Frequently Asked Questions
Understanding NIS and NIS2 is a challenge for most organizations. Our experts are here to help you understand and meet the new requirements.
We Have the Answers to Your Questions About NIS & NIS2
How do I know if my organization must comply with NIS2?
The first step to compliance with NIS2 is understanding whether your organization must comply. We recommend looking at our NIS2 guide and referring to your local authority's guidance.
Which sectors does NIS2 apply to?
The listed sectors must comply with NIS2, except for some smaller organizations (determined by the number of employees and annual turnover).
Please look at the NIS2 guide for more details.
Sectors in NIS version 1:
- Healthcare
- Digital infrastructure
- Transport
- Water supply
- Digital distributors (service providers)
- Banking
- Financial market
- Energy
Added in NIS2:
- Public administration
- Digital infrastructure
- Wastewater
- Waste management
- Production and manufacturing
- Chemicals production, processing, and distribution
- Food and food distribution
- Space
- Postal and courier services
What is the key purpose of NIS2?
Increasing Cyber Security Resilience
NIS2 encourages EU member states and critical infrastructure operators to enhance their cyber security resilience and preparedness to respond to, and recover from, cyber incidents effectively.
Harmonizing Cyber Security Standards
It seeks to harmonize cyber security standards and practices across the EU to ensure a consistent and high level of security across the digital landscape.
Mandatory Reporting of Incidents
NIS2 mandates the reporting of significant cyber incidents to national authorities and establishes a coordinated mechanism for sharing information on cyber threats and incidents among member states.
Critical Infrastructure Protection
The Directive places a special focus on protecting critical infrastructure sectors, such as energy, transportation, healthcare, and digital infrastructure by requiring them to meet specific cyber security requirements.
Enforcement and Penalties
NIS2 introduces measures for effective enforcement of cyber security requirements and penalties for non-compliance, thereby incentivizing organizations to invest in cyber security measures.
Cooperation and Information-sharing
It promotes cooperation and information sharing among member states and between the public and private sectors to enhance collective cyber security defense.
When will NIS2 come into effect?
The NIS2 Directive is set to be transposed by all EU member states by 17 October 2024. This is a crucial date for businesses to take note of, as failure to comply with the Directive can result in severe consequences such as financial penalties and damage to reputation. Therefore, it's essential that companies gear up and make the necessary preparations to ensure full compliance well before the deadline. Don't wait until it's too late - act now to avoid any potential negative consequences.
What is the difference between essential & important entities?
The difference between them lies not in which requirements they must meet, as these are the same for both categories, but in which supervisory measures and penalties apply. Essential entities will be subject to supervision from the introduction of NIS2, while important entities will be subject to ex-post supervision, meaning that action is only taken if and when authorities receive evidence of non-compliance.
What are the NIS2 fines?
The NIS2 Directive takes a nuanced approach to administrative fines, differentiating between the two types of entities.
Essential Entities:
A maximum of 10,000,000 EUR or 2% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.
Important Entities:
A maximum of 7,000,000 EUR or 1.4% of the total worldwide annual turnover of the undertaking to which the organization belongs in the preceding financial year, whichever is higher.
How can Holm Security help my organization comply with NIS2?
Implementing risk-based cyber security practices is one of the most important areas of NIS and NIS2. Holm Security helps organizations that must comply with NIS and NIS2:
- Perform automated and continuous (systematic) risk assessments.
- Create a proactive approach towards cyber security.
- Implement basic cyber hygiene practices and cyber security training.
- Provide the tools needed to secure the supply chain.
- Help management supervise the implementation of risk management.
- Demonstrate compliance based on data and reports.
Is vulnerability management required for compliance with NIS2?
Under the requirements set out by the EU and local authorities, vulnerability scanning (also called security scanning) is required as part of risk assessment. The National Cyber Security Centre (NCSC) of Ireland and the Swedish Civil Contingencies Agency (MSB) refer to vulnerability management as a key element in compliance with the NIS2 Directive.
When complying with NIS/NIS2, what must we consider regarding our suppliers?
One of the focus areas of NIS2 is securing the supply chain. This means that both your organization and your suppliers must meet the criteria of NIS2 compliance. It is your responsibility to make sure that your suppliers do so.
We’re happy to tell you more about our solutions for securing your supply chain.
I’m a supplier to an organization that must comply with NIS/NIS2 – what should I consider?
What is the difference between NIS/NIS2 and DORA?
The Digital Operational Resilience Act, or DORA, is a European Union (EU) regulation that creates a binding, comprehensive information and communication technology (ICT) risk management framework for the EU financial sector. DORA has many similarities with NIS and NIS2, like the risk-based approach, but is limited to the financial sector, while NIS2 applies to many industries indispensable to society.
Directive & regulation
NIS is a directive, whereas DORA is a regulation.
A directive sets a course and cannot be applied as it stands in every EU Member State. It must first be transposed into the national law of each country.
A regulation, on the other hand, applies unchanged in all Member States as soon as it comes into force. It is a binding legislative act and must be enforced in its entirety.
So, what more is different?
The NIS2 Directive harmonizes the overall level of cybersecurity across the EU. Its goal is to ensure that the companies and organizations most important to the smooth running of our society achieve a high level of digital security.
The DORA regulation aims to strengthen the financial sector's digital operational resilience. Its role is to ensure that financial entities can withstand and operate even during a cyber attack. The availability and integrity of financial services are at the very core of the regulation.
In practice, the two texts complement rather than compete with each other. NIS2 aims to strengthen the overall level of cybersecurity in the EU, while DORA ensures that the financial system remains functional even during a cyberattack.
Download our NIS2 reference guide
We'll Help You Comply with the NIS/NIS2 Directive.
We'll Help You Get Started Instantly.
Getting You Ready for NIS2 Compliance
What Is NIS2 & How Will It Affect Your Organization?
Under the NIS2 Directive, more entities and sectors will be required to take steps that will aid in improving cyber security in Europe. In addition to addressing supply chain security, NIS2 streamlines reporting obligations, introduces stricter supervisory measures, and introduces more enforcement requirements.
How the NIS2 Cyber Security Directive Will Impact You
As part of this webinar, we will be joined by Anders Jonson, a Cyber Security Expert and Senior Advisor at ENISA, who has been involved in the development of NIS2 for the EU.
Lessons on NIS2 Compliance: A Guide to Securing Critical Infrastructure
Discover how to navigate the scope of the NIS2 Directive and comply with the requirements to prevent and respond to cyberattacks.