The Network and Information Systems Directive 2 (NIS 2) is a 2023 EU legislative framework, aimed at enhancing the cyber security and resilience capabilities of in-scope organisations operating within the European Union (EU). It builds upon and clarifies the original NIS Directive, introduced in 2016 and enforced from 2018, and organisations that need to comply with NIS 2 must implement its requirements by 17 October 2024.
Who needs to comply with NIS 2?
NIS 2 is applicable to organisations operating in the EU that are classified as operators of essential services (OESs) or relevant digital service providers (RDSPs), i.e., organisations that contribute towards critical infrastructure and provide essential services. Industries that are in scope of the Directive include water, energy, transportation, healthcare, search engines and social media platforms, to name but a few.
Organisations operating in the UK only, and not in the EU, will not need to comply with NIS 2, as, unlike the Directive’s previous iteration, it has not been implemented into UK law. However, the UK government is expected to release its own NIS update at some point in 2024.
URM can leverage nearly 2 decades of experience assisting organisations to comply with applicable information security, business continuity, data protection and cyber security regulations and standards to help you identify where your organisation is and is not meeting the Directive’s requirements, and how to close any compliance gaps.
What are the requirements of NIS 2?
If your organisation falls within the scope of NIS 2, it will be required to implement appropriate technical, operational and organisational measures (based on an all-hazards approach) to manage the risks posed to your networks and information systems. Measures also need to be implemented to prevent or minimise the impact of incidents on users of your services and on other services, with a view to preserving the continuity of these services. You will also need to report to the relevant competent authority any incidents that significantly impact the delivery of your essential services. Noncompliance with the Directive can lead to enforcement action from the designated competent authority, including monetary penalties and even criminal sanctions on senior management.
NIS Directive vs NIS 2
NIS 2 is aimed at strengthening the security of network and information systems across the European Union. It was adopted to address the evolving landscape of cybersecurity threats and build upon the original NIS Directive, which was the first piece of EU-wide cybersecurity legislation. The NIS 2 Directive extends the scope, requirements, and enforcement mechanisms to ensure that key sectors implement appropriate cybersecurity measures.
Expanded Scope and Coverage
Broader Sectoral Coverage:
NIS 2 applies to a wider range of sectors, such as public electronic communications networks or services providers, social media platforms, data centres, postal services, public administration, and more.
Simplified Scoping:
NIS 2 introduces a simpler scoping exercise to determine if an organisation is in scope. Now, any large (250+ staff and €50m+ annual turnover) or medium (50+ staff and €10m+ annual turnover) organisation operating in any of the specified sectors and in the EU will need to comply with the Directive. Small and micro-organisations are largely exempt, with some exceptions.
Strengthened Cyber Security and Risk Management Requirements
The latest version of the NIS Directive sees the introduction of tighter requirements for in-scope organisations, particularly regarding supply chain security, which is a key focus point of NIS 2. NIS-compliant organisations will now be expected to address cybersecurity risks in their supply chains, and within supplier relationships. As such, even organisations that are not in scope of the Directive, but have clients that are, may be affected by this update.
New Categorisation Approach
The Directive introduces a new approach to classifying organisations, removing the distinction between operators of essential services (OESs) and relevant digital service providers (RDSPs), and replacing these with ‘important entities’ and ‘essential entities’. Whether an organisation is categorised as ‘important’ or ‘essential’ will depend on its size, and on whether it falls within a ‘critical’ or ‘very critical’ sector. Entities in both categories need to meet the same requirements, but will be subject to different supervisory measures and penalties for noncompliance.
Increased Oversight and Enforcement
NIS 2 introduces more stringent supervisory measures for the national competent authorities, as well as harsher penalties for noncompliance. For organisations classified as ‘essential entities’, noncompliance can lead to administrative fines of up to €10m, or at least 2% of the organisation’s annual turnover for the previous year – whichever is higher. ‘Important entities’ can face up to €7m or at least 1.4% of the previous year’s annual turnover (again, whichever figure is higher).
Incident Reporting Requirements
There is a new timeline for reporting incidents in NIS 2, which aims to balance the need for both swift and for in-depth reporting when an incident occurs. Under the new Directive, organisations are required to notify the competent national authorities of any significant cybersecurity incidents that could disrupt the services they provide, taking the following approach:
- Initial report within 24 hours after detecting an incident.
- A full incident report, provided within 72 hours.
- A final report, issued within 1 month of the incident.
Management accountability
Under NIS 2, an organisation’s senior management (C-suite, board members, etc.) is accountable for ensuring the organisation is compliant with the Directive's requirements. This means there must be direct involvement from senior leadership in overseeing cyber security practices and risk management activities. In the event of noncompliance with the Directive, senior management can be held personally liable.
Why URM for NIS 2?
Whether your organisation is looking to transition an existing NIS Directive compliance framework to the new requirements in NIS 2, or if you are one of the many organisations that were not in scope of the original Directive but need to comply with this latest iteration, URM is ideally placed to support you.
Since 2005, we have supported over 400 conformance/certification projects to a range of management system standards, in particular to ISO 27001, the International Standard for Information Security Management Systems (ISMSs), and to ISO 22301, the International Standard for Business Continuity Management Systems (BCMSs). In addition, URM is highly experienced in supporting organisations’ compliance with legal and regulatory frameworks, including data protection legislation such as the General Data Protection Regulation (GDPR).
Meanwhile, as a CREST-accredited organisation, we are also adept at delivering penetration testing, providing us with an in-depth understanding of vulnerability identification and remediation, and cyber security best practices in general. In our capacity as an accredited certification body for the Cyber Essentials scheme, and as an Assured Service Provider under the National Cyber Security Centre’s (NCSC’s) Cyber Advisor scheme and Cyber Incident Exercising scheme, we have helped countless organisations enhance their cyber security posture, offering advice and guidance that is fully aligned with the NCSC’s high standards.
This unique combination of governance, risk and compliance and cyber security expertise means that URM possesses the ideal knowledge and experience to help your organisation achieve and/or maintain compliance with NIS 2.