
NIS2: Who is concerned and which obligations should be anticipated?

Cyberattacks are multiplying and now affect organisations of every type and size. In response to this growing threat, the European Union adopted the NIS2 Directive, aimed primarily at critical sectors, in order to raise the overall level of cybersecurity across the Union and to improve organisations' resilience against cyber risks.

Which organisations are concerned by NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) significantly broadens the scope of its predecessor, the first NIS Directive of 2016. It no longer targets only a limited set of operators of essential services and digital service providers, but now applies to a large number of companies and public bodies across many sectors.

Sectors of high criticality (Annex I of the Directive), considered essential to the functioning of society, include in particular:

• Energy
• Transport
• Banking and financial market infrastructures
• Healthcare
• Drinking water and wastewater
• Digital infrastructure, such as cloud services, data centres, DNS, etc.
• ICT service management
• Public administrations
• Space sector

A second list (Annex II, "other critical sectors") covers, among others, postal and courier services, waste management, chemicals, food production and distribution, manufacturing, digital providers such as online marketplaces, search engines and social networking platforms, and research organisations.

Beyond the sector of activity, the size of the organisation is the second scoping criterion under the NIS2 Directive. As a general rule, an entity active in one of these sectors is in scope if it is at least a medium-sized enterprise, i.e. if it meets one of the following conditions:

• At least 50 employees
• An annual turnover and a balance sheet total that both exceed €10 million

Some entities are covered regardless of their size, for example DNS service providers, TLD name registries, trust service providers, providers of public electronic communications networks or services, public administration entities, and entities that are the sole provider in a Member State of a service essential to society or the economy.

This means that, in practice, many companies that did not previously consider themselves to be critical actors are now concerned by NIS2.

What are the main obligations?

For the organisations concerned, the NIS2 Directive does not stop at identifying them. It also requires the implementation of concrete cybersecurity measures.

Article 21 notably requires entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems, based on an all-hazards approach to risk analysis.

The main obligations include:

• Incident handling, with capabilities for detection and response, and notification of significant incidents to the competent authority or CSIRT under Article 23: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month
• Business continuity, through backup management, disaster recovery plans and crisis management
• Supply chain security, including the assessment and monitoring of suppliers and service providers
• Vulnerability management, with security built into the acquisition, development and maintenance of systems, and the identification, handling and disclosure of vulnerabilities
• Protection of systems and networks, through appropriate technical measures such as access control, asset management, cryptography and, where appropriate, multi-factor authentication
• Basic cyber hygiene practices, and awareness-raising and training of teams regarding cyber risks

These requirements show that cybersecurity can no longer be approached solely as a technical matter.

It is becoming a strategic issue involving several functions within the organisation, including IT, legal, risk management and senior management. Article 20 makes this explicit: the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation and follow training themselves, and they can be held liable for infringements.

Take action with TPO Solutions

Compliance deadlines vary with the entity's situation: they run over 18 or 30 months from the entry into force of the Belgian NIS2 framework or from the entity's identification by the CCB (Centre for Cybersecurity Belgium). In every case, NIS2 is much more than a regulatory obligation: it is an opportunity to structure your cybersecurity in a sustainable way.

Our multidisciplinary team supports you in understanding your obligations, structuring your cyber governance and implementing a concrete and effective approach to NIS2 compliance.

Would you like to go further?

👉 Contact us:
Sabine Mersch
info@tpo.solutions
+32 87 71 02 00
www.tpo.solutions