Request checklist: Is my company affected?
Table of contents
- NIS 2.0 Cyber Security Directive at a glance
- When does the new EU directive come into force?
- Who is affected by NIS2: essential and important facilities
- Who is affected by NIS2: large and medium-sized companies
- Who is affected by NIS2: small businesses in individual cases
- Required risk management measures
- Reporting obligations for affected companies
- Sanctions and liability in the event of violations
- NIS 2 vs. DORA: what is the difference?
- Do you have any questions?
The NIS2 Directive (Network and Information Security Directive 2) is an EU directive aimed at strengthening cybersecurity in the European Union. In essence, NIS2 extends the scope of the previous NIS Directive and covers not only critical infrastructure (such as energy and transport systems) but also important digital service providers. Affected organizations must implement strict security measures and are required to conduct risk assessments. To ensure the implementation of the directive, EU member states must establish a national cybersecurity authority.
The NIS2 Directive entered into force on January 16, 2023 , replacing the current directive. Before NIS2 can have an impact on companies, it must be implemented by the member states in national laws and regulations. Member states have until October 17, 2024, to do so.
Large and medium-sized companies (see definition below) from sectors with high criticality and other critical sectors are affected. Within these sectors, the terms “essential facilities” and “important facilities” are used:
Essential facility | Important facility |
---|---|
Large companies:
|
Medium-sized companies:
Large & medium-sized :
|
Medium-sized companies in sectors with a high criticality are therefore considered to be important facilities. Both essential and important facilities must implement the requirements. There are differencesin the way they are inspected by the authorities and in the sanctions imposed. While regular safety inspections are conducted “ex-ante” for essential facilities, inspections of important facilities are only conducted if there is reasonable suspicion.
NIS2 categorizes companies by size:
Sizes according to NIS2 | Employees | Annual turnover | |
---|---|---|---|
Small company | < 50 | AND | < 10 mil. Euro |
Medium-sized company | < 250 | AND | < 50 mil. Euro |
Large company | > 250 | OR | > 50 mil. Euro |
Note: The annual balance sheet total can also be used instead of the annual turnover, whereby the threshold between medium-sized and large companies is already 43 million (instead of 50 million).
Example: A company with 40 employees and a turnover of 12 million euros is therefore already considered a medium-sized company. If this company offers, for example, “digital services” (see above), it is considered an important institution according to NIS2 and must implement a series of risk management measures.
Small companies (see definition above) are not covered by NIS2, but there are exceptions. The following companies fall within the scope of the directive, regardless of their size:
Request checklist: Is my company affected?
In the event of significant incidents and threats, an early warning must be issued immediately, i.e., within 24 hours of becoming aware of the incident. An official report of the security incident must be submitted within 72 hours. A final report must be submitted to the authorities one month after this report has been submitted.
The fine for major organizations is 10 million euros or 2 percent of global revenue.
For important organizations, the sanctions are a little less severe and amount to 7 million euros or 1.4 percent of global revenue.
The NIS2 Directive and the Digital Operational Resilience Act (DORA) are both legal instruments of the European Union that deal with different aspects of cybersecurity.
NIS2 is a directive, which means that it must be transposed into national law by the EU member states. Member states have some leeway in the transposition to take into account the specific needs and circumstances of their country. DORA is a regulation, which means that it is directly applicable in all EU member states as soon as it enters into force. No national implementation is required.
NIS2 concerns operators of essential services (see definition above) and, unlike NIS1, digital service providers are now also considered to be such operators. The directive aims to ensure a high level of cybersecurity throughout the EU. DORA focuses on the resilience of the financial system in the EU. It primarily affects financial institutions and organizations in the financial sector. NIS2 and DORA are therefore different legal
How can you best approach the topic of NIS2 in your organization? We are here to help!
We are here to support you in building or enhancing your digital projects. Get in touch with us and find out how we can help bring your vision to life!