The Network and Information Security 2 Directive (NIS2) is a significant piece of legislation aimed at improving cyber security and protecting critical infrastructure across the European Union (EU).
NIS2 seeks to further enhance the work started in the NIS Directive, expanding its scope to new sectors and enhancing security requirements, including more timely reporting obligations to cyber security incidents, supply chain security, and stricter risk management capabilities.
Compliance with the NIS2 Directive is crucial for businesses operating in the EU to safeguard their systems, mitigate cyber threats, and build a high standard level of cyber security across the EU.
Learn how to solve your NIS2 challenges.
Download our guide to understand the key steps to meet the requirements and manage NIS2 compliance.
Will my organisation be affected?
NIS2 applies to all member states and organisations providing services within the EU, and the Directive applies to both public and private entities.
To determine if your organisation will be affected by NIS2, consider three key factors: its sector, size, and whether it is categorised as essential or important.
What requirements does my organisation have to meet?
Under NIS2, your organisation must comply with a range of cyber security requirements to ensure the security and resilience of its operations. These requirements include:
- Accountability for top management for non-compliance
- Essential and important organisations are required to take security measures
- Organisations are required to notify incidents within a given time frame
To discover the specific security measures your organisation needs, download our NIS2 Guide.
Timeline: When will the NIS2 Directive come into force?
The European Union adopted the NIS2 Directive on November 28, 2022. EU Member States have until October 17, 2024, to transpose the Directive into their national legislation, making this the effective date for NIS2 to come into force across the EU.
However, timelines may vary due to the alignment of national laws with the Directive and how the Directive will be enforced in each Member State.
What are the consequences of violating NIS2?
NIS2 provides national authorities with a range of enforcement powers and specifies penalties for non-compliance, including:
• Non-monetary remedies
• Impose administrative fines
• Criminal sanctions
These penalties can be imposed on essential or important entities for infractions such as failure to meet security requirements and failure to report incidents.
The exact fines will differ based on the Member State, which will levy financial penalties on organisations that do not comply within the specified timeframe.
- Essential Entity—A maximum of at least 10,000,000 EUR or up to 2% of the total worldwide annual turnover of the undertaking to which the ESSENTIAL ENTITY belongs in the preceding financial year, whichever is higher.
- Important Entity—A maximum of at least 7,000,000 EUR or 1.4% of the total worldwide annual turnover of the undertaking to which the IMPORTANT ENTITY belongs in the preceding financial year, whichever is higher.
Getting prepared for NIS2 compliance
You might be aware of the changes required to comply with NIS2, but concerned about the time, expertise, and resources needed. Alternatively, you may be starting from scratch.
NCC Group can help you understand, prepare, and meet your compliance deadline on time.
• Identify your requirements
• Understand how the regulation will affect you and what penalties are involved
• Adopt a proactive approach to NIS2 compliance
Whatever your situation, NCC Group is here to help. We've assisted organisations worldwide, spanning various industries, in meeting their compliance requirements and regulatory deadlines.
Please get in touch to discuss your specific compliance requirements and explore how you can benefit from our service
Find expert support for all of your NIS2 compliance challenges.
Further reading
Spotlight on NIS & NIS2: Regulating the cyber security of critical infrastructure across the EU & the UK
Mick Flitcroft, Global Lead for Government Compliance Services at NCC Group, explores the similarities and differences between UK and EU regulatory stances and also what they may mean in practice, drawing on his experience supporting organisations across the economy comply with the NIS framework.