, where appropriate, update that list on a regular basis and at least every two years thereafter.
By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.
By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.
Watch our webinar as we dissect specific articles from the legislation, providing tangible insights on how to prepare and navigate the complex terrain of NIS2 compliance.
The scope of NIS2 is much wider than that of the first NIS directive. Make sure to check whether you are in scope, even if you weren't before. A company is in scope if it operates in one of the (sub)sectors and types of services listed below AND meets the size threshold.
Even if you don't fall within the scope, it is still advisable to follow the NIS2 security requirements. They are a good baseline for improving your cybersecurity and risk-management practices.
Under the NIS2 Directive, member states are responsible for ensuring that all companies within its scope comply. To do so, their competent authorities have several tools at their disposal, ranging from simple requests for information, data, or evidence that cybersecurity policies have been implemented, to regular or ad-hoc audits, to on-site inspections and off-site supervision, including random checks. Note the difference in supervisory regime: essential entities are subject to both proactive (ex ante) and reactive (ex post) supervision, whereas important entities are supervised ex post only, i.e. when the authority has evidence or indications of non-compliance.
If a company is found to be in infringement of the NIS2 Directive, member states will impose administrative fines. These fines must be effective, proportionate, and dissuasive, while taking into account the circumstances of each individual case. The maximum fine also depends on whether the company is classified as an essential or an important entity.
You can't protect what you don't know. Lansweeper's unrivaled discovery casts a wide net when it comes to asset data. Monitor the use of data encryption, antivirus installations, out-of-date software, unauthorized local admins, backup creation, and more. Whatever detail you need to keep your network clean, Lansweeper has it.
Combined with this deep-dive discovery of your IT estate, Lansweeper's risk insights let you perform risk analysis and improve information system security by surfacing misconfigurations. Had a security incident? Use Lansweeper to identify other machines that may be exposed to the same weakness.
The NIS2 Directive is a comprehensive EU-wide cybersecurity legislation designed to enhance overall cybersecurity within the European Union. It replaces the initial NIS Directive introduced in 2016, offering a broader scope to address the challenges posed by increased digitization and evolving threat landscapes.
Organizations under NIS2 must implement "appropriate and proportionate technical, operational, and organizational measures" to manage cybersecurity risks and to prevent or minimize the impact of incidents on their services and on the recipients of those services. The directive (Article 21) sets a minimum list of such measures, including risk analysis and information system security policies, incident handling, business continuity (backup management, disaster recovery, and crisis management), supply chain security, secure acquisition, development, and maintenance of systems including vulnerability handling and disclosure, procedures to assess the effectiveness of the measures, basic cyber hygiene and security training, policies on the use of cryptography and encryption, human resources security, access control, and asset management, and the use of multi-factor or continuous authentication.
Below is an overview of all sectors included in the NIS2 scope. The sectors in bold are newly added: they did not fall under the scope of the first NIS directive but are included under NIS2.
The NIS2 Directive applies to large and medium-sized entities in the sectors listed above. In practice, using the EU SME definition (Commission Recommendation 2003/361/EC), that means entities with at least 50 employees, or an annual turnover or annual balance sheet total above EUR 10 million.
Most small or micro enterprises are excluded from the scope of the NIS2 Directive.
Exceptions: Certain entities are in scope regardless of size because the directive itself says so, such as providers of public electronic communications networks or services, trust service providers, top-level domain name registries and DNS service providers, public administration entities, and entities that are the sole provider in a member state of a service essential to critical societal or economic activities. In addition, each member state may designate further small enterprises and micro-enterprises that fulfill "specific criteria that indicate a key role for society, the economy, or for particular sectors or types of service" as falling within the scope. Since the latter is up to the member states, keep an eye on your country's legislation for details.
If your organization is not established in the EU but offers services within the EU, NIS2 can still apply to you under the same rules listed above. Certain types of providers in that position (among them DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre, and content delivery network providers, managed service and managed security service providers, and providers of online marketplaces, online search engines, and social networking platforms) are required to designate a representative in the EU. The representative must be established in one of the member states where your services are offered, and your organization is then deemed to be under that member state's jurisdiction.
If you fail to designate a representative, any member state in which you offer your services can take legal action against your organization for infringement of the NIS2 Directive.
Essential Entities
For essential entities, member states must set the maximum administrative fine at no less than EUR 10,000,000 or 2% of the entity's total worldwide annual turnover in the preceding financial year, whichever is higher.
Important Entities
For important entities, member states must set the maximum administrative fine at no less than EUR 7,000,000 or 1.4% of the entity's total worldwide annual turnover in the preceding financial year, whichever is higher.