lchaveir
Cisco Employee

Find answers to commonly asked questions about the NIS2 directive and its impacts.

What is NIS2? 

The European Network and Information Security (NIS2) directive outlines cybersecurity requirements for organizations operating in the European Union (EU) to ensure that there is a high, common level of protection across Member States. It addresses the limitations of the initial NIS directive established in 2016 with stricter requirements, an expanded scope of entities and sectors that must comply, and penalties for noncompliance. 

An estimated 350,000 organizations across the EU are affected by the NIS2 directive. Organizations, especially those engaging with NIS for the first time, will need to invest significant resources in understanding their responsibilities and ensuring compliance.


When will this take effect? 

Member States have been given a target of transposing the EU NIS2 directive into applicable national law before October 17, 2024. Once the local law has been ratified by the individual Member States, the NIS2 requirements will be enforced. Member States have until April 17, 2025 to finalize the list of organizations that must comply.

How will NIS2 impact businesses?  

Businesses that fall under the scope of NIS2 need to comply with stricter cybersecurity requirements, including risk management measures, response times, and incident reporting obligations. They may also be subject to more rigorous inspections and higher penalties for non-compliance.

Who does this impact? 

In the initial version of the NIS directive, Member States were responsible for designating the organizations that were subject to the regulation. Now, not only does NIS2 apply to more sectors, but all organizations with more than 50 employees and annual revenues of over €10M, whether public or private, are also impacted. Member States can decide to add smaller entities to the list if they are considered to have a key role in the local economy or society.

 The NIS2 scope is described in two annexes that list industry sectors to which the directive automatically applies. Annex I lists highly critical sectors. Annex II lists other critical sectors. 

Figure 1. Industry sectors categorized as Annex I and Annex II under NIS2 

 

What are the penalties for non-compliance with NIS2?

Penalties can vary by Member State, but NIS2 sets a maximum fine of at least €10 million or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher.

Which parts of an organization are touched by NIS2?

NIS2 affects different pillars within an organization. It does not limit itself to just technology; it also looks at organizational and operational aspects of cybersecurity. People, processes, procedures, and tools all fall under the NIS2 measures.

How can organizations prepare for NIS2? 

Cisco Security Services can help organizations to understand the status of their current security controls, identify gaps, and provide actionable recommendations to become and remain compliant with the NIS2 regulations by offering:  

  • NIS2-focused organizational, operational, and technical maturity assessments 
  • Assistance with testing and improving detection capabilities 
  • Infrastructure design review and recommendations, including network segmentation controls to limit the impact of attacks and reduce operational downtime 
  • Security Operations Center processes, procedures, and tools optimization, including incident response exercises to adequately and quickly respond to cybersecurity issues. 

 

To learn more about Cisco’s Security Services, request help from a Cisco specialist.  

 

For more information on the NIS2 directive, explore the following resources: 



Comments
M02@rt37
VIP

Thanks a lot @lchaveir 
