Everything you need to prepare for the NIS 2 Directive

Navigate your NIS 2 Compliance Journey with Sophos

What is NIS 2?Are you affected?

 

The NIS2 directive became effective in January 2023. EU Member States had been given a deadline of October 17, 2024, to integrate NIS2 security requirements into their national legislation. By this date, all companies falling under the scope of NIS2 must ensure compliance with the updated requirements.

Sophos solutions for NIS 2

strengthen-your-nis2-cybersecurity-strategy-with-sophos

What’s new with NIS 2?

NIS 2 replaces the original NIS Directive introduced in 2016, which was the first piece of EU-wide legislation on cybersecurity. NIS 2 widens the scope of the initial framework to include more industries, introduces stringent supervisory measures for national authorities, places greater focus on supply chains, creates stricter enforcement and stricter penalties for non-compliance.

nis-vs-nis2-compare

Who does NIS 2 apply to?

The original NIS Directive primarily applied to critical infrastructure organizations, pulling into the Directive’s requirements only 7 industry sectors as Operators of Essential Services and 3 industry sectors as Digital Services. NIS 2 significantly expands the scope to include 11 industry sectors as Essential Entities and 7 industry sectors as Important Entities.

Essential Entities are subject to a more intensive supervision regime in which both ex-ante and ex-post compliance are monitored (meaning that entities will be required to meet supervisory requirements as of the introduction of NIS 2.) Important Entities are subject to a lighter form of supervision, only ex-post (meaning that action is only taken if and when authorities receive evidence of non-compliance).

An organisation is covered by the NIS 2 Directive if:

  • The organization provides services or carries out activities in any of the EU member states
  • With exceptions, the organization has at least 50 employees or an annual turnover or balance sheet of over €10 million
  • The organization operates in one of the 18 sectors specified by NIS 2 under Annex I and Annex II

NIS 2 identifies organizations operating in the following 18 sectors as essential entities and important entities depending on the total annual revenue and size of the organization:

*Essential Entities:

These are typically medium and large organizations seen as critical to the economy and operating in a sector listed in the left column above.

**Important Entities:

These are typically medium and large organizations seen as important to the economy but not critical and operating in a sector listed in the right column above.

Exceptions: Companies that are the sole provider of a particular service within an EU member state or disruption of their service could have a significant impact may be classified as an essential entity or

Typical criteria for an organization to be considered large:

  • 250 employees or more; or
  • An annual turnover of €50 million or more and a balance sheet total of €43 million or more

Criteria for an organization to be considered medium:

  • 50 employees or more; or
  • An annual turnover and balance sheet total of €10 million or more

Small or micro-organizations are not excluded from the scope of NIS 2. Member States can extend NIS 2 requirements if an entity fulfils specific criteria as a key player in society, the economy, or sectors or types of service.

nis2-industries
test-icon

Not sure if NIS 2 applies to your organization?

Take our NIS 2 self-assessment test to find out.

Take the test

Penalties for NIS 2 non-compliance

NIS 2 introduces stricter penalties for non-compliance by Essential Entities and Important Entities for their failure to meet security requirements or failure to report incidents. Although the specific fines may vary depending on the Member State, NIS 2 aims to harmonise penalties across all Member States by establishing a minimum list of administrative sanctions. The various types of penalties for non-compliance include:

Non-monetary penalties

NIS 2 gives more power to the national supervisory authorities to supervise and enforce compliance with non-monetary remedies, including:

  • Compliance orders (regulators can issue an order to implement specific actions)
  • Binding instructions (regulators can require a company to take specific actions)
  • Security audit implementation orders (regulatory orders implementing a security measure)
  • Threat notification orders to entities’ customers (public notice of non-compliance)
  • Temporary prohibitions (regulatory orders prohibiting management from carrying out managerial functions)

Administrative fines

  • For Essential Entities: a maximum fine level up to €10,000,000 or 2% of the global annual revenue, whichever is higher.
  • For Important Entities: a maximum up to €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

Personal liability for managers of Essential Entities and Important Entities

NIS 2 includes new measures that allow Member States to hold senior management (e.g., board members, directors, leadership executives) of Essential Entities and Important Entities personally liable for NIS 2 requirements. This includes requiring the company to make compliance violations public, publicly stating the nature of the violation that occurred and the person(s) at fault, and temporarily barring individuals from holding management positions. Also, management personnel may be held personally liable when having exercised gross negligence for failing to fulfil responsibilities for cybersecurity management.

Sophos solutions for NIS 2

Free webinar on NIS 2

Register for our on-demand webinar, where the experts decode NIS 2 for you. Find out how Sophos can support you in meeting the new rules.

Watch webinar on-demand

Achieve NIS 2 compliance with Sophos

Compliance with NIS 2 is an opportunity for organizations to strengthen their security posture and resilience against cyber threats, thereby contributing to a stronger digital landscape in the EU.

Sophos can help you meet the NIS 2 requirements with confidence. Our extensive cybersecurity capabilities can help you cover key NIS 2 compliance requirements.

 

Sophos Endpoint

Sophos Firewall

Sophos MDR

Sophos XDR

Policies on risk analysis

 

 

 

 
Incident handling

 

 

 

 

Business continuity

 

 

 

 

Supply chain security

 

 

 

 

Ensure security of the network and information systems, including Vulnerability handing and disclosure 

 

 

 

Assess effectiveness of cybersecurity risk management measures

 

 

 

 
Policies regarding use of cryptography and encryption 

 

  
Human resources security, access control policies and asset management 

 

 

 

Use of multi-factor authentication 

 

  
Reporting obligations  

 

 

To learn more about Sophos’ intuitive security solutions that can support your NIS 2 compliance needs, download Sophos solutions for NIS 2.

Comparing NIS 2 with other cybersecurity regulations

NIS 2 is just one of the many cybersecurity regulations to which EU operators must comply. Here’s a look at the NIS 2 Directive’s relationship with other frameworks and how they overlap:

 

NIS 2

GDPR

DORA

CER

EU Directive(EU) 2022/2555(EU) 2016/679(EU) 2022/2554(EU) 2022/2557
Directive NameNetwork and Information Security Directive 2General Data Protection RegulationDigital Operational Resilience ActCritical Entities Resilience Directive
ScopeApplies to organizations that are Essential Entities and Important Entities; replaces NIS1 (EU) 2016/1148Applies to any organization that processes the personal data of individuals who live in the EU and the EEAApplies to all financial entities in the EUApplies to organizations that are considered critical according to Member State decision
PurposeDesigned to improve the cybersecurity and resilience of network and information systems across the European UnionProtects the fundamental rights and freedoms of individuals, specifically their right to privacy and the protection of personal dataIn addition to cybersecurity requirements, this Directive places emphasis on the overall resilience of financial institutionsWith an emphasis on the resilience and business continuity of Critical Entities designated within the Directive and provides guidance about defenses against non-cyber-related risks
Compliance status with respect to NIS 2-Organisations covered by NIS 2, which are also data controllers or data processors under the EU GDPR, must comply with both the EU GDPR and the EU NIS 2 DirectivesDORA and NIS 2 are designed to work together to strengthen cybersecurity requirements; each has distinct requirements, both of which are required by financial institutionsCritical Entities must also comply with NIS 2 when it comes to cybersecurity and the CER Directive for non-cyber incidents.
Effective dateOctober 17, 2024May 25, 2018January 17, 2025October 18, 2024
SanctionsIncludes non-monetary penalties (such as compliance orders), administrative fines and criminal sanctions. Non-compliance fines for Essential Entities can reach up to 2% of total worldwide annual turnover or €10 million (whichever is higher) whilst fines for Important Entities can be up to 1.4% of total worldwide annual turnover or €7 millionViolations of GDPR provisions may be enforced by substantial penalties, including up to €10 million or 2% of global annual turnover (Tier 1 monetary penalties) or up to €20 million or 4% of the annual global turnover (Tier 2 monetary penalties), depending on the nature of the violationFinancial penalties for breaches of DORA can be imposed, but the exact amount depends on the provisions violated and the severity of the breach. Also, regulators may take other actions, including warnings, operational restrictions, or regulatory orders that restrict operations until proof of compliance.The penalties for non-compliance will vary by Member State but are likely to include fines, public notification, remediation, and withdrawal of authorization

Disclaimer: Specifications and descriptions are subject to change without notice. Sophos disclaims all warranties and guarantees regarding this information. The use of Sophos products alone does not comprise legal advice and does not guarantee legal compliance. The information in this document does not constitute legal advice. Customers are solely responsible for compliance with all laws and regulations and should consult their own legal counsel for advice regarding such compliance.

 

For more information on how to achieve your NIS 2 compliance goals before the deadline, contact us today.

NIS2 Directive

Prepare for compliance

Download Whitepaper Contact Us

nis2-banner

Neue Vorschriften für viele Branchen

Die europäische NIS2-Richtlinie bringt neue und strengere Vorschriften zur Cybersicherheit für viele Branchen – auch für solche, die von bisherigen Regelungen nicht betroffen waren. Betroffene Unternehmen und Organisationen müssen die neuen Vorschriften bis spätestens Herbst 2024 erfüllen – sonst drohen hohe Strafen.

 

Jetzt informieren und vorbereiten

Nutzen Sie unsere Info-Materialien, um zu erfahren, worum genau es bei der NIS2-Richtlinie geht, ob Ihr Unternehmen oder Ihre Organisation betroffen ist, welche Strafen drohen und was Sie tun müssen, um die Vorschriften zu erfüllen.

Whitepaper

Erfahren Sie in diesem Whitepaper – erstellt in Zusammenarbeit mit Rechtsanwalt Dr. Paul Vogel:

  • Welche neuen und erweiterten Anforderungen die NIS2-Richtlinie mit sich bringt
  • Welche Risikomanagement-Maßnahmen ergriffen werden müssen
  • Welche Haftungsrisiken für die Geschäftsführung bestehen
  • Wie Sophos-Lösungen Sie beim Erfüllen der neuen Anforderungen unterstützen können
Jetzt lesen

Webinar-Aufzeichnung

Erfahren Sie von Rechtsanwalt Dr. Paul Vogel und Cybersecurity-Experte Martin Weiß:

  • Worum es bei der NIS2-Richtlinie geht und ob Ihr Unternehmen oder Ihre Organisation betroffen ist
  • Welche Risikomanagement-Maßnahmen ergriffen werden müssen
  • Welche Strafen bei Nichteinhaltung drohen
  • Wie Sophos-Lösungen Ihnen helfen, die Vorschriften zu erfüllen
Jetzt ansehen

Podcast

Erfahren Sie im Experten-Talk von Rechtsanwalt Dr. David Bomhard und Sophos Sales Engineer Martin Weiß, was die neue Richtlinie genau mit sich bringt und was jetzt auf den To-Do-Listen von betroffenen Unternehmen und Organisationen stehen sollte.

Jetzt anhören

Lösungs-Übersicht

In diesem Dokument wird erläutert, wie Sophos-Lösungen Unternehmen und Organisationen bei der Umsetzung von Kapitel IV der NIS2-Richtlinie, Risikomanagementmaßnahmen und Berichtspflichten im Bereich der Cybersicherheit, unterstützen und ihnen bei der Einhaltung der NIS2-Richtlinie helfen.

Jetzt informieren

Anwenderberichte

Lesen Sie, wie sich unsere Kunden mit Sophos-Lösungen vor Cyberbedrohungen schützen.

AG Barr

Sophos has enabled AG Barr’s IT teams to undertake more proactive tasks instead of being drawn into managing security challenges.

Learn More

HammondCare

Sophos extended HammondCare’s existing security practice - eliminating the need for them to build up their own in-house capability.

Learn More

Contact Us

Are you impacted by NIS 2? Complete this form to receive a quick self-assessment link.

 

Country