Skip to content
arrow-alt-circle-up icon

Cyber Incident Call

arrow-alt-circle-up icon

00800 1744 0000

arrow-alt-circle-up icon

Our Experts answer your questions

Network and Information Security (NIS) Directive

By Sjoerd Pellegrom and Evi Hagenaars

In November 2022, the European Parliament amended the current Network and Information Security (NIS) Directive. The reasons for this were the increase in cyber security threats and the rapid digitalisation within the EU.   

The decision said that the previous measures were considered outdated. Thus, the directive on protection against cyber attacks was extended for enterprises and public authorities. The so-called NIS2 Directive aims to continue to adequately protect the EU's assets and internal markets.  

European member states must translate the directive into their own national legislation. The member states have until 17 October, 2024 to transpose the directive into national legislation. 

However, this has implications for a large majority of organisations in the EU.  

But which ones exactly?

Our Security and Privacy experts Sjoerd Pellegrom and Evi Hagenaars have worked out answers to the most frequently asked questions about the NIS2. 


What is NIS2?

NIS2 is an update of the Network and Information Security (NIS) Directive. The NIS was the first EU-wide cyber security legislation that aimed to achieve a high common level of cyber security across all member states. The NIS2 Directive is an updated version that aims to help raise the level of cyber security in Europe in the longer term.  

This is achieved by improving NIS2 in four ways. First, the security requirements are further tightened. Secondly, NIS2 addresses the security of supply chains. Thirdly, the reporting requirements are to be streamlined. And finally, NIS2 introduces stricter oversight measures and stricter enforcement requirements, including harmonised sanctions across the EU. 

When is NIS2 applicable for your organisation?

The Member States of the European Union must translate the directive into their own national legislation. The Member States have until October 17th, 2024 to transpose the directive into national legislation.

However, not every organisation is in scope of the NIS2 Directive. The scope includes companies and organisations that provide services that are deemed essential for social and economic activities. In addition, NIS2 is intended for medium or large organisations (more than 50 employees and/or more than €10 million annual turnover).  

Furthermore, NIS2 applies to organisations that are considered critical infrastructure or are the sole provider of a particular service to the EU government. NIS2 applies to organisations, regardless of their size or annual turnover, whenever an organisation provides public services or when an incident could have an impact on public safety.  

To illustrate this, we show the organisation types that fall within the scope of NIS2 in the following overview. 

Essential Entities

Screenshot 2023-10-12 at 16.29.49

Important Entities

Screenshot 2023-10-12 at 16.30.16

*Manufacturing detail:  Medical devices |  Computer, Electronic and Optical products |  Electrical equipment | Machinery | Motor vehicles and (semi-)trailers | Transport equipment)


What is the impact on your organisation?

The NIS2 ensures that organisations comply with strict requirements. This covers the following topics:

  • Security Management. Ensure an active role of the management body of an organization in cyber security risk management. By defining responsibility and accountability in approving cyber security risk management measures, supervision of its implementation and accountability of non-compliance. 
  • Risk Management. Take appropriate measures to manage risks to the security of networks and information systems, by performing risk assessments, implementing risk-mitigating measures, and having sufficient information security policies in place.  
  • Incident management. Ensure that you have measures in place to prevent and detect incidents and that you are also able to report and respond appropriately. NIS2 requires a process for reporting certain, but not all, security incidents to the relevant regulatory authorities, including an initial report within 24 hours of the incident’s discovery.
  • Business continuity and Crisis Management. Take the needed measures to ensure operational continuity in the case of (major) information security incidents and control on the effects of the incidents via adequate crisis management. 
  • Supply Chain Management. Take the needed measures to ensure adequate information security within your supply chain, direct suppliers or service providers considering the vulnerabilities, overall quality of products and cyber security practices.  
  • Secure Acquisition, Development, and maintenance. Keep the environment secure by implementing secure development policies, procedures, and security by design principles for the acquisition, development and maintenance of network components and information systems.  
  • Encryption. Define policies and procedures for the use of cryptography and encryption measures to protect the confidentiality of your data stored on an information system or transferred over the internet. 
  • Training of employees. Management, essential entities, and employees are required to follow training on a regular basis, to gain sufficient knowledge and skills to behave safe, to identify risks and assess impact for their services.  

Who is responsible?

The NIS2 has strict guidelines on the financial penalties that can be imposed on organisations that do not comply with the requirements of the legislation. The amount can be up to 10 million EUR or 2% of the annual turnover of the previous financial year.  

The NIS2 also ensures that management is responsible for ensuring the organisation complies with the legislation. Failure to do so can result in fines and a temporary ban from performing management duties, including the C-level of senior management.  

Given the above implications, it is important that every organisation understands the NIS2 Directive and whether the directive applies to their organisation and if they need to take (additional) measures to comply with it. This is where we at Northwave can help. Read the following section to find out what we could mean for you. 

Where do you start?

With a complicated and impactful change in regulations, it is always advised to involve a knowledgeable partner to guide you through the process of becoming compliant. To avoid a long and complex implementation process and even penalties, we have already set up action plans at Northwave that could support organisations to check the requirements, assess possible gaps and implement the appropriate measures 

5 Step Preparation Plan

Screenshot 2023-10-12 at 16.34.50

What can Northwave do for you?

Northwave takes a hands-on approach: we become an extension of your organisation. We can help you determine whether your company falls within the scope of NIS2. If so, we can support your organisation in assessing the extent to which the organisation is NIS2 compliant and identify areas of shortfall to give you the tools you need to become fully NIS2 compliant.  

Northwave offers a comprehensive NIS2 gap assessment service for organisations to determine your status and gap to the requirements of the directive. We understand the importance of ensuring the security and protection of your organisation's systems and data, and we want to help you prepare for NIS2 compliance.  

If you are unsure whether the NIS2 Directive applies to your business, you should contact us. Our team of experts will guide you through the process and provide insight and reasoning as to whether your business falls within the scope.   

Don't hesitate to call on our expertise and experience. Contact us today to find out more about our NIS2 gap assessment service and how we can help your organisation take the necessary steps to stay in control and gain peace of mind.