NIS2 Directive

What is the NIS2 Directive?

The NIS2 directive (Directive (EU) 2022/2555) takes its name from Network and Information Security; it is the successor to the EU's first cybersecurity directive, NIS1. NIS2 broadens the scope of NIS1 and tightens its requirements in order to strengthen the digital resilience of organizations across the European Union. In the Netherlands, the directive is being implemented as the new Cybersecurity Act (Cyberbeveiligingswet), which has been in development since January 2023. Once that NIS2 legislation is in force, it will replace the existing Network and Information Systems Security Act (Wbni). But what exactly is NIS2? We explain that in this article.

What does the NIS2 Directive entail?

With advancing digitalization and ever closer collaboration between companies and countries, our society is becoming increasingly vulnerable to cyber threats. A single successful attack on, for example, an energy company, a bank, or an airport makes the news, and the impact is far greater when several organizations are hit by IT outages at the same time. The NIS2 directive is intended to protect organizations that are important or even essential to the economy or to society as a whole, and in doing so to make the Netherlands more secure.

NIS legislation also creates a level playing field within the EU. Previously, member states applied different security guidelines and measures, which significantly hindered collaboration between countries and organizations. The NIS2 directive establishes a consistent security baseline across the member states, so that the EU can defend itself as a single bloc. The National Security Trend Analysis 2024 showed that the threat from state actors and criminal organizations is increasing, and NIS2 is one of the measures intended to prepare for it.

Background to NIS2

Given current threats, NIS1 had become too limited. The scope of the NIS2 legislation is therefore clearly broader than that of the original directive: more sectors are covered, and within those sectors medium-sized and sometimes even smaller organizations are included as well. NIS2 also sets stricter requirements for the organizations it covers, including cyber risk management, governance and oversight, and business continuity. We describe the NIS2 obligations in more detail below.

Who does NIS2 apply to?

The first question is whether the NIS2 legislation applies to your organization. NIS2 targets organizations that, as noted, are important or even essential to the social and economic functioning of a country. The sectors covered by NIS2 are strictly defined and represent a significant expansion compared to NIS1. A distinction is made between highly critical sectors and other critical sectors:

  • Highly critical NIS2 sectors include, for example, energy, transport, financial institutions, healthcare, drinking water, digital infrastructure, and public administration. In short, the backbone that the country relies on.

  • Other critical NIS2 sectors include digital providers, postal and courier services, food, and manufacturing. These are not infrastructure services as such, but they are crucial for the continued functioning of the country.

In addition to the sector in which an organization operates, its size is also relevant. In general, NIS2 applies to large and medium-sized organizations, using the EU definitions of enterprise size:

  • An organization is large if it has 250 or more employees, or an annual turnover above 50 million euros and a balance sheet total above 43 million euros.

  • An organization is medium-sized if it has at least 50 employees, or an annual turnover and a balance sheet total that are both above 10 million euros, without exceeding the thresholds for a large organization.

There are exceptions. Micro and small businesses do not in principle fall under the NIS2 directive, but the ministry responsible for a particular sector can still bring such a company under NIS2 if it is critical to the Dutch economy or society. Regardless of size, government bodies, providers of public electronic communications networks and services, trust service providers, top-level domain name registries, DNS service providers, and domain name registration service providers always fall under NIS2.

For an individual organization, it is therefore not always immediately clear whether it falls within the NIS2 framework. The government has therefore published a self-assessment. This NIS2 checklist helps you determine whether your organization falls under the NIS2 directive.

Essential or important entities in NIS2

With that same self-assessment, you can also determine whether your organization is an essential entity or an important entity within NIS2. This distinction is important because it determines which oversight regime applies to your organization:

  • Under NIS2, all large organizations in highly critical sectors are classified as essential entities. The same applies, regardless of size, to certain categories of digital infrastructure providers, such as qualified trust service providers, top-level domain name registries, and DNS service providers. Central government organizations are also essential entities.

  • The other organizations that fall under NIS2 are classified as important entities. This generally includes medium-sized organizations in highly critical sectors and all organizations in the other critical sectors.

If the combination of highly critical and other critical sectors, essential and important entities, and the distinction between micro, small, medium-sized, and large organizations seems overwhelming, the NIS2 checklist is your starting point. In addition, the National Cyber Security Centre (NCSC) has published a NIS2 brochure that summarizes all classifications in a single clear overview.

NIS2 obligations and oversight

If your organization falls under the NIS2 directive, three obligations apply automatically:

  • You are legally required to register in the entities register. The NCSC is developing and will manage an online registration facility where organizations can register themselves as a NIS2 entity. Every EU member state maintains such a register so that a European overview exists.

  • The bill includes a duty of care. Organizations must perform a risk analysis and, based on it, implement appropriate and proportionate technical, operational, and organizational measures to secure the network and information systems they use to deliver their services.

  • There is a reporting obligation. Entities must report significant incidents, meaning incidents that can seriously disrupt the organization's services, to the CSIRT (Computer Security Incident Response Team) and the supervisory authority. The directive prescribes a staged process: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month. In practice this means the initial report must be sent before the investigation is complete, so the internal incident response process has to be set up to produce a first notification within that 24-hour window.

The Cybersecurity Act also governs oversight of entities. Oversight covers the organization as a whole, and individual executives may be held accountable and investigated where necessary. It is in NIS2 oversight that the key difference between important and essential entities becomes visible:

  • For essential entities, there is proactive oversight. This means compliance with the obligations is monitored regardless of whether incidents have occurred.

  • For important entities, oversight is reactive only. The regulator can decide to initiate an investigation after, for example, a cyber incident or reports from external auditors or other organizations.

Financial penalties are also higher for essential entities than for important entities: the directive sets a maximum of 10 million euros or 2% of worldwide annual turnover for essential entities, and 7 million euros or 1.4% of worldwide annual turnover for important entities, whichever is higher in each case.

NIS2 delayed

We already noted that NIS2 is an EU directive that the Netherlands must transpose into Dutch law, the Cybersecurity Act. The legislation is complex, partly because more sectors are included, the requirements are demanding, and more oversight is needed. The original transposition deadline of October 17, 2024 was not feasible, and the Rutte IV cabinet had already announced a delay. The expectation is that implementation of the NIS2 directive will now be completed in the second or third quarter of 2025.

Preparing for the NIS2 implementation

Does your organization fall under NIS2? Then make sure you prepare in time. In our blog we explain more about preparing for NIS2, and how Tools4ever helps you become and remain NIS2 compliant.

What is a CSIRT?

A CSIRT (Computer Security Incident Response Team) is a specialized team of IT and security specialists responsible for identifying, analyzing, and resolving security incidents within an organization or network. Under NIS2, each member state designates one or more national CSIRTs that receive incident reports from entities and support them during incident handling.

Is NIS2 certification possible?

No. Organizations that fall under NIS2 must meet the associated obligations, but there is no NIS2 certificate to obtain. An existing certification such as ISO 27001 does cover much of the duty of care, since it already requires a risk analysis and a managed set of security measures, but it does not by itself satisfy the registration and reporting obligations, which you must arrange separately.