With extensive experience at the intersection of certification and cybersecurity, Kiwa can assist your organization in complying with the NIS2 directive. Kiwa possesses in-depth expertise in testing, inspecting and certifying. By combining this knowledge with our knowledge in the field of cybersecurity, IoT consumer electronics and Industrial Automation and Control Systems (IACS), Kiwa helps organizations enhance their cyber resilience and obtain certifications in accordance with standards such as ISO 27001, NEN 7510, and IEC 62443.
What is NIS2?
The starting point of NIS2 is a risk-based approach to an organization's information security. However, the level of information security the NIS2 directive intends is broader than the measures it explicitly mentions: it sets a level of information security that must be achieved without fully specifying the associated measures.
‘The Member States shall ensure that essential and important entities take appropriate and proportionate technical, operational and organizational measures to manage the risks to the security of the networks and information systems they use for their activities or for the provision of their services and to prevent incidents or limit the consequences of incidents for the consumers of their services and for other services.’
NIS2 objectives:
- Enhancing cyber resilience
- Improving awareness levels
- Mitigating cyber attacks
Is NIS2 applicable to your organization?
Is your organization active in sectors that are vital to society? Then, starting from 18 October 2024, you must comply with the NIS2 directive. What types of organizations are distinguished?
1. Essential entities
- Large organizations operating in a sector listed in Annex I of the NIS2 directive (see table below).
- An organization is considered 'large' based on the following criteria:
1. More than 250 employees; or
2. A net turnover of more than €50 million and a balance sheet total of more than €43 million.
2. Important entities
- Medium-sized organizations operating in a sector listed in Annex I and organizations operating in a sector listed in Annex II.
- An organization is considered 'medium-sized' based on the following criteria:
1. At least 50 employees; or
2. An annual turnover or balance sheet total of more than €10 million.
NIS2: Classification of sectors
[Table: Sectors Annex I | Sectors Annex II]
The NIS2 directive brings several significant changes in the realm of cybersecurity. Requirements regarding rule enforcement are tightened and sanctions will apply across the EU. Additionally, the scope is expanded to include new sectors. Companies and organizations falling under the directive must take measures in cybersecurity risk management, penetration testing, incident response and recovery. Failure to comply with the NIS2 directive puts organizations at risk of financial sanctions, based on global turnover.
Organizations seeking to be well-prepared for the arrival of the NIS2 directive are advised not to wait until the legal framework is fully clear. After all, the risks to organizations and systems already exist. Taking action now not only protects against existing risks but also means better preparation for the new legislation. Start off on the right foot with the following steps:
- Identify physical and digital risks that could disrupt your organization's continuity.
- Implement measures to mitigate these risks.
- Establish procedures enabling your organization to detect, monitor, resolve and report incidents that may disrupt business processes.
NIS2 obligations
- Duty of care: According to the NIS2 directive, entities must fulfill a duty of care by conducting their own risk assessment. Based on this, they must take appropriate measures to ensure their services and network and information systems are safeguarded.
- Reporting obligation: Entities must report incidents that could significantly disrupt the provision of essential services within 24 hours to the regulator. In the case of a cyber incident, it is also required to report it to the relevant Computer Security Incident Response Team (CSIRT) for possible assistance. Factors making an incident reportable include the number of affected individuals, the duration of the disruption and potential financial losses.
- Registration requirement: Entities under the NIS2 directive are required to register. This registration contributes to a European overview of the number of entities falling under NIS2.
- Oversight: Organizations required to comply with the directive are subject to supervision to ensure compliance with the directive, including the duty of care and reporting obligation. Currently, it is being determined which sectors fall under which regulator.
When does NIS2 come into effect?
The NIS2 directive came into effect on 16 January 2023. Member states have until 17 October 2024 to implement the associated measures into their national legislation. It is expected that the law will come into force by the end of 2024 after parliamentary consideration. From that moment on, organizations falling under the NIS2 directive must comply with the duty of care and reporting obligation.