lock on laptop keyboard
Scope of NIS2

What are the requirements of the NIS2 directive EU? Learn how DEKRA can help you with NIS2

HomepageSolutionsCybersecurityNIS2 Directive

NIS2 directive EU

Cybersecurity for essential organizations with the NIS2 directive EU

Increasing levels of digital developments are putting pressure on the security of our society and economy. The NIS2 cybersecurity legislation has been drawn up to improve cybersecurity and the resilience of essential services in EU member states. This is the successor to the old NIS directive, that no longer provided adequate protection. The NIS2 directive EU applies to more sectors, and sets stricter security standards and incident reporting requirements. As a cybersecurity expert, DEKRA offers certifications that enable you to demonstrate compliance with NIS2 guidelines. The NIS2 scope consists of (parts of) ISO 27001, IEC 62443 and NIST Cybersecurity Framework (CSF), in combination with additional documentation, depending on your situation.

What is the NIS2 directive EU?

The NIS2 directive EU is a European directive, and stands for Network and Information Security Directive. NIS2 is the successor to the original NIS legislation, which was introduced in 2016. The aim of the NIS2 directive EU is to ensure that organisations providing essential services, such as healthcare facilities and energy companies, identify and address their cybersecurity risks. Various monitoring and enforcement measures are also included in the NIS2 directive EU. NIS2 is a law. You are therefore required to comply with the NIS2 directive EU since the summer of 2025.

Harmonization of the NIS2 directive EU

ENISA is the European Network and Information Security Agency and is responsible for ensuring that Europe becomes cybersecure. They have made it known that there will not be a harmonised standard for the NIS2 scope in the future.

From the NIS2 Directive to the Cybersecurity Law

The NIS2 Directive is European legislation that sets out the minimum cybersecurity obligations that organizations must comply with. In the Netherlands, NIS2 is being transposed into national legislation: the Cybersecurity Law. This Law makes the NIS2 obligations legally binding for organizations that fall within its scope. This means that regulators can enforce and impose sanctions when organizations fail to demonstrate compliance with the requirements for cybersecurity, incident reporting, and risk management.
When the Cybersecurity Law takes effect, it will replace the current Network and Information Systems Security Law (Wbni).

Whitepapers

Contact

What is covered by the scope of the NIS2 directive EU?

The NIS2 directive EU distinguishes between essential entities and important entities.

Essential entities

Essential entities can be subjected to random audits. These organisations can be audited without an incident having occurred. Audits can include security scans and on-site inspections. These organisations are under a magnifying glass, so to speak. An essential organisation must be able to demonstrate that it complies with the EU directive of NIS2, bearing the burden of proof for this.

Important entities

Important entities, on the other hand, will only be audited if there is evidence, an indication or information that they are not compliant with the NIS2 directive EU. This is done after a cybersecurity breach. But even for them, it is of course mandatory and very important to comply with NIS2 legislation. These entities must be able to prove that the organisation was compliant with cybersecurity regulations at the time of the cybersecurity breach.

Company size

The NIS2 directive EU applies to medium-sized and large companies (50+ employees or an annual turnover of 10 million euros) across various sectors, including. In principle, micro and small businesses are not covered by the NIS2 directive EU. Exceptions to this rule are trust service providers, which do fall within the scope of NIS2. In addition, the minister of a particular sector can choose to require that a micro or small business comply with the NIS2 directive EU if the risk assessment shows that this is essential.

Industries and the NIS2 directive EU

The NIS2 directive EU covers all organisations also covered by the first NIS directive. In addition, a few new sectors have been added that are also included in the scope of NIS2. Below is an overview of all sectors, divided into essential and important entities.
Essential entities:
  • Energy
  • Transport
  • Healthcare
  • Government
  • Space travel
  • Management of ICT services
  • Digital infrastructure
  • Drinking water
  • Waste water
  • Financial market infrastructure
  • Banking
Important entities:
  • Manufacturing
  • Postal and courier services
  • Waste management
  • Foodstuffs
  • Chemicals
  • Research

New: supplier chain also monitored

An important aspect of the NIS2 scope is the emphasis on the responsibility of organisations to also identify and address cybersecurity risks within their supplier chain. This means that businesses need to secure not only their own systems but also those of their partners and suppliers, the full chain. After all, suppliers often also have access to cybersecurity-sensitive information. The ultimate goal is to protect data and create a more resilient digital ecosystem, in which the likelihood of disruption from cyberattacks is significantly reduced.
Your suppliers or service partners may not be active in any of the listed sectors or have fewer than 50 employees, so they may not be designated as 'essential' or 'important'. However, they must still comply with the NIS2 directive EU at all times. Moreover, the EU may still label these organisations as essential or important in the future.
With this tool (in Dutch) from the Dutch government, you can quickly check whether the EU directive of NIS2 applies to your organization.
Read more about NIS2 and the transportation industry.
Must-read whitepapers

Cybercrime in the EU

Discover how your organization plays a crucial role in strengthening the EU's digital resilience. In this whitepaper we discuss the impact of cybercrime.
Request whitepaper

Cybersecurity legislation overview

Are you prepared for the latest European cybersecurity legislation? This whitepaper provides a clear overview of NIS2, RED-DA, and CRA compliance.
Request whitepaper
Personn on laptop, receiving NIS2 directive updates
NIS2: Stay informed
Don't miss important updates on the latest developments surrounding NIS2. Subscribe and automatically receive the latest information directly in your inbox.

What are the obligations under the NIS2 directive EU?

Why DEKRA for NIS2 directive EU?

You are responsible for working in compliance with the NIS2 scope. However, independent certification by a certification body such as DEKRA will contribute immensely to meet the NIS2 scope. We provide certificates that allow you to self-certify your compliance with NIS2. Moreover, independent testing gives a much broader insight into the level of your organisation. For example, whether you are fully compliant with the essential ISO 27001 directive.

Cybersecurity expertise

DEKRA has positioned itself as a leading expert in cybersecurity. With in-depth knowledge and extensive experience, DEKRA offers a wide range of services to support organisations in complying with the NIS2 directive EU. Here are some of the reasons why DEKRA is considered the leading authority in this field:

How we support you in meeting the NIS2 directive

Complying with the NIS2 directive EU can be a challenging process, but DEKRA offers a structured approach to guide organizations through this process. Here are some steps DEKRA takes to help organizations achieve the EU directive NIS2:
  • Risk Analysis: DEKRA starts with a comprehensive risk analysis and gap analysis to evaluate the current situation. This includes identifying potential weaknesses and assessing the effectiveness of existing security measures.
  • Implementation of Security Measures: Based on the findings from the analyses, DEKRA assists organizations in implementing the necessary security measures. This can range from policy adjustments to staff training.
  • Continuous Monitoring and Evaluation: The NIS2 directive EU requires continuous monitoring and evaluation of security measures. DEKRA offers services for regular audits and assessments to ensure organizations remain compliant with the directive and can quickly respond to new threats.
  • Incident Response and Recovery: In the event of a security incident, a quick and effective response is crucial. DEKRA helps organizations develop and evaluate incident response plans and recovery strategies to minimize the impact of incidents and resume operations quickly.

Let's get in touch

Meeting the NIS2 directive is a complex and ongoing process that requires your organization to continuously evaluate and improve its security measures. By partnering with DEKRA, you enhance your digital resilience and are better prepared to face the challenges of applicable laws and regulations.
Would you like to learn more about how DEKRA can support your organization in the field of cybersecurity? Simply contact us via the form below.
NIS2 directive blogs
3 Results
No results found.
NIS2 cyber legislation
Oct 28, 2024Digital & Product Solutions / Cyber Security

NIS2 requirements

What is NIS2? And what are NIS2 requirements for cybersecurity? Read all about the directive here
View article
ISO 27001 and NIS2
Oct 14, 2024Digital & Product Solutions / Cyber Security

ISO 27001 and NIS2

Why are ISO 27001 and NIS2 critical to your organization's cybersecurity? Find out in this blog.
View article
NIS2 and IEC 62443
Oct 01, 2024Digital & Product Solutions / Cyber Security

NIS2 and IEC 62443

NIS2 & IEC 62443: The two critical pillars for cybersecurity and cyber resilience. Find out more here.
View article
Whitepapers
Cybersecurity whitepapers
Contact
Contact