Support for NIS2 compliance

Simplify your compliance journey. We guide you step by step to meet the requirements of the new NIS2 Directive, while strengthening your cybersecurity resilience!

01

What is the NIS Directive?

The NIS Directive stands for Network & Information Security. Its purpose is to strengthen digital security measures in response to the growing number of cyberattacks, by establishing a common framework across all European Union member states. As such, the Directive applies at the European level.

02

Since when has the NIS2 Directive been applicable?

The NIS2 Directive succeeds NIS1 and has been applicable since October 2024.

03

What is the difference between NIS1 and NIS2?

Compared to NIS1, the NIS2 Directive is much stricter, with enhanced security measures, risk management plans, penetration testing, mandatory incident reporting, and additional governance requirements. While NIS1 applied to Operators of Essential Services (OES) and Digital Service Providers (DSPs), the focus has now shifted to Important Entities (IEs) and Essential Entities (EEs). Penalties for non-compliance are also significantly higher.

04

Which organizations are affected by NIS2?

NIS2 applies to entities considered Essential Entities (EEs) and Important Entities (IEs). It therefore affects thousands of companies, organizations, and their subcontractors.

Here is the list of affected sectors:

→ Healthcare institutions
→ Public administration
→ Banking
→ Transport and space
→ Energy
→ Drinking water and wastewater supply
→ Digital infrastructure
→ Waste management
→ Industry & chemicals
→ Agri-food
→ Telecommunications and social media platforms
→ Digital service providers
→ Postal services

Within these sectors, only organizations with more than 50 employees and/or an annual turnover exceeding €10 million are in scope.

Some exceptions to this threshold apply: trust service providers, DNS service providers, top-level domain name registries, providers of public or publicly accessible electronic communications networks and services, and public administrations.

05

How can you prepare for NIS2?

1. Train the entire executive committee to ensure the leadership team is fully accountable

2. Identify all your digital risks

3. Implement a risk management plan

4. Integrate the supply chain into your prevention strategy

5. Establish clear procedures to be prepared in the event of cyberattacks

06

What are the 3 phases of compliance for risk analysis?

Phase 1: Scoping, Assessment & Risk Analysis

Scoping and assessment of the current situation: understanding the context, scope, objectives, and stakeholders involved in the implementation of the ISMS (Information Security Management System). Establishment of a maturity assessment of the available documentation corpus, along with a risk analysis.

Phase 2: Documentation Upgrade

Identification and improvement of documentation considered “unsatisfactory”, known as the “build” phase. Correction, completion, and refinement of documentation to meet the requirements of the NIS2 regulation.

Phase 3: ISMS Implementation (Run) and Audit (if required)

Implementation of the regulation, known as the “run” phase, and execution of a mock audit at the client’s request. Verification of the following points:
• The directive is properly implemented and meets all regulatory requirements.
• Procedures are adopted by teams and aligned with operational realities (correlation with the context and scope).
• Continuous improvement of cybersecurity is effectively in place.
• The evidence required by the NIS2 regulation is properly produced.

07

What are the penalties for non-compliance with NIS2?

For Essential Entities (EEs): €10 million or 2% of annual turnover.

For Important Entities (IEs): €7 million or 1.4% of annual turnover.