
What are the requirements of the NIS2 directive? Learn how DEKRA can help you with NIS2 compliance

NIS2 directive

Cybersecurity for essential organizations with the NIS2 directive

Increasing levels of digital developments are putting pressure on the security of our society and economy. The NIS2 cybersecurity legislation has been drawn up to improve cybersecurity and the resilience of essential services in EU member states. This is the successor to the old NIS directive, that no longer provided adequate protection. The NIS2 directive applies to more sectors, and sets stricter security standards and incident reporting requirements. As a cybersecurity expert, DEKRA offers certifications that enable you to demonstrate compliance with NIS2 guidelines. These are parts of ISO 27001 and IEC 62443, in combination with additional documentation, depending on your situation.

What is the NIS2 directive?

The NIS2 directive is a European directive; NIS stands for Network and Information Security. NIS2 is the successor to the original NIS legislation, which was introduced in 2016. The aim of the NIS2 directive is to ensure that organisations providing essential services, such as healthcare facilities and energy companies, identify and address their cybersecurity risks. The NIS2 directive also includes various monitoring and enforcement measures. NIS2 is a law. You are therefore required to comply with this European cybersecurity law from the summer of 2025.

What is covered by the scope of the NIS2 directive?

The NIS2 directive distinguishes between essential entities and important entities. Essential entities can be subjected to random audits. These organisations can be audited without an incident having occurred. Audits can include security scans and on-site inspections. These organisations are under a magnifying glass, so to speak. An essential organisation must be able to demonstrate that it complies with NIS2, bearing the burden of proof for this.
Important entities, on the other hand, will only be audited if there is evidence, an indication or information that they are not compliant. This is done after a cybersecurity breach. But even for them, it is of course mandatory and very important to comply with NIS2 legislation. These entities must be able to prove that the organisation was compliant with cybersecurity regulations at the time of the cybersecurity breach.
NIS2 applies to medium-sized and large companies (50+ employees or an annual turnover of 10 million euros) across a range of sectors, listed below. In principle, micro and small businesses are not covered by the NIS2 directive. Exceptions to this rule are trust service providers, which do fall within the scope of NIS2. In addition, the minister responsible for a particular sector can choose to require that a micro or small business comply with the NIS2 directive if the risk assessment shows that this is essential.
The NIS2 directive covers all organisations also covered by the first NIS directive. In addition, a few new sectors have been added that are also included in the scope of NIS2. Below is an overview of all sectors, divided into essential and important entities.
Essential entities:
  • Energy
  • Transport
  • Healthcare
  • Government
  • Space travel
  • Management of ICT services
  • Digital infrastructure
  • Drinking water
  • Waste water
  • Financial market infrastructure
  • Banking
Important entities:
  • Manufacturing
  • Postal and courier services
  • Waste management
  • Foodstuffs
  • Chemicals
  • Research

New: supplier chain also monitored

An important aspect of NIS2 is the emphasis on the responsibility of organisations to also identify and address cybersecurity risks within their supplier chain. This means that businesses need to secure not only their own systems but also those of their partners and suppliers, the full chain. After all, suppliers often also have access to cybersecurity-sensitive information. The ultimate goal is to protect data and create a more resilient digital ecosystem, in which the likelihood of disruption from cyberattacks is significantly reduced.
Your suppliers or service partners may not be active in any of the listed sectors or have fewer than 50 employees, so they may not be designated as 'essential' or 'important'. However, they must still comply with NIS2 at all times. Moreover, the EU may still label these organisations as essential or important in the future.

NIS2 directive timeline

The NIS2 directive is translated from an EU directive into national legislation. In November 2022, NIS2 was adopted by the European Council. Subsequently, in January 2023, the 21-month implementation period began. In the Netherlands, the NIS2 directive will take effect in July 2025. From that point on, all organisations covered by the NIS2 directive must comply with the duty of care and reporting obligations. If an organisation does not comply, enforcement measures such as warnings, binding instructions and fines will follow.

What are the obligations under the NIS2 directive?

Organisations subject to the NIS2 directive are required to implement measures to protect their network and information systems from cyber incidents. This includes not only digital security but also the physical environment in which these systems operate. The goal is to ensure service continuity and safeguard information from disruptions.
  • Risk assessment: Organisations must conduct a comprehensive risk analysis to identify potential threats to their network and information systems.
  • Security measures: Based on this risk assessment, appropriate technical, operational and organisational measures must be implemented to effectively mitigate the identified risks.
  • Procurement policy: Organisations must ensure that purchased products and systems comply with relevant cybersecurity regulations, such as RED-DA and the upcoming CRA. Independent certifications and test reports from accredited institutions contribute to this compliance.
  • Physical security: In addition to digital measures, the physical locations where systems are housed, such as data centres, must be adequately secured to prevent unauthorised access and sabotage.
The purpose of this duty of care is to guarantee service continuity and protect information from incidents that could disrupt system operations.

Why DEKRA for the NIS2 directive?

ENISA, the European Network and Information Security Agency, is responsible for ensuring that Europe becomes cybersecure. It has made it known that there will not be a harmonised NIS standard in the future. Contact one of our experts to discuss how best to get certified for compliance with NIS2.
You are responsible for working in compliance with the NIS2 directive. However, independent certification by a certification body such as DEKRA will contribute immensely to a solid compliance basis. We provide certificates that allow you to self-certify your compliance with NIS2. Moreover, independent testing gives a much broader insight into the level of your organisation, for example whether you are fully compliant with the essential quality mark ISO 27001.
DEKRA has positioned itself as a leading expert in cybersecurity. With in-depth knowledge and extensive experience, DEKRA offers a wide range of services to support organisations in complying with the NIS2 directive. Here are some of the reasons why DEKRA is considered the leading authority in this field:
1. Extensive cybersecurity services
2. Regulation and standards insight
3. Experience and certification

How DEKRA helps organisations with NIS2 compliance

Complying with the NIS2 directive can be a challenging process, but DEKRA offers a structured approach to guide organisations through it. Here are some steps DEKRA takes to help organisations achieve NIS2 compliance:

Contact us without obligation

NIS2 compliance is a complex and ongoing process that requires organisations to continuously evaluate and improve their security measures. DEKRA's extensive expertise, deep knowledge of regulations and standards, and years of experience in cybersecurity make us the authority in NIS2 compliance. By partnering with DEKRA, organisations can not only comply with the NIS2 directive but also strengthen their overall cybersecurity and be better prepared for the challenges of the digital future.
For more information on how DEKRA can help your organisation comply with the NIS2 directive, contact one of our experts.