NIS2 Directive: What you need to know to make your business compliant!

The NIS2 Directive (Directive (EU) 2022/2555) is an updated and extended version of the original NIS Directive adopted by the EU in 2016. EU member states had to transpose it into national law by 17 October 2024; it must be implemented by October 24, 2024 in Norway and by January 1, 2025 in Sweden. The purpose of the directive is to achieve a high common level of cybersecurity across the EU and to protect critical infrastructure that is essential to the functioning of society and the economy. NIS2 introduces a number of new requirements and standards to meet the ever-increasing level of cyberthreats we encounter today. Non-compliance can be fined with up to €10 million or 2% of global annual turnover for essential entities, and up to €7 million or 1.4% for important entities, whichever amount is higher. Read how NIS2 will affect your business and what measures you need to take to avoid the risk of being fined.

NIS2 has a significantly extended scope: it covers more industries and more company sizes, and it sets jurisdiction rules that determine which member state supervises an entity, including a requirement for certain non-EU providers to designate a representative in the EU.

The directive expands the affected industries to include, among others:

  • The energy sector (such as electricity, oil and gas)
  • The transport sector (aviation, rail, maritime and road transport)
  • The banking and finance sector (including insurance and payment systems)
  • The healthcare sector (hospitals, private clinics, laboratories)
  • Water supply and sewage
  • Digital infrastructure (internet service providers, data storage, cloud services)
  • Public administration (central and regional authorities)

The directive's annexes also list sectors such as ICT service management, space, postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research.

Does NIS2 apply to you?

The directive not only requires large companies to comply with new security standards, but also many small and medium-sized businesses (SMBs) operating within the aforementioned critical sectors. The requirements apply in particular to companies in those sectors that meet at least one of the following criteria:

  • Have 50 or more employees
  • Have an annual turnover or annual balance sheet total exceeding €10 million
  • Are important for critical supply chains or services (such entities can be in scope regardless of size)

NIS2 further divides in-scope organisations into essential and important entities; essential entities are subject to stricter supervision and higher maximum fines.

The directive applies to all businesses that provide services or carry out activities within the EU, regardless of whether or not the business is based in the EU. This means that international businesses that supply services to the EU market also need to comply with NIS2 requirements. Key points include:

  • All EU member states must implement the directive in national legislation.
  • Businesses outside the EU that offer services to customers in the EU must comply with NIS2 requirements, and certain providers must designate a representative established in the EU.

What new requirements and standards do you have to adhere to?

  • You need to regularly conduct risk assessments to identify and analyse risks that may affect the security of your network and information systems. On the basis of the risk assessment, you need to ensure that appropriate measures are developed and implemented.

  • You need to implement a cyber security policy covering organisational and technical measures to protect your network and information systems. Such measures must be proportionate to the level of risk identified through the risk assessments.

  • You need to establish procedures to detect, manage and report security incidents. You need to have the ability to quickly identify and respond to security incidents and initiate recovery measures to reduce the impact on systems and services. For significant incidents the directive sets fixed deadlines: an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.

  • The development and maintenance of continuity and recovery plans for services is also required. This entails having backup management, disaster recovery and crisis management processes in place to ensure rapid recovery of critical functions during and after incidents.

  • You need to consider security in the supply chain. This entails ensuring that your suppliers and partners have adequate security measures in place and are able to manage cyber security risks effectively, and that security requirements are reflected in your contracts with them.

  • You also need to ensure that employees working with critical functions receive proper cyber security training, and that basic cyber hygiene practices are in place. Management bodies must approve the security measures and oversee their implementation, and can be held liable for breaches. Promoting an organisational culture that is conscious of cyber security is also recommended.

  • The use of cryptography and, where appropriate, encryption to protect data during storage and transmission is a requirement. The organisation needs to ensure that appropriate, up-to-date cryptographic technologies are used to protect the confidentiality and integrity of data. The directive also calls for multi-factor or continuous authentication solutions and secured voice, video and text communications where appropriate.

  • You also need to ensure that security is integrated throughout the entire life cycle of the systems and applications, from acquisition and design to decommissioning. This also entails vulnerability handling and disclosure, and ensuring that systems are regularly updated and maintained to defend against new threats.

In addition to the NIS2 Directive, the EU is also implementing several other important regulations to strengthen digital security and govern new technologies. The CER Directive (Critical Entities Resilience Directive) focuses on improving the resilience of critical entities against both physical and digital threats, while the AI Act establishes rules for the use and development of artificial intelligence to ensure that AI systems safeguard and respect fundamental rights. These measures complement NIS2 and reflect the EU's comprehensive approach to managing challenges in the digital landscape.

    Read more about the NIS2 Directive here: https://www.nis-2-directive.com

    Want to know more?

    Get in touch for a non-binding chat about how you can use our services and IT solutions to optimise and streamline your business!


    Webinar

    Modern cloud-based SaaS services for critical infrastructure

    See also the webinar "Modern cloud-based SaaS solutions for critical infrastructure" delivered by Embriq Product Director Jens Haug and Principal Security Strategist at AWS, Paul Ahlgren. Here, you can learn more about how current and upcoming requirements for security and compliance, including the NIS2 Directive, can be met.

    Contacts

    • Jens Haug

      Director Products and Platforms

      (+47) 913 61 495
