The Impact and Scope of NIS2

The NIS2 directive from the EU will be implemented in European legislation in the near future for a wide range of companies and organizations. The directive includes stricter legal requirements for network and information security in selected sectors.

On this page, you will get much wiser about the impact and scope of NIS2.

What is NIS2 and why is there a new directive?

NIS2 is the successor to the original directive, Network and Information Security (NIS), from 2016. The background for revising the directive is the increasing cyber threats that pose a risk to the efficiency of the internal market. These threats and the actors behind them range from mere amateurs to cyber criminals and state-sponsored actors.

The damages that these threats can cause can spread through vulnerable supply chains and critical infrastructure, thereby devastating society, the economy, and businesses. Therefore, there is a need to protect at a new and uniform level.

The revised NIS2 directive aims to ensure:

  • A consistent selection of relevant sectors across the EU.
  • Consistency in security requirements.
  • Uniform handling of major cyber incidents.

When should the NIS2 directive be implemented in legislation?

The directive should be implemented in legislation by October 2024, and thereafter, compliance with the legislation is required by the affected companies. There has not yet been a specific timetable announced by the authorities.

What is the difference between NIS and NIS2 Compliance?

There are several changes compared to the previous NIS directive. The changes can be divided into those that have implications for national authorities and those that have implications for individual companies.

For national authorities, there are several changes and initiatives that strengthen cooperation across borders in the EU. This includes the establishment of organizations that will work on preventive measures, including close collaboration with ENISA (European Network and Information Security Agency), and corrective measures that ensure that major cyber incidents can be managed at an EU level through a newly established entity called "EU CyCLONe" (Cyber Crises Liaison Organization Network).

For organizations and companies, the changes are related to four areas:

  1. Risk management and security measures
    There are stricter requirements to base control measures on risk assessments.

  2. Notification obligations
    There are uniform requirements regarding the timing and recipients of reporting a cyber incident. The incident must be reported to the supervisory authority within 24 hours if it's deemed critical. A report summarizing the incident, including how it was handled, must be provided within 72 hours. Finally, a final report must be submitted within one month.
    NIS2 incident response timeline - when to do what

  3. Management commitment
    Greater emphasis is placed on management's insight into the prevention and handling of cyber incidents, both nationally and within companies. This means that members of the company's management can be held directly and personally accountable for security breaches under the NIS2 directive.

  4. Supervision, enforcement, and sanctions
    Similar to GDPR, there is the possibility of imposing fines on organizations and companies for non-compliance. Organizations or companies may potentially face fines of up to 10 million euros or 2% of the organization's annual global turnover.

What does NIS2 mean for you as an Information Security Manager?

If your company is subject to the NIS directive and therefore required to comply with NIS2, you may have many questions that you would like to have answered.

  1. What will happen next?
  2. Where should you allocate additional InfoSec resources?
  3. How do you do it correctly and most effectively?
  4. What are the consequences if you fail to comply with NIS2 on time?

The good news is that if your company is subject to NIS2 requirements, you are likely already working with ISO 27001/2. That's because if you comply with ISO 27001/2, you have already made significant progress in terms of NIS2 compliance.

If you are not already working with ISO 27001/2, that's precisely where you should start. We can certainly assist you with that. Book a non-binding meeting with us here.

If you want to read more about the measures and changes that you, as an Information Security Officer, should consider if you are subject to NIS2 regulations, read the article "How will NIS2 impact an Information Security Manager?"

Who is responsible for the NIS2 supervision of companies?

Currently, there is sector responsibility for the prevention of cyber incidents as practiced today. However, in the future, it is expected that a common supervisory authority (CSIRT) will be appointed, and supervision will be carried out through this authority. Guidance and advice are also expected from this or other EU-organized knowledge and competence centers.

Our best guess for an organization that will have broad supervisory responsibility for Danish companies that need to comply with NIS2 is the Center for Cyber Security. We believe that this organization in Denmark has the best expertise to fulfill this task.

Which sectors and companies are covered by the NIS2-directive?

NIS2 has different criteria for determining who is covered by the directive. Your company is covered by the NIS2 directive if it falls into one of the following categories:

  1. Criteria for significant or essential organizations and companies.

  2. Size criteria.

  3. If your company is a supplier to a company falling under the first two categories.

Criteria for significant or essential organizations and companies:

The following sectors and industries have been selected in the category of significant organizations and companies:

  • Energy
  • Transport
  • Financial institutions
  • Market infrastructure
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure and providers
  • Public administration
  • Space activities

In the category of essential organizations and companies, the following sectors and industries have been selected:

  • Postal services
  • Waste management
  • Chemical products
  • Manufacturing, distribution, and production of food
  • Manufacturing and production of pharmaceuticals, electronics, optical equipment, machinery, vehicles

Size criteria:

The size criteria prescribe (with few exceptions) that a company is covered by NIS2 if all three of the following sub-criteria are met:

  • The company falls within the sectors mentioned above.
  • The company has over 50 employees.
  • The company has an annual turnover of over 10 million euros.

You may be indirectly covered by NIS2 if...

Please note that you may be indirectly covered by the directive even if you do not fall within the aforementioned sectors. This applies in cases where you provide critical services or deliver to significant or critical companies. In other words, if you are a subcontractor to a company covered by NIS2.


Read about what NIS2 means for you as an Information Security Manager here.

air greenland
dolphinics logo