Are you ready for NIS 2?

Inconsistent application across Member States

Current implementation of the prior NIS Directive has led to differences in local requirements (e.g., expected measures, in scope sectors) creating uncertainty and inefficiencies for organizations operating across Member States.

Weak enforcement by Member States

Under the previous NIS Directive, fines and penalties were rarely presented to supervised organizations. This has had a negative effect on the attention, rigor and priority given to cyber resilience.

Limited set of sectors

COVID-19 and increased digitization required expansion of critical and important sectors.

Lack of joint response

NIS 2 increases the expectations on Member States, including national Computer Security Incident Response Teams (CSIRTs). In the past, there were gaps identified for cross Member State responses to cyber threats and incidents.

Harmonization of minimum expectations

NIS 2 creates a minimum baseline of expectations for organizations and Member States to uphold, including management involvement, supply chain security and incident management (including the Lex Specialis principle).

New enforcement mechanisms incl. fines

Expansion of supervisory powers to strengthen attention to cyber resilience including fines of up to 2% of turnover or €10 million.

Expansion of included sectors and entities

Additional sectors are included in scope of the directive, including simplification of applicability using minimum thresholds based on size of the organization.

NIS 2 is applicable to all companies in EU where: 

• There is a minimum of 50+ employees and annual turnover and/or balance sheet is €10 million
• Services are provided within the EU
• Services are provided as defined in Annex I & II of NIS 2 Directive

New & strengthened pan-European cooperation

New networks and structures are proposed to handle cross-European incidents, themes and threats (including union level supply chain assessments).