Everything you need to prepare for the NIS 2 Directive
Navigate your NIS 2 Compliance Journey with Sophos
What is NIS 2? Are you affected?
The NIS 2 Directive entered into force in January 2023. EU Member States were given until October 17, 2024, to transpose the NIS 2 security requirements into national legislation. From that date, all organizations falling under the scope of NIS 2 must comply with the updated requirements.
What’s new with NIS 2?
NIS 2 replaces the original NIS Directive of 2016, which was the first piece of EU-wide legislation on cybersecurity. NIS 2 widens the scope of the original framework to include more sectors, introduces stricter supervisory measures for national authorities, places greater emphasis on supply-chain security, and creates stricter enforcement and stricter penalties for non-compliance.
Who does NIS 2 apply to?
The original NIS Directive applied primarily to critical infrastructure, covering only 7 sectors as Operators of Essential Services and 3 types of Digital Service Providers. NIS 2 significantly expands the scope: Annex I lists 11 sectors of high criticality and Annex II lists 7 other critical sectors, and the entities operating in them are classified as Essential Entities or Important Entities.
Essential Entities are subject to a more intensive supervision regime in which compliance is monitored both ex ante and ex post: authorities can audit and inspect an essential entity proactively, without waiting for evidence of a problem, so these entities must be able to demonstrate compliance from the moment NIS 2 applies to them. Important Entities are subject to a lighter, ex-post-only regime: action is taken only if and when authorities receive evidence of non-compliance.
An organisation is covered by the NIS 2 Directive if:
- The organization provides services or carries out activities in any of the EU member states
- With exceptions, the organization is at least medium-sized: it has 50 or more employees, or an annual turnover and balance sheet total exceeding €10 million
- The organization operates in one of the 18 sectors specified by NIS 2 under Annex I and Annex II
NIS 2 lists the following 18 sectors; whether an organization in one of them is an essential or an important entity depends on its size and the annex in which its sector appears:
Annex I (sectors of high criticality): energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; ICT service management (business-to-business); public administration; space.
Annex II (other critical sectors): postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing (including medical devices, computers and electronics, machinery, motor vehicles and other transport equipment); digital providers (online marketplaces, online search engines and social networking platforms); research.
Essential Entities:
These are large organizations operating in an Annex I sector, plus certain entity types that are essential regardless of size (for example qualified trust service providers, TLD name registries, DNS service providers and central-government public administration entities).
Important Entities:
These are medium-sized organizations operating in an Annex I sector and medium and large organizations operating in an Annex II sector, i.e. in-scope entities that do not qualify as essential.
Exceptions: A company that is the sole provider of a particular service within an EU Member State, or whose service disruption could have a significant impact on public safety, public security or public health, may be classified as an essential or important entity regardless of its size.
Criteria for an organization to be considered large (based on the EU SME definition):
- 250 employees or more; or
- An annual turnover exceeding €50 million and an annual balance sheet total exceeding €43 million
Criteria for an organization to be considered medium:
- 50 employees or more; or
- An annual turnover and an annual balance sheet total exceeding €10 million, while remaining below the thresholds for a large organization
Small and micro-organizations are not automatically excluded from the scope of NIS 2. Member States can extend NIS 2 requirements to an entity that fulfils specific criteria as a key player in society, the economy, or a particular sector or type of service.
Penalties for NIS 2 non-compliance
NIS 2 introduces stricter penalties for Essential Entities and Important Entities that fail to meet the security requirements or fail to report incidents. Although the specific fines may vary between Member States, NIS 2 aims to harmonize penalties across the EU by establishing a minimum list of administrative sanctions. The types of penalties for non-compliance include:
Non-monetary penalties
NIS 2 gives national supervisory authorities more power to supervise and enforce compliance with non-monetary remedies, including:
- Compliance orders (regulators can order an entity to remedy identified deficiencies or infringements)
- Binding instructions (regulators can require an entity to take specific actions within a set deadline)
- Security audit orders (regulators can require an entity to undergo a security audit and implement its recommendations)
- Threat notification orders (regulators can require an entity to inform the customers it provides services to about a significant cyber threat)
- Public disclosure orders (regulators can require an entity to make aspects of its non-compliance public)
- Temporary prohibitions (for Essential Entities, regulators can temporarily suspend a certification or authorization, and temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions)
Administrative fines
- For Essential Entities: a maximum fine level up to €10,000,000 or 2% of the global annual revenue, whichever is higher.
- For Important Entities: a maximum up to €7,000,000 or 1.4% of the global annual revenue, whichever is higher.
Personal liability for managers of Essential Entities and Important Entities
NIS 2 includes new measures that allow Member States to hold senior management (e.g., board members, directors, leadership executives) of Essential Entities and Important Entities personally accountable for NIS 2 compliance. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation and follow cybersecurity training. Enforcement can include requiring the company to make compliance violations public, publicly stating the nature of the violation and the person(s) responsible, and temporarily barring individuals from holding management positions. Management personnel may also be held personally liable where gross negligence leads to a failure to fulfil their responsibilities for cybersecurity management.
Free webinar on NIS 2
Register for our on-demand webinar, where the experts decode NIS 2 for you. Find out how Sophos can support you in meeting the new rules.
Achieve NIS 2 compliance with Sophos
Compliance with NIS 2 is an opportunity for organizations to strengthen their security posture and resilience against cyber threats, thereby contributing to a stronger digital landscape in the EU.
Sophos can help you meet the NIS 2 requirements with confidence. Our extensive cybersecurity capabilities can help you cover key NIS 2 compliance requirements.
The mapping below shows Sophos Endpoint, Sophos Firewall, Sophos MDR and Sophos XDR against the NIS 2 cybersecurity risk-management measures (Article 21) and reporting obligations (Article 23) that they help address:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity, including backup management and disaster recovery
- Supply chain security
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
- Policies and procedures regarding the use of cryptography and encryption
- Human resources security, access control policies and asset management
- Use of multi-factor authentication
- Reporting obligations
To learn more about Sophos’ intuitive security solutions that can support your NIS 2 compliance needs, download Sophos solutions for NIS 2.
Comparing NIS 2 with other cybersecurity regulations
NIS 2 is just one of many cybersecurity regulations with which EU operators must comply. Here is a look at the NIS 2 Directive's relationship with other EU frameworks and how they overlap:
| | NIS 2 | GDPR | DORA | CER |
| --- | --- | --- | --- | --- |
| Legal act | Directive (EU) 2022/2555 | Regulation (EU) 2016/679 | Regulation (EU) 2022/2554 | Directive (EU) 2022/2557 |
| Name | Network and Information Security Directive 2 | General Data Protection Regulation | Digital Operational Resilience Act | Critical Entities Resilience Directive |
| Scope | Applies to organizations that are Essential Entities or Important Entities; replaces NIS 1, Directive (EU) 2016/1148 | Applies to any organization that processes the personal data of individuals in the EU and the EEA | Applies to financial entities in the EU and to the ICT third-party service providers that serve them | Applies to organizations designated as critical entities by a Member State |
| Purpose | Improves the cybersecurity and resilience of network and information systems across the European Union | Protects the fundamental rights and freedoms of individuals, specifically their right to privacy and the protection of personal data | In addition to cybersecurity requirements, this Regulation emphasises the overall digital operational resilience of financial entities, including ICT risk management, incident reporting, resilience testing and third-party risk | Emphasises the resilience and business continuity of designated Critical Entities against non-cyber risks such as natural hazards, sabotage and terrorism |
| Relationship to NIS 2 | - | Organizations covered by NIS 2 that are also data controllers or processors under the GDPR must comply with both; a NIS 2 incident involving personal data may also trigger a GDPR breach notification | DORA is the sector-specific act for financial entities: where DORA's risk-management and incident-reporting requirements apply, they take the place of the corresponding NIS 2 obligations (NIS 2 Article 4), while the remaining NIS 2 provisions continue to apply | Entities designated as critical under CER are treated as essential entities under NIS 2: NIS 2 governs their cybersecurity and CER governs their physical and non-cyber resilience |
| Application date | October 17, 2024 (transposition deadline) | May 25, 2018 | January 17, 2025 | October 18, 2024 (transposition deadline) |
| Sanctions | Non-monetary penalties (such as compliance orders), administrative fines and, where Member States provide for them, criminal sanctions. Fines for Essential Entities can reach up to €10 million or 2% of total worldwide annual turnover (whichever is higher); fines for Important Entities up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher) | Up to €10 million or 2% of global annual turnover (Tier 1) or up to €20 million or 4% of global annual turnover (Tier 2), whichever is higher, depending on the nature of the violation | Financial penalties can be imposed, with the amount depending on the provisions violated and the severity of the breach; regulators may also issue warnings, operational restrictions, or orders that restrict operations until compliance is demonstrated | Penalties vary by Member State but are likely to include fines, public notification, remediation orders and withdrawal of authorization |
Disclaimer: Specifications and descriptions are subject to change without notice. Sophos disclaims all warranties and guarantees regarding this information. The use of Sophos products alone does not comprise legal advice and does not guarantee legal compliance. The information in this document does not constitute legal advice. Customers are solely responsible for compliance with all laws and regulations and should consult their own legal counsel for advice regarding such compliance.
For more information on how to achieve your NIS 2 compliance goals before the deadline, contact us today.