NIS2 (EU Directive 2022/2555) is the EU's framework for improving cybersecurity across member states. It sets requirements for how organizations protect their network and information systems - with a focus on confidentiality, integrity, availability and recovery. NIS2 replaces the original NIS Directive from 2016 and expands both scope and requirements.
NIS2 applies to two categories of organizations:
Essential entities - e.g. energy, transport, health, drinking water/wastewater, finance and digital infrastructure.
Important entities - e.g. postal and courier services, waste management, food production, manufacturing of critical products and providers of certain digital services.
The scope depends on industry/sector, size (typically medium and above) and criticality, among other factors.
In short, NIS2 is about managing risk, governance and evidence. This means, among other things:
Risk management & controls: appropriate technical and organizational measures (access management, patching, backup/restore, logging/monitoring, cryptography, vendor management, emergency response).
Management responsibility: top management has formal responsibility for cybersecurity, including approving policies and overseeing implementation.
Incident reporting: an obligation to notify significant incidents rapidly via the national contact points, in stages (an early warning, followed by a status notification and a final report).
Vendor/chain risks: requirement to assess and manage third-party and cloud risks.
Supervision and sanctions: authorities can supervise and audit compliance; non-compliance can trigger injunctions and significant fines.
We make NIS2 operational - from gap analysis and roadmap to implementation, exercises and reporting:
Mapping your scope and category (essential/important) and the relevant national requirements.
Establishing a governance model, policies and controls mapped to NIS2.
Incident response setup and reporting flows, including exercises.
Supplier and chain risk program.
Management reporting, KPIs and audit preparation.