NIS2

Companies and organizations must implement technical, operational, and organizational measures to minimize the risk in their networks and systems and be better prepared for a cyberattack. Companies that do not comply with the requirements after 2025-01-01 may be fined up to 10 million euros or 2% of the total turnover in the EU, whichever is higher.

Who is covered by NIS2

NIS2, or the Second Network and Information System Directive, is a new EU directive that establishes a new minimum standard for how companies in particularly vulnerable sectors handle cyber threats and incident management. Companies and organizations covered by this directive have until October 18, 2024, to comply with the requirements. Companies with more than 50 employees or a balance sheet total or turnover exceeding 10 million euros in these sectors will be affected. Additionally, there are companies that will be affected regardless of turnover and number of employees. Key suppliers to these companies may also be included. Contact us for more information.

Critical entities
  • Energy
  • Transportation
  • Banking
  • Financial market infrastructure
  • Healthcare Supply
  • Distribution of drinking water
  • Digital infrastructure

Important entities
  • Wastewater management
  • Management of ICT services
  • Public administration
  • Space
  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Manufacture, processing, and distribution of food
  • Manufacturing
  • Digital providers
  • Research

What do you as a company need to do?

The EU recommends that organizations establish and maintain an information security management system that enables them to manage their cyber risks and enhance resilience against cyberattacks. Below are the points that need to be in place to comply with NIS2 requirements.

Prevent threats

Identity and access management, multi-factor authentication, secure software development, vulnerability management and reporting, firewalls and gateway controls.

Detect and respond to threats

Monitoring with action, investigation and incident management, as well as reporting and recovery.

Minimize disruption during serious incidents

Incident management governance, processes and manuals, exercises and improvement, business continuity management.

Continuous monitoring & Model threats

Risk-based penetration testing and review. Exposure of critical assets, impact and likelihood of intrusion, mitigation options, and residual risk.

Identify assets

Attack surface and vulnerability scanning, mapping of data and assets to identify critical assets.

Assess risks from third parties

Identify critical suppliers, prescribe and monitor compliance with agreed security policies, meet key customer policies.

Our packages

All companies are different and have different needs. We always start with an analysis of the current state, sometimes called a gap analysis. It provides an understanding of specific areas for development or gaps in relation to a desired level, and you will also gain valuable insights into your overall cybersecurity management. Below, we have selected three packages depending on how much you already have in place today and how much guidance you wish to receive. Contact us via the form below for a personalized consultation where we will provide more information.

Contact us for a personal consultation