How do you prepare for NIS2?

28 April 2024

NIS2 aims to strengthen the cybersecurity of critical organisations in Europe. Be compliant by January 2025 to avoid fines of up to €10 million or 2% of your worldwide turnover. Find out in this article what NIS2 is, who is affected and how to prepare by capitalising on what you already have in place.

NIS2, definition and status

What is NIS2?

NIS2 requires organisations to proactively assess risks and implement security measures, and also to react more effectively and in a coordinated fashion when a cybersecurity incident is confirmed.
The clearly stated aim is to reduce the risk of cyber attacks and to improve the resilience of the networks and information systems concerned.
NIS2 is a European directive (Directive (EU) 2022/2555), not a regulation: it must be transposed into national law by each Member State. Some countries will transpose it minimally, while others will add more comprehensive obligations, so the national text is what ultimately applies to you.
Compared with NIS1, version 2 extends the list of sectors covered (health, energy, transport, etc.), makes the management body accountable, with stricter penalties, and introduces fixed deadlines for incident reporting (an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours and a final report within one month). It also requires greater cooperation between Member States.

Who is affected by NIS2?

The NIS2 directive identifies 18 sectors (11 sectors of high criticality and 7 other critical sectors), including energy, transport, health, digital infrastructure, ICT service management and public administration.
Within those sectors, organisations that exceed the small-enterprise thresholds (50 or more employees, or an annual turnover or balance sheet total above €10 million) are in scope. There are exceptions in both directions: some entities are covered regardless of size (for example DNS service providers, TLD name registries and trust service providers), and Member States may add or exclude specific entities.
Organisations are classified into two categories, essential entities or important entities, depending on the criticality of the sector and the size of the organisation. Essential entities are subject to stricter supervision and higher fines. Please note that this is not an exhaustive list: consultations are under way and transposition at national level will provide a clearer picture.

From when? 

Member States must transpose the directive into national law by 17 October 2024, and the resulting measures apply from 18 October 2024. In practice, plan to be compliant from January 2025 at the latest, since national supervisory authorities are expected to begin enforcement from then.

What are the consequences of non-compliance? 

If organisations fail to comply with the directive, they face administrative fines that vary according to their classification. For essential entities: fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher. For important entities: fines of up to €7 million or 1.4% of worldwide annual turnover, whichever is higher. Organisations may also be subject to other sanctions, such as binding instructions, orders to make the infringement public, and, for essential entities, a temporary ban on the natural persons responsible for management (for example the CEO) from exercising managerial functions. Members of the management body can be held personally liable for failing to oversee the security measures.

How can we capitalise on what already exists to implement NIS2? 

The aim of NIS1, which has been taken up in NIS2, is to create cybersecurity capabilities throughout the European Union, to mitigate threats to the networks and information systems used to provide essential services in key sectors and to ensure the continuity of these services in the event of incidents, thereby contributing to the security of the Union and the smooth functioning of its economy and society.
At first sight, the scope may seem vast, but using standards that define good market practice makes it possible to establish a solid basis for meeting the challenges of the NIS2 directive. 

[Video produced by DIGORA by DEEP: how to capitalise on existing systems in order to implement NIS2.]

How can this be done? ISO 27001 (information security management systems) and ISO 22301 (business continuity management systems) are international standards that require an in-depth analysis of business needs and risks. They embed cybersecurity and continuity into the corporate culture, together with the principle of continuous improvement through the well-known 'Plan/Do/Check/Act' (PDCA) cycle.
These standards commit the management bodies and therefore provide a governance framework, which is precisely what NIS2 demands of the management board. Their control sets also map closely onto the minimum measures listed in Article 21 of NIS2 (risk analysis policies, incident handling, business continuity and crisis management, supply chain security, security in acquisition and development, assessment of the effectiveness of measures, cyber hygiene and training, cryptography, access control and asset management, and multi-factor authentication). Implementing these practices provides a solid foundation and reduces the NIS2 adoption effort. Note, however, that holding a certificate is not in itself proof of compliance: the scope of your ISMS must cover the services that bring you into NIS2, and the gaps against Article 21 and the reporting obligations still need to be identified and closed.

Expert support for implementing NIS2

Our expertise enables you to capitalise on your existing systems to meet the requirements of the NIS2 directive and to facilitate its adoption.
Our structured cyber-resilience approach will not only help you to check whether you are affected by the NIS2 directive, but also to identify your critical processes, analyse your cyber risks, review your security measures and your BCPs/DRPs and, finally, monitor and measure their effectiveness.
