NIS2 Regulation: Are you ready?
The NIS2 regulation is a new directive of the European Union whose purpose is to significantly strengthen the cybersecurity measures of many organizations considered critical.
Important Dates
16-1-2023 NIS2 came into effect
17-10-2024 EU states must have established laws related to NIS2 enforcement
17-4-2025 EU states shall have published lists with essential and important entities

What does NIS2 mean for you?
If you are one of the affected organizations, then you are obliged to comply with the NIS2 directive.
If you are an ICT organization, then you may need to comply, but new sales opportunities can also arise. The NIS2 regulation gives you many new opportunities to offer cybersecurity solutions and services to your affected customers.
Organizations Affected
Entities of a type referred to in Annex I or II, as well as entities identified as critical entities under Directive (EU) 2022/2557.
Essential entities
Large organizations listed in Annex I of NIS2.
At least 250 employees, or an annual turnover of at least 50 million, or an annual balance sheet of at least 43 million.
Important enterprises
Medium-sized organizations from Annex I and medium or large organizations from Annex II.
At least 50 employees, or an annual turnover or annual balance sheet of at least 10 million.
Affected regardless of size or turnover
Entities of a type referred to in Annex I or II, where:
(a) services are provided by:
(i) providers of public electronic communications networks or of publicly available electronic communications services;
(ii) trust service providers;
(iii) top-level domain name registries and domain name system service providers;
(b) the entity is the sole provider in a Member State of a service which is essential for the maintenance of critical societal or economic activities;
(c) disruption of the service provided by the entity could have a significant impact on public safety, public security or public health;
(d) disruption of the service provided by the entity could induce a significant systemic risk, in particular for sectors where such disruption could have a cross-border impact;
(e) the entity is critical because of its specific importance at national or regional level for the particular sector or type of service, or for other interdependent sectors in the Member State;
(f) the entity is a public administration entity:
(i) of central government as defined by a Member State in accordance with national law; or
(ii) at regional level as defined by a Member State in accordance with national law that, following a risk-based assessment, provides services the disruption of which could have a significant impact on critical societal or economic activities.
3. Regardless of their size, this Directive applies to entities identified as critical entities under Directive (EU) 2022/2557.
4. Regardless of their size, this Directive applies to entities providing domain name registration services.
The Fines
For essential entities: At least 2% of annual turnover, or 10M, whichever is higher.
For important entities: At least 1,4% of annual turnover, or 7M, whichever is higher.
Natural persons who represent an essential or important entity may also be held liable.
NIS2 Requirements
(a) policies on risk analysis and information system security;
(b) incident handling;
(c) business continuity, such as backup management and disaster recovery, and crisis management;
(d) supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers;
(e) security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure;
(f) policies and procedures to assess the effectiveness of cybersecurity risk-management measures;
(g) basic cyber hygiene practices and cybersecurity training;
(h) policies and procedures regarding the use of cryptography and, where appropriate, encryption;
(i) human resources security, access control policies and asset management;
(j) the use of multifactor authentication or continuous authentication solutions, secured voice, video and text communications and secured emergency communication systems within the entity, where appropriate.
For more information, Inter Engineering has prepared a document for you which provides all the relevant parts of the official EU paper on NIS2 and translations of those into practical conclusions and measures to take.
You can find the document here.
Inter Engineering added value
We are here to help you with everything you need to comply with the NIS2 directive.
If you are interested in collaborating with us on the NIS2 regulation, please get in touch with us.
If you are interested in developing activities with us for NIS2 as a partner, we are more than willing to collaborate. Please contact us.
*ORGANIZATIONS AFFECTED - ANNEX I (OF NIS2 PAPER)
High Criticality
Energy (production, distribution)
Transport (air, rail, water, road) including companies responsible for the infrastructure
Finance
Health
Drinking water
Waste water
Digital infrastructure (ISPs, DNS, cloud infra & apps, data centers, CAs)
ICT Services (B2B managed services)
Public Administration
Space
**ORGANIZATIONS AFFECTED - ANNEX II (OF NIS2 PAPER)
Other critical sectors
Postal & Courier services
Waste management
Chemicals production, storage, distribution
Food production, processing, distribution
Manufacturing
a. Manufacturing of medical devices
b. Computer, electronic and optical products
c. Electrical equipment
d. Machinery
e. Motor vehicles & trailers
f. Other transport equipment
Digital providers (online marketplace, search engines, social networking)
Research