What is NIS2?

NIS2 (Network and Information Security Directive) is the EU-wide legislation on cybersecurity. Coming into force on October 17th, 2024, it provides legal measures to boost cybersecurity in the EU.

NIS2 will modernise the EU’s position on cyber security and allow the region to stay on top of increased digitisation and evolving threats. This directive builds on the original NIS and, most importantly, expands the scope of the cybersecurity rules to new sectors and entities.

NIS2 is intended to introduce a culture of security across sectors that are vital for the functioning of the economy and wider society.

What’s new in NIS2?

The NIS2 Directive builds on the three main pillars that were the basis of the NIS1 Directive:
  • The NIS2 Directive requires Member States to adopt a national cybersecurity strategy.
  • NIS2 promotes swift and effective operational cooperation between national CSIRTs (Computer Security Incident Response Teams).
  • The NIS1 Directive covered seven sectors: energy, transport, banking, financial market infrastructures, drinking water, healthcare and digital infrastructure. NIS2 expands this coverage significantly.

Who is affected?

The Directive expands the scope of the previous rules set out in NIS1 by adding new sectors. These additions are based on the relative degree of digitalisation and interconnectedness as well as how critical they are deemed to be for the economy and society to function.

The NIS2 covers entities from the following sectors:
  • Energy (electricity, district heating and cooling, oil, gas and hydrogen)
  • Transport (air, rail, water and road)
  • Banking
  • Financial market infrastructures
  • Health including manufacture of pharmaceutical products including vaccines
  • Drinking water
  • Waste water
  • Digital infrastructure (internet exchange points; DNS service providers; TLD name registries; cloud computing service providers; data centre service providers; content delivery networks; trust service providers; providers of public electronic communications networks and publicly available electronic communications services)
  • ICT service management (managed service providers and managed security service providers)
  • Public administration
  • Space

NIS2 also includes other sectors deemed critical:

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food
  • Manufacturing of medical devices, computers and electronics, machinery and equipment, motor vehicles, trailers and semi-trailers and other transport equipment
  • Digital providers (online marketplaces, online search engines, and social networking service platforms)
  • Research organisations

In addition to expanding the sectors in scope, NIS2 offers a clear sizing threshold to determine what kind of organisations are in scope. This means that all medium and large-sized companies in the selected sectors will be automatically included in the scope. But it also allows for a certain amount of leeway for each Member State to identify smaller entities with a high security risk profile that should also be covered by the obligations of the new Directive.


What can you do?

The first thing you need to do is to ascertain whether or not your organisation is within the scope of NIS2, given that its remit is now much broader than the scope set out in the original NIS Directive.

If you are in scope, you need to understand the Directive and your obligations towards becoming compliant. This applies regardless of whether or not your own government has legislated for NIS2 yet. Organisations need to be fully prepared for NIS2 being enforced from the date set out by the European Union of 17th October.

How can Ekco help?

Ekco has decades of experience working in the cyber security compliance sector. It has worked with a number of customers on compliance with the original NIS Directive and is currently working with customers as they move towards compliance with NIS2.

Ekco can help you determine if you are impacted by NIS2 and define the criteria required for compliance. Our expert advisory team know the finer detail in NIS2 and have developed Ekco NIS2 accelerators to fast-track compliance. We have the knowledge and practical experience of all Cyber Frameworks (ISO27001, NIST, IEC 62443 etc).

We can manage all your Governance, Risk and Compliance requirements. Ekco has the largest certified cyber security consultancy team in Ireland. We pride ourselves on being your trusted cyber security advisors.

Let Ekco do the heavy lifting to fast track your compliance.
