Definition and purpose

The primary purpose of NIS2 is to strengthen the security requirements, expand the scope of sectors and services covered, and enhance cooperation among member states. It aims to ensure that critical and important entities adopt appropriate measures to manage cybersecurity risks, report incidents, and secure their network and information systems against cyber threats.

Governing Body

NIS2 is governed by the European Union, with oversight and implementation managed by national regulatory authorities within each member state. The European Union Agency for Cybersecurity (ENISA) plays a significant role in supporting the directive's implementation.

Last updated

NIS2 was adopted by the European Parliament in 2022. The implementation and transposition into national law by EU member states are ongoing, with a set deadline for full compliance.

Applies to

NIS2 applies to a broad range of sectors that provide essential and important services, including:

• Energy
• Transport
• Banking
• Financial market infrastructures
• Health sector
• Drinking water supply and distribution
• Digital infrastructure
• Public administration
• Space

Additionally, it includes digital service providers such as online marketplaces, online search engines, and cloud computing services.

Controls and requirements

NIS2 includes several key requirements, including:

• Risk Management Measures: Entities must implement appropriate and proportionate technical and organizational measures to manage risks posed to the security of network and information systems.
• Incident Reporting: Entities must notify the relevant national authority of any significant incidents without undue delay.
• Security Policies: Adoption and implementation of comprehensive security policies covering risk management, incident handling, business continuity, and crisis management.
• Supply Chain Security: Measures to assess and ensure the security of supply chains and service providers.
• Cooperation and Information Sharing: Participation in information-sharing networks and cooperation with other entities and national authorities.
• Audit and Compliance: Regular audits and assessments to ensure compliance with NIS2 requirements.

For a complete list of controls and requirements, please refer to the official NIS2 documentation.

Audit type, frequency, and duration

Audits for NIS2 compliance typically involve assessments by national regulatory authorities or external auditors. These audits may include reviews of cybersecurity policies, procedures, incident response plans, and technical controls. The frequency of audits is determined by national regulatory authorities, but regular audits are expected to ensure ongoing compliance with NIS2 requirements.

The duration of an audit depends on the size and complexity of the organization, the scope of services provided, and the depth of the audit.