EU NIS2 Directive

Ensure compliance with the Network & Information Security Directive (NIS2)

Meet the requirements of the Network & Information Security Directive (NIS2) with ease using the GRC Toolbox. Protect critical infrastructure, streamline security, and mitigate cyber threats effortlessly.

Network & Information Security Directive (NIS2)
Standard Directive (EU) 2022/2555 (NIS2)
Region Europe
Coming into force 18 October 2024 (no transition period)
Swiss GRC Solution GRC Toolbox

Leading companies rely on our solutions

Network & Information Security Directive (NIS2)

Achieve NIS2 compliance with our solutions

Leverage the powerful features of the GRC Toolbox to meet essential requirements and achieve NIS2 compliance.

Risk Assessment and Management

Enhance your cybersecurity by conducting thorough risk assessments and implementing effective mitigation strategies with our GRC Toolbox.

Incident Reporting and Management

Ensure swift and compliant incident reporting within 24 hours and manage incidents efficiently to minimize impact using our streamlined GRC Toolbox solutions.

Policy Management

Develop, document, and maintain robust cybersecurity policies and procedures that align with NIS2 requirements with the help of our GRC Toolbox.

Information Security Management (ISMS)

Implement and maintain a robust ISMS that aligns with NIS2 standards, ensuring a structured approach to managing and protecting sensitive information with our GRC Toolbox.

Third-Party Risk Management

Secure your supply chain by evaluating and managing cybersecurity risks from third-party vendors and service providers using our comprehensive GRC Toolbox.

Continuous Monitoring and Auditing

Achieve sustained NIS2 compliance with continuous monitoring and regular audits to enhance your overall cybersecurity posture through our GRC Toolbox.

Frequently Asked Questions about NIS2

The Network & Information Security Directive (NIS2) is a crucial regulatory framework designed to enhance cybersecurity and protect critical infrastructure across the European Union (EU). Below are answers to frequently asked questions about NIS2 compliance and its implications.

The EU Network & Information Security Directive (NIS2) is a comprehensive regulatory framework aimed at improving the cybersecurity and resilience of critical infrastructure within the European Union. NIS2 builds on the original NIS Directive, expanding its scope to cover more sectors and imposing stricter security requirements. It mandates that organizations implement robust cybersecurity measures, report significant incidents, and ensure effective risk management to safeguard against cyber threats. The directive’s goal is to create a high common level of cybersecurity across the EU, enhancing the protection of essential services and critical infrastructure.

The key requirements of the Network & Information Security Directive (NIS2) include:

  1. Expanded Scope: NIS2 covers a broader range of sectors, including healthcare, digital infrastructure, public administration, and the food sector, in addition to the sectors covered by the original NIS Directive.
  2. Risk Management and Security Measures: Organizations must implement robust risk management practices and security measures to protect their network and information systems. This includes measures to prevent, detect, and respond to cyber threats.
  3. Incident Reporting: Entities must report significant cybersecurity incidents to relevant authorities within 24 hours of detection. This ensures timely response and coordination to mitigate impacts.
  4. Supply Chain Security: Organizations are required to manage risks associated with their supply chains and service providers, ensuring that third parties also comply with security standards.
  5. Governance and Accountability: NIS2 mandates that organizations designate a responsible person or team for cybersecurity within their executive management to ensure accountability and effective oversight.
  6. Penalties and Enforcement: The directive includes stricter penalties for non-compliance, including significant fines, to ensure adherence to the requirements.
  7. Cooperation and Information Sharing: NIS2 promotes enhanced cooperation and information sharing between member states, relevant authorities, and stakeholders to improve collective cybersecurity resilience.


These requirements aim to bolster the overall cybersecurity posture of critical infrastructure and essential services across the European Union, ensuring a coordinated and robust defense against evolving cyber threats.

The NIS2 Directive emphasizes supervision and enforcement by competent authorities, establishing a clear framework for these activities across Member States. It specifies supervisory measures such as regular audits, on-site and off-site checks, information requests, and access to documents or evidence to ensure effective compliance.

NIS2 differentiates supervisory regimes between essential and important entities to balance obligations. It also introduces a consistent framework for sanctions across the EU, listing minimum administrative penalties for breaches of cybersecurity risk management and reporting obligations. These sanctions include binding instructions, orders to implement security audit recommendations, orders to comply with NIS requirements, and administrative fines.

For fines, NIS2 sets higher penalties for essential entities, with a maximum of €10,000,000 or 2% of total worldwide annual turnover, and for important entities, a maximum of €7,000,000 or 1.4% of total worldwide annual turnover. Competent authorities must consider the specifics of each case, including the nature and severity of breaches and any damages incurred. Additionally, NIS2 holds senior management in covered entities accountable for cybersecurity measures.

The NIS2 directive covers entities from the following sectors:

Essential sectors:

  • Energy (electricity, oil, gas, district heating and cooling, and hydrogen).
  • Transport (air, rail, water, and road).
  • Healthcare
  • Water supply (drinking water, wastewater).
  • Digital infrastructure (telecom, DNS, TLD, cloud service, data centres, trust service providers).
  • Finance (banking, financial market infrastructure)
  • Public administration
  • Space


Important sectors:

  • Digital providers (online markets, search engines, social networks)
  • Postal services
  • Waste management
  • Foods
  • Manufactoring (medical devices, electronics, machinery, transport equipment)
  • Chemicals (production and distribution
  • Research

NIS2 impacts small and medium-sized enterprises (SMEs) by requiring them to:

  1. Comply with cybersecurity standards if they operate in critical sectors.
  2. Implement comprehensive risk management practices.
  3. Report significant cybersecurity incidents within 24 hours.
  4. Manage supply chain cybersecurity risks.
  5. Allocate resources for compliance and security measures.

 

While challenging, NIS2 aims to enhance the overall cybersecurity resilience of SMEs. Member states may offer support and guidance to assist SMEs in meeting these requirements.

The deadline for EU member states to transpose the Network & Information Security Directive (NIS2) into national law is October 17, 2024. By this date, each member state must have adopted the necessary legislative and regulatory measures to ensure the directive is implemented at the national level.

For organizations, the compliance deadline is October 18, 2024. This means that organizations within the EU must meet the NIS2 requirements by this date, following the national transposition by October 17, 2024. Organizations should begin their compliance efforts early to align with both the national regulations and the overall NIS2 framework by these deadlines.

Our GRC Toolbox delivers robust features designed to ensure seamless NIS2 compliance for your organization. This scalable solution empowers proactive management and mitigation of cybersecurity risks through an advanced, data-driven approach. By capturing and analyzing data across the enterprise, it provides a dynamic and comprehensive view of potential threats and vulnerabilities. In the event of a cybersecurity incident, Swiss GRC streamlines the entire incident management process, ensuring compliance with NIS2’s stringent 24-hour reporting requirements. It facilitates rapid response to minimize downtime and severity, and supports thorough root cause analysis to prevent recurrence. The GRC Toolbox also enhances your cybersecurity framework by aiding in the development and enforcement of policies, managing supply chain risks, and conducting regular audits to maintain continuous compliance and strengthen overall cyber resilience.

Insurers like Baloise face complex regulatory challenges that require comprehensive GRC software. Choosing Swiss GRC for information security and implementing the GRC Toolbox were the right steps for us. We were impressed by the straightforward integration, the modularity of the GRC Toolbox and the transparent pricing. Our satisfaction so far encourages us to introduce further modules such as data protection to fully meet our requirements. Swiss GRC is our trusted partner to achieve our GRC goals.

Dominik Mutter
Senior Information Security Officer, Baloise

Dominik Mutter

Discover all our solutions around GRC​

Create the foundation for a successful GRC strategy. With the GRC Toolbox, you can gradually extend your digital governance, risk and compliance processes to all other GRC areas.

Contract Management

Risk Management

Data Protection Management

Internal Control (ICS)

GRC TOOLBOX

Ensure NIS2 compliance with the GRC Toolbox

Find out how we can support you with the implementation and compliance of NIS2.

Mirko Hegi

Mirko Hegi, GRC Expert, PostFinance AG

Right from the start, the cooperation was at eye level and we understood each other, not only on a professional but also on a human level.

Fill out and submit the form, and we will contact you shortly.

    Solution of Interest