Lansweeper gives IT and security a shared view of every asset in scope, so NIS2 requirements are backed by defensible evidence, incidents are investigated with accurate asset data, and supervisory audits don’t require a sprint to prepare for.
NIS2 Directive
Ensure your organization remains compliant with the EU’s NIS2 Directive as well as your country’s NIS2 legislation and meets ongoing cybersecurity, reporting, and audit obligations.
On the 17th of October 2024, the European Union implemented its NIS2 directive. Unlike most cybersecurity frameworks, this one is not optional. All member states have transposed the directive into their national law. Enforcement has begun and is set to ramp up in 2026, and the fines for non-compliance are steep.
The NIS2 Directive is EU-wide cybersecurity legislation meant to boost the overall cybersecurity of the EU. Every member state has converted the directive into national law. NIS2 replaces the first NIS (Network and Information Security) Directive that was introduced in 2016. It is much broader in scope and has been updated to keep up with increased digitization and the evolving threat landscape.
Each member state has implemented this directive into their own national laws. As such, requirements may vary between countries, including reporting timelines, formats, supervisory authorities, and enforcement practices.
It’s crucial to mark your calendar for critical implementation dates. While most of the deadlines set by the EU have since passed, national laws are taking effect everywhere. Make sure to keep your eye on enforcement dates set by your national government. Supervisory authorities are ramping up oversight. In many countries, enforcement actions and compliance checks are accelerating throughout 2025–2026. Make sure that you can prove compliance at any moment and be prepared for audits or reporting deadlines.
By 17 July 2024 and every 18 months thereafter, EU-CyCLONe* shall submit to the European Parliament and to the Council a report assessing its work.
*The European Cyber Crises Liaison Organisation Network
By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS 2 Directive.
Member States will apply the measures they have published.
The Cooperation Group will establish, with the assistance of the Commission and ENISA, and, where relevant, the CSIRTs network, the methodology and organisational aspects of peer reviews.
Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and update that list on a regular basis and at least every two years.
By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.
By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.
The scope for NIS2 is much wider than it was for the NIS1 directive. Make sure to check if you are in scope, even if you weren’t before. A company is in scope if it operates in one of the (sub)sectors and types of services listed below AND is of a certain size.
Even if you don’t fall into the scope, it is still advisable to try and follow the NIS2 security requirements. They are a good guideline for increasing your cybersecurity and risk-management strategies.
Under the NIS2 regulation, all member states are in charge of ensuring the compliance of all companies in the scope of the directive. To do so they have several tools at their disposal. These range from simple requests for information, data, or evidence of implementation of cybersecurity policies, to regular or ad-hoc audits, to on-site inspections and off-site supervision, including random checks, all carried out by competent authorities.
If a company is found to be in infringement of the NIS2 Directive, member states will impose administrative fines. These fines are supposed to be effective and dissuasive, but also take into account the circumstances of each individual case. Fines also depend on whether the company is considered an essential or an important entity.
How it works
Discover every asset, understand what’s at risk, and push trusted data to the tools that take action.
Continuously discover and classify every asset across IT, OT, cloud, and IoT — managed, unmanaged, and shadow — without manual effort.
Normalize and apply context, vulnerability data, and lifecycle signals to assess risk, forecast spend, and surface optimization opportunities.
Deliver trusted asset intelligence to ITSM, CMDB, and security tools so actions are accurate, scoped, and prioritized.
The NIS2 Directive is comprehensive EU-wide cybersecurity legislation designed to enhance overall cybersecurity within the European Union. It replaces the initial NIS Directive introduced in 2016, offering a broader scope to address the challenges posed by increased digitization and evolving threat landscapes.
Organizations under NIS2 must implement “appropriate and proportionate technical, operational, and organizational measures” to manage cybersecurity risks and minimize the impact of incidents on their services and recipients.
A company is in scope if it operates in one of the (sub)sectors and types of services listed below AND is of a specific size.
Below is an overview of all sectors included in the NIS2 scope. The sectors in bold are newly added and didn’t fall under the scope of the first NIS directive but are included under NIS2.
The NIS2 Directive applies to any large and medium-sized entities in the sectors listed above.
Most small or micro enterprises are excluded from the scope of the NIS2 Directive.
Exceptions: Each member state will determine certain small enterprises and micro-enterprises that fulfill “specific criteria that indicate a key role for society, the economy, or for particular sectors or types of service to fall within the scope of this Directive.” Again, this is up to the member states to determine, so keep an eye on your country’s legislation for more details.
If your organization is not established in the EU but offers services within the EU, NIS2 still applies to you under the same rules listed above. In that case, you are required to designate a representative in the EU. You will do so in one of the member states where your services are offered. You will then be considered under that member state’s jurisdiction.
If you fail to establish a representative, any member state where you offer your services can take legal action against your organization for infringement of the NIS2 Directive.
Essential Entities
Essential entities may face administrative fines of either a maximum of at least EUR 10,000,000 or at least 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
Important Entities
Important entities may be subject to administrative fines of either a maximum of at least EUR 7,000,000 or at least 1.4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
NIS2 imposes strict timelines for reporting significant incidents to national authorities. When an incident occurs, Lansweeper enables rapid identification of impacted assets, giving teams an accurate picture of blast radius, affected systems, and configuration states at the time of the incident. This accelerates evidence-gathering for initial notification deadlines and supports the detailed technical reporting required in follow-up submissions.
NIS2 requires organizations to implement appropriate technical and operational measures to manage cybersecurity risks, and to demonstrate those measures when supervisory authorities ask. Lansweeper provides the continuously validated asset intelligence that makes this possible: complete discovery across IT, OT, IoT, and cloud environments; patch status, encryption, and configuration states; and on-demand audit-ready reporting that holds up under external examination.