
NIS2

The Network and Information Systems Directive (NIS1) has been in effect across Europe since May 2018. Although NIS1 certainly helped secure networks across the European Union (EU), its limitations—including only covering a small set of organizations, allowing member states to implement varying levels of security postures, and permitting organizations to underreport incidents due to insufficient requirements—weakened its overall ability to secure and protect members.

As a result, the new and improved NIS2 passed in October 2024 with the aim of raising the baseline of security standards from the foundation of NIS1. While the directive contains extensive details, this article will provide you with a brief overview of what you need to know.

NIS2 Expertise

Cybersecurity Risk Assessment

Conducting thorough risk assessments to identify vulnerabilities in network and information systems

Regular Cybersecurity Audits and Reviews

Conducting periodic audits and reviews to evaluate the effectiveness of cybersecurity measures

Cybersecurity Policy Development

Developing and enforcing policies for assessing the effectiveness of cybersecurity risk management

Business Continuity Planning

Developing and maintaining plans for business continuity, including backup management and disaster recovery processes

Data Protection and Privacy Compliance

Ensuring compliance with data protection and privacy regulations, in alignment with cybersecurity measures


Who must comply with NIS2?

NIS2 expands the scope of the directive beyond the EU to include any company that operates in or provides services to the EU within certain key business sectors. For example, a US-based cloud services provider with customers in the EU would need to comply with the directive.

This change in scope is one of the biggest evolutionary shifts from NIS1 to NIS2. Where NIS1 covered only 7 critical sectors, NIS2 covers 18 sectors in total, classified as Essential Entities and Important Entities, which means that more third-party suppliers will fall under its scope. Below is a breakdown of the different sectors that will now fall under NIS2.

Essential entities

250 employees or more than €50 million in revenue.

  • Energy
  • Health
  • Transport
  • Drinking Water
  • Financial Markets
  • Digital Infrastructure
  • Banking

Important entities

50 – 249 employees or more than €10 million in revenue.

  • Public Admin
  • Space
  • Waste Water
  • Digital Providers
  • Postal Services
  • Chemical Production
  • Manufacturing
  • Research
  • Waste Management
  • Food Production

Risk Management

As a result of the increase in scope, member states must ensure that essential and important entities implement appropriate measures to manage risks to the security of their network and information systems. These measures would include policies for risk analysis, incident handling, business continuity, and even specific details about implementing multi-factor authentication (MFA) on critical systems.

Responsibility for this now falls to senior management, who must approve these risk management measures; the directive states that these decision makers may be held liable for any infringements of Article 21.

Incident Reporting Timeframe

One of the major components of Risk Management is the update to the incident reporting standards organizations must follow. Previously, NIS1 required reporting significant incidents within a wide span of 72 hours. Article 23 of the new directive, however, breaks reporting into 3 phases.

The first phase of incident reporting mandates that organizations issue an initial alert within 24 hours of detecting a significant incident, ensuring that relevant authorities are promptly notified. 

The second phase involves submitting a comprehensive incident report within 72 hours, providing detailed information about the incident’s nature, impact, and any mitigation measures taken. 

The final phase requires that at the one-month mark, a final report be developed detailing the incident’s impact, the measures taken to mitigate it, and any lessons learned to prevent future occurrences.

Penalties

The penalties for non-compliance have become stricter as well. If an organization is found non-compliant with the directive, it could face hefty fines. An Essential Entity can be penalized up to €10 million or 2% of its total worldwide annual revenue, while an Important Entity could be penalized up to €7 million or 1.4% of its revenue: an additional incentive for organizations to stay in compliance with the directive.

Implementation

- Development and Maintenance of Cybersecurity Frameworks: Creating and updating frameworks for managing cybersecurity crises and incidents.
- Training and Awareness Programs: Conducting regular cybersecurity training and awareness programs for staff at all levels.
- Implementation of Security Measures: Ensuring the adoption and implementation of appropriate security measures, including elements like multi-factor authentication, to prevent or minimize the impact of cyber incidents.
- Cross-border and Cross-sectoral Cooperation: Facilitating cooperation within and across sectors and borders, especially in information sharing and response coordination.

Management And Reporting

- Vulnerability Management and Reporting: Detecting, reporting and managing vulnerabilities, including maintaining an anonymous reporting process.
- Incident Response and Reporting: Establishing and executing incident response plans, including timely reporting of significant incidents to designated authorities.
- Monitoring and Analysis of Cyber Threats: Continuously monitoring and analyzing cyber threats and incidents, and disseminating information about these threats.
- Supply Chain Security Management: Securing the supply chain, including evaluating the cybersecurity practices of suppliers and service providers.

Supervision

NIS2 empowers supervisory authorities in EU member states with enforcement capabilities to regulate cybersecurity and information security across both private and government entities. The following supervisory measures are introduced for essential and important entities:

Essential: ex-ante and ex-post supervision, onsite inspections and offsite supervision, regular and targeted security audits, security scans and information requests, and ad hoc audits.

Important: ex-post supervision, onsite inspections and offsite ex-post supervision, targeted security audits, security scans and information requests.

How Zaviant Can Help

Zaviant serves as a trusted NIS2 compliance partner for some of the world’s largest companies. We can help your organization with:

  • Cybersecurity Risk Assessment
  • Regular Cybersecurity Audits and Reviews
  • Cybersecurity Policy Development
  • Business Continuity Planning
  • Data Protection and Privacy Compliance

Related Services

CCPA/CPRA

We tailor strategies to your unique risks and compliance needs, ensuring robust protection against cyber threats.

ISO 27001/2

As organizations continue to navigate the complexities of an increasingly interconnected digital world,.

NIST CSF

In 2013, the National Institute of Standards and Technology (NIST) added a Cybersecurity Framework, known as NIST CSF.

Trusted by Leaders of Industry

Our team of expert consultants works closely with Fortune 500 companies, mid-market businesses, and not-for-profit organizations spanning industries including retail, manufacturing, finance, technology, and more.

Get In Touch

We look forward to hearing from you