NIS 2 Directive

Comply with the legislation, protect your information systems, prevent attacks and ensure the security of your services.

  • We are expert consultants in Information Security.

What is the NIS 2 Directive?

NIS 2 (Network and Information Security), also known as Directive (EU) 2022/2555, establishes obligations that the Member States of the European Union must meet to ensure a high common level of cybersecurity across the Union.

Entities within its scope must implement technical, operational and organizational measures to manage the security risks to their networks and information systems.

These obligations include:

  • Cybersecurity risk management obligations.
  • Incident notification obligations for entities within its scope.
  • Obligations regarding the exchange of cybersecurity information.
  • Supervision and enforcement obligations for Member States.

What does NIS 2 Directive entail?

The NIS 2 Directive promotes cooperation and coordination between EU countries on information security, requiring Member States to:

  • Adopt cybersecurity strategies.
  • Designate or establish competent authorities.
  • Name cybersecurity crisis management authorities.
  • Indicate single points of contact on cybersecurity.
  • Form computer security incident response teams (CSIRTs).

In addition, NIS 2 formally establishes the European Cyber Crisis Liaison Organisation Network (EU-CYCLONe) and expands the role of the European Union Agency for Cybersecurity (ENISA), which already existed before the Directive.

Sectors to which the NIS 2 Directive applies

The NIS 2 Directive distinguishes between two groups of sectors: "sectors of high criticality" (Annex I) and "other critical sectors" (Annex II).

In total, the NIS 2 Directive applies to 18 sectors: 11 sectors of high criticality and 7 other critical sectors.

In addition, the NIS 2 Directive divides some sectors into specific subsectors, which makes it easier for entities to identify whether they fall within its scope.

In addition, NIS 2 distinguishes between two types of entities: essential entities and important entities.

Essential entities are:

  • Large enterprises belonging to the sectors of high criticality.
  • Qualified trust service providers, top-level domain name registries and DNS service providers, regardless of their size.
  • Providers of public electronic communications networks or of publicly available electronic communications services that qualify as medium-sized enterprises.
  • Public administration entities of central government (and of regional government, where the Member State so provides).
  • Any other entity belonging to the sectors of high criticality or other critical sectors that the Member State identifies as an essential entity.
  • Critical entities identified under the CER Directive.
  • Where the Member State so provides, entities identified as operators of essential services under the previous NIS Directive.

Important entities are all other entities belonging to the sectors of high criticality or other critical sectors that do not qualify as essential entities.

Which companies are affected by the NIS 2 Directive?

There are 3 criteria that define which organizations must comply with the NIS 2 Directive:

  • Location: whether the entity provides services or carries out activities in any EU Member State, regardless of where it is established.

  • Size:

    • Medium-sized enterprises: fewer than 250 employees, with an annual turnover not exceeding 50 million euros or an annual balance sheet total not exceeding 43 million euros (and above the thresholds for small enterprises).
    • Large enterprises: 250 or more employees, or an annual turnover exceeding 50 million euros and an annual balance sheet total exceeding 43 million euros.
  • Sector: whether it operates in any of the 18 sectors listed in the Directive.

Furthermore, regardless of size, NIS 2 applies to entities in the sectors within its scope when they are:

  • Providers of public electronic communications networks or of publicly available electronic communications services.
  • Trust service providers.
  • Top-level domain name registries and domain name system (DNS) service providers.
  • Entities that are the sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities.
  • Entities where a disruption of the service provided could have a significant impact on public safety, public security or public health.
  • Entities where a disruption of the service provided could induce significant systemic risk, in particular for sectors where such a disruption could have a cross-border impact.
  • Entities that are critical because of their specific importance at national or regional level.
  • Entities of central public administration, or of regional public administration as defined by a Member State.
  • Entities identified as critical entities under Directive (EU) 2022/2557 on the resilience of critical entities (hereinafter, the CER Directive).
  • Entities providing domain name registration services.
  • Where the Member State so provides, local public administration entities or education institutions, in particular those carrying out critical research activities.

Bodies linked to the NIS 2 Directive

Computer security incident response teams (CSIRTs): they respond to incidents and provide assistance to the essential and important entities affected by them.

Competent authorities: they supervise entities within the scope of the Directive, carrying out inspections, security scans or audits.

CSIRTs network: formed by representatives of the Member States' CSIRTs and the Computer Emergency Response Team for the Union institutions, bodies, offices and agencies (CERT-EU), to exchange information on incidents, cyber threats and other matters of interest.

EU-CYCLONe: formed by the cyber crisis management authorities of the Member States together with the Commission, to support the coordinated management of large-scale cybersecurity incidents and crises.

Single point of contact: designated by each Member State, it exercises a liaison function to ensure cross-border cooperation between its Member State's authorities and the relevant authorities of other Member States, the Commission and ENISA.

Cooperation Group: composed of representatives of the Member States, the Commission and ENISA, it provides competent authorities with guidance on the transposition and implementation of the Directive, on the development and implementation of policies on coordinated vulnerability disclosure, and on the exchange of good practices and information relating to the implementation of the Directive, cyber threats and vulnerabilities.

Penalties for non-compliance with the NIS 2 Directive

EU Member States may impose penalties on entities that fail to comply with the requirements of the NIS 2 Directive, in particular those set out in Article 21 (cybersecurity risk management measures) and Article 23 (reporting obligations).

These penalties vary depending on the type of entity:

  • For essential entities, administrative fines of up to €10 million or 2% of the total worldwide annual turnover of the previous financial year, whichever is higher.
  • For important entities, administrative fines of up to €7 million or 1.4% of the total worldwide annual turnover of the previous financial year, whichever is higher.

Member States must notify the European Commission of the rules on penalties applicable to non-compliance by 17 January 2025.

Entry into force of the NIS 2 Directive

Member States had until 17 October 2024 to adopt and publish the measures necessary to transpose the NIS 2 Directive into national law, and must apply those measures from 18 October 2024.

How to implement NIS 2 Directive?

If you want to ensure the security of your services and meet the European Union's cybersecurity requirements, you must implement the NIS 2 Directive in your entity.

At Grupo Ingertec we offer you our help and advice throughout the process.
