What is NIS2

Last updated: 2025-05-02

Was this article helpful?

83 of total 85 found this helpful.

NIS2 (Network and Information Security 2) is an EU-wide directive on cybersecurity, it encompasses the security of networks, information systems, applications, software and information. NIS2 goal is to increase the resilience of organizations against cyber attacks. It provides legal measures to boost the overall level of cybersecurity in the EU. It establishes common rules for the states of the European Union and the organizations to which these rules will compulsorily apply. These entities must comply with a number of regulations on network and information security established by the NIS Directive. What they need to do in order to comply with the NIS2 obligations can be summarised in the following ten points:

know what data you have and where and what other assets it depends on (see assets)
know what your weaknesses and risks are, i.e. put in place risk assessment and management
ensure the security and protection of, and access to, data and information
train staff, particularly in cyber security
ensure the security of your IT and information systems - applications, software, hardware and other IT equipment
manage the IT services you buy and the suppliers you use, including cloud services
protect against attacks and know how to respond to attacks and incidents
ensure the recovery of your business and processes in the event of an attack or disaster
implement information security guidelines
ensure the ongoing operation and improvement of the above

It is up to individual countries to decide how to implement the Directive.

The different parts of NIS2 can be visualized in the fish diagram. People and training as the back fin set everything in motion. The policies as the dorsal fin together with the processes fin stabilize the whole system. Data, information, information technology and services are the innards. The risk management system is the brain. Audits and control as the watchful eye. Measures are the head behind which the whole system moves forward.

Who is responsible for NIS2 and what are the risks to organizations if they fail to comply with the law?

The law establishes the direct responsibility of statutory bodies
Failure to comply could result in a fine of up to €10 million or 2% of annual turnover

What organizations must comply with NIS2

The obligations arising from the NIS2 directive apply to operators of essential services in the energy, transport, banking, financial market, infrastructure, healthcare and digital infrastructure sectors. Entities are divided into two basic groups: essential entities and important entities.

Essential entities are all organizations from the following sectors

energy (electricity, district heating and cooling, oil, gas and hydrogen)
transport (air, rail, water and road)
banking and financial market infrastructure
healthcare and production of pharmaceutical and medical devices
drinking water and waste water
digital infrastructure, Internet exchange nodes, DNS service providers, Internet Top Level Domain (TLD) registries
cloud computing service providers, data center service providers, content delivery networks
providers of trust-building services and public electronic communications networks and electronic communications services
public administration
universities

Important entities include those that fall into these industries

postal and courier services
waste management
chemical manufacturing
foodstuffs
production of other medical devices, computers and electronics, machinery and motor vehicles
digital providers (internet marketplaces, internet search engines and social network service platforms)

Basic NIS2 obligations for companies and organizations

Businesses and organizations under NIS2 are obligated to implement, secure and document their information security management processes, technical, and organizational measures. This means implementing appropriate technical, organizational, and educational measures and document it.

Technical measures for NIS2

secure your information systems, applications, software
ensure network security and the security of other technical IT infrastructure
physically secure the technical IT infrastructure
ensure the resilience of the internal network and information systems
introduce detection and evaluation of cyber threats
implement data protection such as backup, encryption or other measures
ensure technical measures to increase network and information security

Process, management and organizational measures for NIS2

implement internal information security processes
to ensure the continuity of services and operation of its information system and applications
record and report every security incident that has a significant impact on the functioning of the organization
carry out a cyber security risk assessment and implement a risk management system
implement appropriate and adequate organizational security measures to increase network and information security

Measures in documentation and training of workers

have security documentation such as a Security Policy
ensure the training of users and employees in the field of information security
provide documentation to demonstrate compliance with NIS2

NIS2 compliance documentation

Therefore, each organization must implement measures and maintain adequate documentation about it so that it can demonstrate compliance with NIS2. As an integrated risk management and compliance management system with NIS2, Aptien will help with complete compliance documentation management, incident information management, and managing your measures that follow audit findings, risk analysis, or arise from specific incidents.

management of security guidelines
documentation of information security management processes
awareness and training of employees and other workers with security guidelines
maintaining a register of information assets and IT infrastructure
IT infrastructure documentation
security documentation of the applications and software used
documentation of technical and organizational measures to increase network and information security
maintaining a register of cyber security risks, threats and vulnerabilities
registration and management of incidents
management of audits
management of measures and continuous improvement

Keeping records of your assets - information and IT equipment

maintaining information about your primary assets and their dependencies on supporting assets
maintaining information and documentation on your supporting assets, IT equipment and infrastructure
documentation security of applications and software used
maintaining information about IT services and their suppliers
keeping documentation of stored backups, test plans and maintenance

Management of primary and supporting assets for NIS2

Introducing a risk management system into the organization

maintaining a risk register in accordance with the requirements of the Cyber Security Act
maintaining an overview of threats and vulnerabilities
maintaining an overview of primary and supporting assets and their context

Process support

maintaining information about your employees' permissions and access
an overview of who has access to where and why (who has what key or access card)
digital handover of keys and cards to employees with a simple app
maintaining information about the access and permissions of your employees and suppliers
documentation of your processes around information security management

Security Incident Logging

records and incident handling (incident management and response)

Managing your suppliers

maintaining information on service providers
maintaining information on suppliers' methodology
maintaining information about your employees' access to services (e.g. cloud services)
maintaining information on the security of purchased services