How to comply with NIS2?

Follow these steps to comply with the EU cybersecurity directive confidently.

Understanding NIS2 Compliance

Many CISOs and boardroom members come to us with questions about how to comply with cybersecurity laws and regulations like NIS2. This is the Network and Information Systems Directive adopted by the EU.

NIS2 requires essential and important companies and organizations in the EU to demonstrate a thorough, risk-based implementation of cybersecurity measures. However, the specifics of how to do this can vary considerably from sector to sector.

How can organizations interpret these regulations in practical terms? At Secura, we're committed to helping your organization comply with applicable law.

About the deadline

The NIS2 Directive, adopted in December 2022, raises the bar for cybersecurity across the European Union. This important legislation strengthens protections for network and information systems, but it's not yet directly enforceable as national law.

EU member states are currently working to transpose NIS2 into their own legal frameworks. While the deadline for this is October 17, 2024, some countries will not meet this deadline. It's important to stay informed about the status of NIS2 transposition in your specific country to ensure a smooth transition for your organization.

Not sure if NIS2 applies to you? Start here

Are you wondering if NIS2 applies to your company or organization? Start with our free NIS2 Self Assessment to find out. It will only take 1-5 minutes of your time.

Take the free NIS2 Self Assessment (1-5 mins)

The NIS2 Self Assessment is a tool designed to help companies and organizations determine their compliance requirements under the NIS2 Directive. By answering a series of targeted questions, you can identify which of the four possible outcomes applies to you.

Four possible outcomes of the NIS2 Self Assessment:

  • Considered Essential - indicating the highest level of compliance necessity.
  • Considered Important - indicating a high level of compliance necessity, but less strict than for essential organizations.
  • Not sure - needs an expert view - indicating further professional evaluation is required. This is the case, for example, when the requirement differs per country.
  • Not NIS2 - indicating the organization is not subject to NIS2 regulations (yet). This can change when your organization grows or when you become a supplier to a company that has to comply.

Next steps if "Essential" or "Important"

If your company or organization is considered Essential or Important under NIS2, we advise you to first train your employees, both at the boardroom level and other levels. With the NIS2 Boardroom Training and SAFE Awareness Program, we can help you meet these requirements at all levels.

Next, to determine what steps you need to take to meet the requirements of NIS2, it is important to know the current security maturity levels of the different parts of your organization. The NIS2 Gap Assessment measures where you are and where you need to go. With this insight you know which steps you need to take to comply with NIS2.

After determining where you stand and which steps are needed to meet the requirements of NIS2, it is time to implement measures, for example with CISO support or Incident Response services. Our broad range of services can support you both in the implementation and in the interpretation of measures.

After completing these steps, you will be NIS2 compliant and your organization will be more secure in the face of cyber threats. Does this sound complicated? Then consider the CyberCare program, with which we support you throughout the process.

01. Verify if NIS2 applies to your organization

NIS2 applies to important and essential entities. Whether a company is classified as such depends on its size and the sector in which it operates. We offer a free NIS2 Self Assessment here.

02. Train your board and staff

Training your employees, both at the boardroom level and other levels, is an essential part of NIS2. With the NIS2 Boardroom Training and SAFE Awareness Program, we can help you meet these requirements at all levels.

03. Map where your organization currently stands

To determine what steps you need to take to meet the requirements of NIS2, it is important to know the current security maturity levels of the different parts of your organization. The NIS2 Gap Assessment measures where you are and where you need to go. With this insight you know which steps you need to take to comply with NIS2.

04. Implement improvements

After determining where you stand and which steps are needed to meet the requirements of NIS2, it is time to implement measures, for example with CISO support or Incident Response services. Our broad range of services can support you both in the implementation and in the interpretation of measures.

05. NIS2 compliance

After completing these steps, you will be NIS2 compliant and your organization will be more secure in the face of cyber threats. Does this sound complicated? Then consider the CyberCare program, with which we support you throughout the process.

How we support you

Secura offers services to help you become NIS2 compliant. Please visit our NIS2 Services page for a comprehensive overview.

GET READY FOR NIS2

The European Directive for Network and Information Systems comes into effect on October 17, 2024, or later, depending on your local government. Don't wait any longer and start taking action today.

Related Services

NIS2 Boardroom Training

Prepare your boardroom for NIS2 compliance with our comprehensive Boardroom Training. Learn to identify and address cyber risks, meet NIS2 requirements, and safeguard your organization's digital infrastructure. Secure your spot now.

Overview NIS2 Services

Discover all our services related to NIS2.

ABOUT SECURA

Secura is a leading cybersecurity expert. Our customers range from government and healthcare to finance and industry worldwide. Secura offers technical services, such as vulnerability assessments, penetration testing and red teaming. We also provide certification for IoT and industrial environments, as well as audits, forensic services and awareness training. Our goal is to raise your cyber resilience.

Secura is a Bureau Veritas company. Bureau Veritas (BV) is a publicly listed company specialized in testing, inspection and certification. BV was founded in 1828, has over 80.000 employees and is active in 140 countries. Secura is the cornerstone of the cybersecurity strategy of Bureau Veritas.