Information Security

What is NIS2?

By the end of 2024, the NIS2 directive is expected to be in force. It sets stricter information security requirements for organizations. But what exactly is NIS2? Who has to comply with it, and how? What are the consequences of not complying? This blog answers these questions.
This article was last updated on 14/5/2024

What is the NIS2?

NIS2 is an EU cybersecurity directive and the successor to the first NIS directive (adopted in 2016 and transposed into Dutch law in 2018). The new directive has a greater impact and covers more organizations. Although it is called a directive, it does not apply to organizations directly: it obliges the EU member states (including the Netherlands) to transpose its requirements into national law.

When is the NIS2 in effect?

The Council of the EU adopted NIS2 in November 2022, and member states must transpose it into national law by 17 October 2024. In the Netherlands, an internet consultation on the draft bill, in which anyone can provide feedback, was planned for the fall of 2023. NIS2 is expected to take effect in the fall of 2024.

Who must comply with the NIS2?

The NIS2 Directive applies to the following types of organizations within the EU.

Essential and important organizations:

  • Essential organizations: These include utilities such as energy and water companies, financial institutions, healthcare providers such as hospitals, government agencies, transportation services such as aviation and railways, and communications services such as telecom providers.
  • Important organizations: These are companies that provide critical services to essential organizations, companies that serve a large number of people, and companies that operate important infrastructure, such as water mains and electricity networks.

Size thresholds:

  • Large organizations:
    o At least 250 employees, OR
    o An annual turnover of more than 50 million euros and a balance sheet total of more than 43 million euros.
  • Medium-sized organizations:
    o At least 50 employees, OR
    o An annual turnover and balance sheet total greater than 10 million euros.

It is important to note that micro and small businesses are in principle not covered by the NIS2 Directive. In exceptional cases, based on a risk assessment by the responsible minister, such companies may nevertheless be covered if their services are critical to the economy or society. Regardless of size, the directive also covers micro and small companies operating in specific sectors, such as:

  • Trust service providers (electronic seals/signatures)
  • Registries for top-level domain names (.nl, .com, .org)
  • Domain name registration service providers
  • Providers of public electronic communications networks/communications services
  • Small private disability care facilities

The ministry has developed a self-assessment tool that lets organizations check whether they are covered by this directive.

What does the NIS2 entail?

There will be a registry in which covered organizations must register, managed by the National Cyber Security Centre (NCSC). The NIS2 directive includes a duty of care consisting of 10 measures, to be further elaborated by the Ministry:

  1. Risk analysis: Conduct a thorough risk analysis to identify and assess the cyber risks to the organization, and base your security policies on it.
  2. Incident handling: Detect and handle incidents and, among other things, report significant cyber incidents to the national cybersecurity authority.
  3. Business continuity: Establish backup management, contingency plans and crisis management.
  4. Supply chain security: Set higher standards for suppliers and service providers and conduct supplier reviews.
  5. Network and information systems: Secure systems when acquiring, developing and maintaining network and information systems, including vulnerability handling and disclosure.
  6. Measure the effectiveness of measures: Monitor the measures taken, and record and evaluate whether they have the desired effect.
  7. Cyber hygiene and training: Under NIS2 the board of the organization is responsible for cybersecurity, not just the IT department (as we often see today). Make sure the board is trained on this, and give staff basic cyber hygiene training.
  8. Cryptography and encryption: Establish policies and procedures for the use of cryptography and, where appropriate, encryption.
  9. Personnel security, access control and asset management: Establish access control policies, personnel security procedures and asset management.
  10. Use of MFA: Use multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems.

How can you comply with the NIS2?

Steps organizations can take to comply with the NIS2 directive:

  1. Cybersecurity expertise: Hire a cybersecurity expert to evaluate the directive against your organization and develop a plan to meet the requirements.
  2. Implementation of measures: Implement appropriate information security measures, such as a security policy, an incident management plan and a continuity plan. Following the ISO 27001:2022 standard is highly recommended.
  3. Incident reporting: Report significant incidents to the organization's supervisory authority and the CSIRT (Computer Security Incident Response Team) within 24 hours; this early warning must be followed by a fuller incident notification within 72 hours and a final report within one month. The thresholds for these incidents will be further defined, and there will be a central reporting desk. The obligation to report personal data breaches to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens, AP) under the GDPR remains in effect.
  4. Regular evaluation: Conduct regular tests and exercises to assess the effectiveness of the cybersecurity measures taken.

Consequences of not complying with the NIS2

Failure to comply with NIS2 can have serious consequences, including:

  1. Warning: A warning for non-compliance follows first.
  2. Order to comply: In the event of persistent non-compliance, the supervisory authority can issue a binding order to remedy it.
  3. Fines: As a final sanction, fines can be imposed of up to 10 million euros or 2% of worldwide annual turnover, whichever is higher, for essential organizations (up to 7 million euros or 1.4% for important organizations).

Beware: the consequences become even more serious if your organization falls victim to a hack and confidential information ends up in the open, which can lead to liability.

Do you meet NIS2 if you are ISO 27001 or NEN 7510 certified?

No, meeting ISO 27001 or NEN 7510 does not guarantee compliance with NIS2. Although there is a lot of overlap, NIS2 imposes additional requirements not included in these standards.

  • ISO 27001 is an international standard for information security management systems. It sets a number of general requirements for implementing an information security policy and management system that are very similar to the requirements of NIS2.
  • NEN 7510 is a Dutch standard for information security in the healthcare sector. It sets specific requirements for the security of personal (patient) data in healthcare.

NIS2 sets additional requirements for essential and important organizations, such as:

  • Reporting significant cyber incidents to the national cybersecurity authority within the prescribed deadlines.
  • Conducting regular tests and exercises to evaluate cybersecurity measures.

NIS2 puts more emphasis on risk management, supplier management and incident management. The ISO 27001 framework provides a good basis for exactly these areas, and the additional NIS2 requirements are easy to fit into that framework. This way, your organization has one effective Information Security Management System (ISMS).

Need help implementing ISO 27001 and the additional requirements to comply with NIS2? Schedule a no-obligation consultation or call:

Mathijs Oppelaar
Information Security Consultant
085 773 60 05
KAM Certifications is now Fendix