
Prepare for NIS2 Compliance

On the 17th of October 2024, the European Union will be implementing its NIS2 directive. Unlike most cybersecurity frameworks, this one is not optional. All member states will transpose the directive into their national law and the fines for non-compliance are steep.

  • The first step in regulatory compliance is knowing what you have.
  • Gain complete visibility of your IT estate with Lansweeper.

What is the NIS2 Directive?

The NIS2 Directive is an EU-wide cybersecurity legislation. Every member state is required to convert the directive into national law to boost the overall cybersecurity of the EU. NIS2 replaces the first NIS (Network and Information Security) Directive that was introduced in 2016. It is much broader in scope and has been updated to keep up with increased digitization and the evolving threat landscape.

Each member state is responsible for transposing this directive into national law. As the deadline of 17 October 2024 approaches, make sure to pay attention to any communication surrounding NIS2 from your government.

Critical NIS2 Deadlines Ahead

  • By 17 October 2024, Member States are required to adopt and publish measures in compliance with the NIS2 Directive.
  • The following day, on 18 October 2024, these measures will apply.

It’s crucial to mark your calendar for the subsequent dates as well: By 17 April 2025, the listing of essential and important entities will be established, and by 17 October 2027, the NIS2 Directive will undergo its first review. Stay prepared for these milestones to ensure compliance with the evolving cybersecurity framework.

  • 17 Jul, 2024 – Start EU-CyCLONe Assessment Reporting

    By 17 July 2024 and every 18 months thereafter, EU-CyCLONe* shall submit to the European Parliament and to the Council a report assessing its work.

    *The European Cyber Crises Liaison Organisation Network

  • 17 Oct, 2024 – Publication of National Measures

    By 17 October 2024, Member States must adopt and publish the measures necessary to comply with the NIS2 Directive.

  • 18 Oct, 2024 – Application of National Measures

    Member States will apply the measures they have published.

  • 17 Jan, 2025 – Establishment Peer Reviews

    The Cooperation Group will establish, with the assistance of the Commission and ENISA, and, where relevant, the CSIRTs network, the methodology and organisational aspects of peer reviews.

  • 17 Apr, 2025 – Listing of Important and Essential Entities

    Member States shall establish a list of essential and important entities as well as entities providing domain name registration services. Member States shall review and update that list on a regular basis and at least every two years.

    By 17 April 2025 and every two years thereafter, the competent authorities shall notify the Commission and the Cooperation Group of the number of essential and important entities for each sector.

  • 17 Oct, 2027 – Start NIS2 Directive Review

    By 17 October 2027 and every 36 months thereafter, the Commission shall review the functioning of this Directive, and report to the European Parliament and to the Council.

Webinar: NIS2 Directive Legislation

Watch our webinar as we dissect specific articles from the legislation, providing tangible insights on how to prepare and navigate the complex terrain of NIS2 compliance.

  • What is NIS2?
  • How will NIS2 be implemented?
  • How Lansweeper can help you prepare for NIS2 compliance
  • Q&A

Scope – Does NIS2 apply to your organisation?

The scope of NIS2 is much wider than that of the first NIS directive. Make sure to check whether you are in scope, even if you weren’t before. A company is in scope if it operates in one of the (sub)sectors and types of services listed below AND is of a certain size.

Even if you don’t fall into the scope, it is still advisable to try and follow the NIS2 security requirements. They are a good guideline for increasing your cybersecurity and risk-management strategies.

The Impact of Non-compliance

Audits

Under NIS2, each member state is in charge of ensuring the compliance of all companies within the scope of the directive. To do so, the competent authorities have several tools at their disposal. These range from simple requests for information, data, or evidence that cybersecurity policies have been implemented, to regular or ad-hoc audits, to on-site inspections and off-site supervision, including random checks.

Fines

If a company is found to be in infringement of the NIS2 Directive, member states will impose administrative fines. These fines are supposed to be effective and dissuasive, but they must also take into account the circumstances of each individual case. Fines also depend on whether the company is considered an essential or an important entity.

Get Ready for NIS2 with Lansweeper

You can’t protect what you don’t know. Lansweeper’s unrivaled discovery casts a wide net when it comes to asset data. Monitor the use of data encryption, antivirus installations, out-of-date software, unauthorized local admins, backup creation, and more. Whatever details you need to keep your network clean, Lansweeper has them.

Combined with this deep-dive discovery of your IT estate, Lansweeper’s risk insights let you perform risk analysis and increase information system security by discovering misconfigurations. Had a security incident? Use Lansweeper to identify other potentially vulnerable machines.

  • What is the NIS2 Directive?

    The NIS2 Directive is a comprehensive EU-wide cybersecurity legislation designed to enhance overall cybersecurity within the European Union. It replaces the initial NIS Directive introduced in 2016, offering a broader scope to address the challenges posed by increased digitization and evolving threat landscapes.

    Organizations under NIS2 must implement “appropriate and proportionate technical, operational, and organizational measures” to manage cybersecurity risks and minimize the impact of incidents on their services and recipients.

  • Who does the NIS2 Directive apply to?

    A company is in scope if it operates in one of the (sub)sectors and types of services listed below AND is of a specific size.

    1. Which sectors are in scope?

    Below is an overview of all sectors included in the NIS2 scope. The sectors in bold are newly added and didn’t fall under the scope of the first NIS directive but are included under NIS2.

    Essential Entities

    • Energy (electricity incl. e.g., district heating and cooling, also: oil, gas, hydrogen)
    • Transport (air, rail, water, road)
    • Banking
    • Financial market infrastructures
    • Health (healthcare providers, EU reference laboratories, drug research and development, basic pharmaceutical products and preparations, emergency medical devices)
    • Drinking water
    • Wastewater
    • Digital infrastructure
    • ICT Service Management
    • Public administration
    • Space

    Important Entities

    • Postal and courier services
    • Waste management
    • Manufacture, production and distribution of chemicals
    • Production, processing and distribution of food
    • Manufacturing of medical devices; computer, electronic, and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers, and semi-trailers; other transport equipment
    • Digital providers (online marketplaces, online search engines, social networking services platforms)
    • Research


    2. Size of the Organisation

    Large and Medium-sized Entities

    • More than 50 Employees
    • OR an annual turnover of over €10 million.

    The NIS2 Directive applies to any large and medium-sized entities in the sectors listed above.

    Small and Micro-entities

    • Fewer than 50 employees
    • AND an annual turnover (or annual balance sheet total) of less than €10 million.

    Most small or micro enterprises are excluded from the scope of the NIS2 Directive.

    Exceptions: Each member state will determine certain small enterprises and micro-enterprises that fulfill “specific criteria that indicate a key role for society, the economy, or for particular sectors or types of service to fall within the scope of this Directive.” Again, this is up to the member states to determine, so keep an eye on your country’s legislation for more details.


    3. Non-EU Entities

    If your organization is not established in the EU but offers services within the EU, NIS2 still applies to you under the same rules listed above. In that case, you are required to designate a representative in the EU. You will do so in one of the member states where your services are offered. You will then be considered under that member state’s jurisdiction.

    If you fail to establish a representative, any member state where you offer your services can take legal action against your organization for infringement of the NIS2 Directive.

  • What non-compliance fines apply under NIS2?

    Essential Entities

    Essential entities may face administrative fines of either a maximum of at least EUR 10,000,000 or at least 2% of the total worldwide annual turnover in the preceding financial year, whichever is higher.

    Important Entities

    Important entities may be subject to administrative fines of either a maximum of at least EUR 7,000,000 or at least 1.4% of the total worldwide annual turnover in the preceding financial year, whichever is higher.
