
What on earth is NIS2?

By Russell Gower-Leech, Cybersecurity Manager | Published 2 Sep 2024

Another day, another weird tech acronym! This time it’s related to cybersecurity. NIS2 (Network and Information Security version 2) is the latest EU directive that aims to improve the cybersecurity and resilience of organisations that provide particular services. The legislation comes into force on 18 October 2024.

In this super quick run-through, we’ll explain which types of business could be impacted and what you can do to get your organisation ready. Let’s go…

What’s new about NIS2?

NIS2 expands the scope of the previous NIS Directive (from 2016) by covering more sectors and types of entities, including those that are part of the supply chain of Essential or Important services. It also introduces stricter obligations and penalties for non-compliance.

What sort of businesses are impacted?

NIS2 classifies organisations into two categories: Essential and Important. Essential businesses are those that provide services that are critical for society and the economy. This includes:  

Important entities are those that provide services that support the essential ones, such as: 

As NIS2 is European legislation, it won’t affect all UK businesses, just those trading with or operating in Europe. However, the UK government is expected to align with these requirements in the future, so UK businesses should consider preparing now.

What are the main requirements of NIS2?

There are both broad organisational requirements and 10 minimum cybersecurity measures in NIS2. The minimum cybersecurity measures for affected organisations are:

  1. Conduct risk assessments and establish security policies for information systems.
  2. Develop policies and procedures to improve the effectiveness of security measures.
  3. Implement policies and procedures for the use of cryptography and encryption where relevant.
  4. Define a plan for handling security incidents.
  5. Ensure security in the procurement, development, and operation of systems, including vulnerability reporting.
  6. Provide cybersecurity training and maintain basic computer hygiene practices.
  7. Implement security procedures for employees accessing sensitive data, including data access policies and asset management.
  8. Manage business operations during and after a security incident, ensuring up-to-date backups and access to IT systems.
  9. Use multi-factor authentication, continuous authentication solutions, and voice, video, and text encryption.
  10. Secure supply chains, assessing vulnerabilities and overall security levels for all suppliers.

What are the possible penalties?

Essential organisations could face administrative fines of up to €10M or at least 2% of the total annual worldwide turnover in the previous financial year of the company to which the entity belongs, whichever is higher. 

For important entities, the penalties include administrative fines of up to €7M or at least 1.4% of the total annual worldwide turnover in the previous financial year, whichever is higher. 

What can I do now to make sure I’m compliant with NIS2?

Start by working out whether NIS2 applies to your organisation and, if so, whether you are classified as an “important” or “essential” entity. This will affect the requirements you need to meet.

Take a thorough look at the NIS2 requirements and the ten minimum measures. Audit your current cybersecurity posture, processes, and technology against the standards to identify any areas that need improvement.

If you need some help, just let us know. Drop us an email to hello@select-technology.co.uk or give us a call on 01892 830111.
