Everything you need to prepare for the NIS 2 Directive

Navigate your NIS 2 Compliance Journey with Sophos


The NIS 2 Directive entered into force in January 2023. EU Member States were given until October 17, 2024, to transpose the NIS 2 security requirements into their national legislation. By that date, all organizations falling within the scope of NIS 2 must ensure compliance with the updated requirements.


What’s new with NIS 2?

NIS 2 replaces the original NIS Directive introduced in 2016, which was the first piece of EU-wide legislation on cybersecurity. NIS 2 widens the scope of the initial framework to include more industries, introduces stringent supervisory measures for national authorities, places greater focus on supply chains, and brings stricter enforcement and stricter penalties for non-compliance.

[Image: NIS vs. NIS 2 comparison]

Who does NIS 2 apply to?

The original NIS Directive primarily applied to critical infrastructure organizations, pulling into the Directive’s requirements only 7 industry sectors as Operators of Essential Services and 3 industry sectors as Digital Services. NIS 2 significantly expands the scope to include 11 industry sectors as Essential Entities and 7 industry sectors as Important Entities.

Essential Entities are subject to a more intensive supervision regime in which both ex-ante and ex-post compliance are monitored (meaning that entities are required to meet supervisory requirements from the moment NIS 2 applies). Important Entities are subject to a lighter, ex-post-only form of supervision (meaning that action is only taken if and when authorities receive evidence of non-compliance).

An organisation is covered by the NIS 2 Directive if:

  • The organization provides services or carries out activities in any of the EU member states
  • With exceptions, the organization has at least 50 employees or an annual turnover or balance sheet of over €10 million
  • The organization operates in one of the 18 sectors specified by NIS 2 under Annex I and Annex II

NIS 2 identifies organizations operating in the following 18 sectors as Essential Entities* or Important Entities** depending on the total annual revenue and size of the organization:

[Image: NIS 2 sector table, with Essential Entity sectors in the left column and Important Entity sectors in the right column]

* Essential Entities: typically medium and large organizations seen as critical to the economy and operating in a sector listed in the left column above.

** Important Entities: typically medium and large organizations seen as important to the economy but not critical, and operating in a sector listed in the right column above.

Exceptions: Companies that are the sole provider of a particular service within an EU member state, or whose service disruption could have a significant impact, may be classified as an Essential Entity or Important Entity regardless of size.

Typical criteria for an organization to be considered large:

  • 250 employees or more; or
  • An annual turnover of €50 million or more and a balance sheet total of €43 million or more

Criteria for an organization to be considered medium:

  • 50 employees or more; or
  • An annual turnover and balance sheet total of €10 million or more

Small or micro-organizations are not excluded from the scope of NIS 2. Member States can extend NIS 2 requirements if an entity fulfils specific criteria as a key player in society, the economy, or sectors or types of service.


Not sure if NIS 2 applies to your organization?

Take our NIS 2 self-assessment test to find out.


Penalties for NIS 2 non-compliance

NIS 2 introduces stricter penalties for non-compliance by Essential Entities and Important Entities for their failure to meet security requirements or failure to report incidents. Although the specific fines may vary depending on the Member State, NIS 2 aims to harmonise penalties across all Member States by establishing a minimum list of administrative sanctions. The various types of penalties for non-compliance include:

Non-monetary penalties

NIS 2 gives more power to the national supervisory authorities to supervise and enforce compliance with non-monetary remedies, including:

  • Compliance orders (regulators can issue an order to implement specific actions)
  • Binding instructions (regulators can require a company to take specific actions)
  • Security audit implementation orders (regulatory orders implementing a security measure)
  • Threat notification orders to entities’ customers (public notice of non-compliance)
  • Temporary prohibitions (regulatory orders prohibiting management from carrying out managerial functions)

Administrative fines

  • For Essential Entities: a maximum fine level up to €10,000,000 or 2% of the global annual revenue, whichever is higher.
  • For Important Entities: a maximum up to €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

Personal liability for managers of Essential Entities and Important Entities

NIS 2 includes new measures that allow Member States to hold the senior management (e.g., board members, directors, leadership executives) of Essential Entities and Important Entities personally liable for compliance with NIS 2 requirements. This includes requiring the company to make compliance violations public, publicly stating the nature of the violation that occurred and the person(s) at fault, and temporarily barring individuals from holding management positions. Management personnel may also be held personally liable in cases of gross negligence in fulfilling their responsibilities for cybersecurity management.

Free webinar on NIS 2

Register for our on-demand webinar, where the experts decode NIS 2 for you. Find out how Sophos can support you in meeting the new rules.

Achieve NIS 2 compliance with Sophos

Compliance with NIS 2 is an opportunity for organizations to strengthen their security posture and resilience against cyber threats, thereby contributing to a stronger digital landscape in the EU.

Sophos can help you meet the NIS 2 requirements with confidence. Our extensive cybersecurity capabilities can help you cover key NIS 2 compliance requirements.

[Table: Sophos Endpoint, Sophos Firewall, Sophos MDR and Sophos XDR mapped against the NIS 2 requirement areas below]

NIS 2 requirement areas:

  • Policies on risk analysis
  • Incident handling
  • Business continuity
  • Supply chain security
  • Security of network and information systems, including vulnerability handling and disclosure
  • Assessing the effectiveness of cybersecurity risk management measures
  • Policies regarding the use of cryptography and encryption
  • Human resources security, access control policies and asset management
  • Use of multi-factor authentication
  • Reporting obligations

To learn more about Sophos’ intuitive security solutions that can support your NIS 2 compliance needs, download Sophos solutions for NIS 2.

Comparing NIS 2 with other cybersecurity regulations

NIS 2 is just one of the many cybersecurity regulations with which EU operators must comply. Here’s a look at the NIS 2 Directive’s relationship with other frameworks and how they overlap:

NIS 2
  EU legislation: (EU) 2022/2555
  Name: Network and Information Security Directive 2
  Scope: Applies to organizations that are Essential Entities and Important Entities; replaces NIS1 (EU) 2016/1148
  Purpose: Designed to improve the cybersecurity and resilience of network and information systems across the European Union
  Compliance status with respect to NIS 2: -
  Effective date: October 17, 2024
  Sanctions: Includes non-monetary penalties (such as compliance orders), administrative fines and criminal sanctions. Non-compliance fines for Essential Entities can reach up to 2% of total worldwide annual turnover or €10 million (whichever is higher), whilst fines for Important Entities can be up to 1.4% of total worldwide annual turnover or €7 million

GDPR
  EU legislation: (EU) 2016/679
  Name: General Data Protection Regulation
  Scope: Applies to any organization that processes the personal data of individuals who live in the EU and the EEA
  Purpose: Protects the fundamental rights and freedoms of individuals, specifically their right to privacy and the protection of personal data
  Compliance status with respect to NIS 2: Organisations covered by NIS 2 which are also data controllers or data processors under the EU GDPR must comply with both the EU GDPR and the EU NIS 2 Directive
  Effective date: May 25, 2018
  Sanctions: Violations of GDPR provisions may be enforced by substantial penalties, including up to €10 million or 2% of global annual turnover (Tier 1 monetary penalties) or up to €20 million or 4% of annual global turnover (Tier 2 monetary penalties), depending on the nature of the violation

DORA
  EU legislation: (EU) 2022/2554
  Name: Digital Operational Resilience Act
  Scope: Applies to all financial entities in the EU
  Purpose: In addition to cybersecurity requirements, places emphasis on the overall resilience of financial institutions
  Compliance status with respect to NIS 2: DORA and NIS 2 are designed to work together to strengthen cybersecurity requirements; each has distinct requirements, both of which are required of financial institutions
  Effective date: January 17, 2025
  Sanctions: Financial penalties for breaches of DORA can be imposed, but the exact amount depends on the provisions violated and the severity of the breach. Regulators may also take other actions, including warnings, operational restrictions, or regulatory orders that restrict operations until proof of compliance

CER
  EU legislation: (EU) 2022/2557
  Name: Critical Entities Resilience Directive
  Scope: Applies to organizations that are considered critical according to Member State decision
  Purpose: Emphasises the resilience and business continuity of Critical Entities designated within the Directive and provides guidance about defences against non-cyber-related risks
  Compliance status with respect to NIS 2: Critical Entities must also comply with NIS 2 when it comes to cybersecurity, and with the CER Directive for non-cyber incidents
  Effective date: October 18, 2024
  Sanctions: Penalties for non-compliance will vary by Member State but are likely to include fines, public notification, remediation, and withdrawal of authorization

Disclaimer: Specifications and descriptions are subject to change without notice. Sophos disclaims all warranties and guarantees regarding this information. The use of Sophos products alone does not comprise legal advice and does not guarantee legal compliance. The information in this document does not constitute legal advice. Customers are solely responsible for compliance with all laws and regulations and should consult their own legal counsel for advice regarding such compliance.

 

For more information on how to achieve your NIS 2 compliance goals before the deadline, contact us today.
