Disclosure

The information provided on this webpage is intended for general informational purposes only and should not be construed as legal advice. For specific advice related to compliance with NIS2 or other legal matters, please consult with a qualified legal professional or regulatory expert. Darktrace makes no warranties or representations regarding the accuracy, reliability, or completeness of the information provided and accepts no responsibility for any errors or omissions. Any reliance you place on such information is strictly at your own risk. This document may contain links to external websites or resources for additional information. Darktrace does not endorse or assume responsibility for the content, privacy practices, or any other aspect of these external sites. For further details on NIS2 compliance and obligations, please refer to the official EU legislation or consult with your regulatory body.

What Is the NIS2 Directive?


NIS2 stands for Network and Information Security (NIS) 2 Directive, which aims to strengthen cybersecurity across the European Union by ensuring essential and important entities implement appropriate measures to manage risks to their network and information systems.

In January 2023, the European Parliament introduced NIS2 as a successor to the original Network and Information Security (NIS) Directive. By October 17th 2024, all member states needed to implement national legislation to comply with this European Directive - a process currently ongoing.

NIS2 affects both public and private entities providing critical services or products. The measures seek to prevent or reduce the impact of incidents on service recipients and interconnected services.

For a comprehensive guide to NIS2 download the Darktrace NIS2 resource kit here.

What’s the Purpose of the NIS2 Directive?

The primary purpose of the NIS2 Directive is to establish a unified, higher level of cybersecurity resilience across the EU. Though its objectives remain the same as those of the original Directive, NIS2 aims to remove that Directive's limitations through several core goals:

  • Move away from the legacy OES and DSP definitions and instead widen and standardize the scope of entities covered.
  • Improve and introduce consistency in the security requirements, reporting process, and sanctions across nations and company types.
  • Tighten cooperation and collaboration across member states and agencies for broader awareness.
  • Ensure member state preparedness by requiring each state to be appropriately equipped with a Computer Security Incident Response Team (CSIRT) and a relevant national information security authority, so that it can take part in national and international incident response to a large-scale threat.

NIS2 also addresses the shortcomings of the original NIS Directive by resolving inconsistencies in its implementation across member states. Its overarching goal is to protect critical infrastructure and services, ensuring a coordinated, effective response to incidents that could disrupt the EU economy and society.

NIS2 Requirements

To strengthen Europe’s defense against evolving cyber threats, the NIS2 Directive establishes new obligations for organizations across four key areas: risk management, corporate accountability, reporting obligations, and business continuity.

Risk assessment management

Organizations must implement measures to reduce cyber risks, including incident management, supply chain security, network protection, access control, and encryption.

Corporate accountability

NIS2 mandates that corporate management be directly involved in overseeing and approving cybersecurity strategies. They must also receive cybersecurity training, with potential penalties for non-compliance, including personal liability and temporary bans from management roles.

Reporting obligations

Entities must establish procedures for promptly reporting significant security incidents. The Directive sets strict timelines, including a 24-hour early warning for major incidents.

Business continuity

Organizations are required to develop plans for maintaining operations during cyber incidents, covering system recovery, emergency protocols, and establishing a crisis response team.

Difference between NIS and NIS2

The NIS2 Directive introduces significant additional measures to the requirements of the original NIS Directive, expanding its scope, enhancing security measures, and strengthening enforcement. Key differences include:

  • Expanded Scope: NIS focused on "operators of essential services" (OES) and certain "digital service providers" (DSPs) in sectors like energy, banking, and healthcare. NIS2 broadens this scope to cover 18 sectors, including new areas like public administration, space, and food production. It also introduces a two-tier system, distinguishing between essential entities (EE) with stricter obligations and important entities (IE), both requiring strong cybersecurity but with varying degrees of enforcement.
  • Stricter Security Requirements: NIS required general security measures, but NIS2 establishes more specific, prescriptive obligations. These include risk management strategies, incident response plans, and stronger supply chain security.
  • Incident Reporting: NIS2 tightens incident reporting standards. While NIS had vague guidelines for reporting significant incidents, NIS2 clarifies these criteria, including service disruption and economic or societal impact. It introduces a stricter reporting timeline—an initial notification must be submitted within 24 hours of becoming aware of an incident, followed by a detailed report within 72 hours of becoming aware of an incident, and a final report within a month of the incident notification submission.
  • Improved Collaboration: NIS2 enhances cross-border cooperation by establishing the European Cyber Crisis Liaison Organization Network (EU-CyCLONe), which facilitates coordinated responses during large-scale cyber incidents. This new Cooperation Group strengthens information sharing and preparedness across member states, addressing the fragmented approach seen under NIS.
  • Stronger Enforcement and Penalties: NIS2 introduces harsher penalties for non-compliance, with fines up to the greater of (i) €10 million or (ii) 2% of global annual turnover for essential entities; and up to the greater of (i) €7 million or (ii) 1.4% of turnover for important entities. It also aims to improve the consistency of enforcement by giving national authorities clearer oversight and enforcement mechanisms.

NIS2 represents a major evolution from NIS by expanding its scope, imposing stricter security and reporting obligations, improving collaboration across borders, and enforcing stronger penalties to boost the EU’s cybersecurity resilience.

NIS2 Cybersecurity Measures and Duties Checklist

“Duty of Care” - A moral and legal obligation to ensure safety, trust, and a dedicated effort towards security measures.

Article 21 of NIS2 refers to a number of “appropriate measures” which entities subject to NIS2 should consider implementing as they assess their compliance with its requirements. These include the following:

  1. Develop policies on risk analysis and for information system security.
  2. Establish dedicated incident handling processes.
  3. Put business continuity measures in place. These should include backup management, disaster recovery, and crisis workflows.
  4. As part of an internal risk assessment, address supply chain security, including the security relationships between organizations and any direct suppliers or service providers.
  5. Prioritize security in network and information systems acquisition, development, and maintenance. Ensure you practice vulnerability handling and third-party disclosure.
  6. Implement policies and procedures to assess the effectiveness of cybersecurity risk-management measures.
  7. Have active cyber hygiene practices and cybersecurity training.
  8. Provide procedures regarding the use of cryptography and encryption where relevant.
  9. Develop security around human resources, including access control policies and asset management.
  10. Use multi-factor authentication or continuous authentication solutions.
  11. Where appropriate, utilize secured voice, video, and text communications.

By requiring organizations to implement appropriate practices, NIS2 will help ensure that businesses and customers receive continuity of both their operations and services, and protect the information that flows between them.

Essential and Important Entities Under the NIS2 Directive

The NIS2 Directive covers 18 sectors and classifies in-scope organizations within them into two categories: essential and important entities. While both groups are subject to the same cybersecurity requirements, they differ in how they are supervised and penalized for non-compliance.

Essential Entities

Essential entities are organizations in highly critical sectors, such as energy, transport, banking, healthcare, and digital infrastructure. These include:

  • Organizations with over 250 employees, annual revenue exceeding €50 million, or a balance sheet of over €43 million.
  • Providers of public electronic communications networks or services with 50-250 employees or over €10 million in revenue.
  • Trust service providers, top-level domain (TLD) registries, and DNS service providers, regardless of size.
  • Public administration entities and any other organization where service disruption would have a significant societal impact.

‘Essential’ – Companies with the most significant impact on society and business if compromised by a cyber attack. They are subject to potentially higher sanctions and receive both ongoing and post-incident supervision to ensure they are in compliance with NIS2.

Important Entities

‘Important’ – Organizations that could cause damaging impacts to society if they are victim to a cyber attack. As compared to ‘essential’ entities, they are subject to high but slightly lower sanctions and receive only post-incident supervision on their compliance status.

Examples include:

  • Postal and courier services.
  • Waste management
  • Manufacturers of chemicals, food, and medical devices.
  • Digital service providers such as online marketplaces, search engines, and social media platforms.

By default, NIS2 does not apply to the smallest enterprises with fewer than 50 employees and less than a €7 million turnover; however, national authorities are empowered to include them on an individual basis if they provide an important service. As a best practice, and regardless of their size, all organizations within the NIS2 sectors should consider whether to follow its guidance.

What Are the Penalties for NIS2 Non-Compliance?

The NIS2 Directive introduces a clear framework for penalties to address non-compliance, which can include non-monetary remedies, administrative fines, and even criminal sanctions. These penalties apply to both essential and important entities for failures such as not meeting cybersecurity requirements or not reporting incidents.

For essential entities: penalties can reach up to €10,000,000 or 2% of the company's total global annual turnover from the previous fiscal year, whichever amount is greater.
For important entities: penalties can be as high as €7,000,000 or 1.4% of the total global annual turnover of the company from the previous fiscal year, whichever amount is greater.

How to Prepare for NIS2 Compliance


If your company falls under the scope of the NIS2 Directive, it's essential to start preparing for compliance as soon as possible. Here are some suggested key steps to help your organization get ready:

1. Determine if your company is covered

The first step is to assess whether your company is subject to the NIS2 Directive: determine whether you operate in a critical sector or provide services to organizations that do, and then determine whether you hold ‘essential’ or ‘important’ status under the guidelines laid out by NIS2.

2. Map your business processes

After confirming coverage, invest time in assessing your IT infrastructures, tooling, and how data is stored and shared.

3. Risk assessment

Perform a comprehensive internal risk assessment to identify current and future vulnerabilities, including supply chain risk.

4. Develop an Implementation and Maintenance Plan

Develop an organizational cyber security strategy to plan ahead for NIS2 ‘duty of care’ obligations, and assess how NIS2 interacts with other relevant legislation such as GDPR.

Consider the unique needs of your employees – to ensure that any new practices or hires enhance security without hindering business operations. Prioritize employee education on NIS2.

5. Implement Security Measures

Develop or improve your existing incident response and recovery workflows to ensure they fulfill NIS2 requirements, and register with your national authority before 17th April 2025.

How Darktrace can help your business with NIS2 compliance


Darktrace helps organizations implement measures following the NIS2 Directive.

The NIS2 Directive encourages the use of artificial intelligence, machine learning, and automation, which are central to Darktrace’s cyber security approach. Specifically, the Darktrace ActiveAI Security Platform™ leverages detailed insights into external and internal IT assets to understand and advise on risk management and enable proactive and automated protection techniques.

Visibility and incident reporting are two key aspects of the NIS2 directive. For more information on how Darktrace aids in providing security teams support with improved visibility and incident reporting, download the NIS2 Guide.
