Understanding the NIS2 Directive

  • What is the NIS2 directive?
  • Published by: André Hammer on Feb 07, 2024
Blog Alt EN

The NIS2 Directive is a big law that impacts UK businesses and organizations. Understanding its rules is important for digital security.

In this article, we will look at the main points of the NIS2 Directive and how it affects different sectors. It's important for all types of businesses to understand NIS2 for navigating the digital world.

What is the NIS2 Directive?

Evolution from the Original NIS Directive

The NIS2 Directive aims to enhance the security of network and information systems across the UK. Its key objectives include:

  • Strengthening the resilience of critical infrastructure
  • Improving cybersecurity measures
  • Fostering greater cooperation among Member States

Compared to the original NIS Directive, the NIS2 Directive places a greater emphasis on:

  • The role of digital service providers
  • Their obligation to implement robust security measures
  • Introducing a risk-based approach to security

This new approach acknowledges the evolving nature of cybersecurity threats and the need for improved collaboration between public and private entities. The NIS2 Directive also introduces:

  • New incident reporting requirements
  • Supply chain security measures
  • Enhanced accountability measures

These are in place to ensure that critical infrastructure operators and digital service providers remain vigilant against potential cyber threats. These changes reflect the evolving cybersecurity landscape and the need for a more comprehensive and coordinated approach to cybersecurity across the UK.

Key Objectives of the NIS2 Directive

Enhance National Cybersecurity

The NIS2 Directive aims to improve national cybersecurity. It sets key objectives for organizations to meet, such as enhancing cybersecurity capabilities, ensuring network and information systems' security and resilience, and promoting cross-border cooperation among EU member states.

Organizations must comply by implementing security measures, reporting major incidents, and cooperating with authorities. The directive also encourages improved cooperation through the establishment of a Cooperation Group, a Strategic Union single contact point, and the Network of National Coordination Centres.

This collective approach aims to strengthen the overall cybersecurity posture of EU member states through shared responsibilities and collective action.

Promote Improved Cooperation

The NIS2 Directive can improve cooperation for addressing cybersecurity challenges. It requires Member States to establish a national cybersecurity unit responsible for the cybersecurity of operators of essential services and digital service providers. This unit will encourage information sharing and collaboration among different entities to enhance cybersecurity measures.

Additionally, it will designate a single point of contact for cross-border cooperation to strengthen coordination and response to cybersecurity incidents. The NIS2 Directive also emphasizes the importance of cooperation among entities in supply chains to enhance cybersecurity.

By identifying and implementing measures to increase transparency and communication between different entities in the supply chain, cybersecurity can be improved. The European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) plays a key role in promoting improved cooperation under the NIS2 Directive. It establishes a network of national cybersecurity coordination authorities to facilitate the exchange of information, best practices, and expertise for a coordinated response to cyber crises at the European level.

Strengthen Security Measures Along Supply Chains

Security measures can be improved by:

  • Implementing strong cybersecurity controls
  • Conducting regular risk assessments
  • Establishing contingency plans for security breaches.

To comply with the NIS2 Directive, entities must:

  • Implement security measures to prevent incidents
  • Report significant incidents to relevant authorities

Risk management involves:

  • Identifying threats, vulnerabilities, and impact scenarios
  • Implementing security measures to reduce risks

The NIS2 Directive promotes:

  • Information sharing and best practices
  • Enhancing incident response capabilities
  • Fostering trust and transparency among supply chain entities.

Entities Registration Under the NIS2 Directive

Categories of Entities

Under the NIS2 Directive, entities fall into two categories: digital service providers (DSPs) and operators of essential services (OES). Each category has its own compliance obligations.

DSPs include online marketplaces, search engines, and cloud services. OES covers sectors such as energy, transport, healthcare, and digital infrastructure.

Both DSPs and OES must ensure the security of their network and information systems. They are also required to report any incidents that could significantly impact service delivery.

The Directive addresses jurisdictional complexity by establishing a cooperation group. This group facilitates strategic cooperation and the exchange of information among member states. This ensures a consistent approach to cybersecurity across the EU.

As a result, both DSPs and OES need to follow the compliance obligations of the NIS2 Directive. It is crucial for them to collaborate in addressing cyber threats in the digital world.

Registration Requirements

Entities covered by the NIS2 Directive must follow specific registration requirements. This includes providing relevant information and documentation, as well as adhering to security and risk management guidelines.

Any operator of essential services and digital service providers under the directive's scope must complete the registration process. Compliance obligations involve implementing security measures, reporting incidents, and cooperating with national cybersecurity enforcement authorities.

Examples of entities that may need to register and comply with the NIS2 Directive include financial institutions, energy suppliers, e-commerce platforms, online marketplaces, cloud services, and search engines.

Compliance Obligations

Under the NIS2 Directive, organizations have to follow certain rules about their cybersecurity and digital resilience. This involves putting in place measures to stop and reduce the effects of cybersecurity incidents, and telling the right authorities about these incidents. To meet the NIS2 Directive requirements, organizations can do risk assessments, put in the right security measures, and create plans for when incidents happen.

If organizations don't follow the NIS2 Directive, they could face big fines. It's really important for organizations to know and deal with their obligations under the NIS2 Directive to avoid financial and reputational harm.

Prepare for Compliance with NIS2 Directive

Risk Management

The NIS2 Directive aims to make network and information systems more secure in the European Union. It focuses on improving cybersecurity preparedness, response capabilities, and incident reporting.

Entities can prepare for compliance by:

  • Implementing robust risk management frameworks.
  • Conducting thorough risk assessments.
  • Developing incident response plans.

They should also establish due diligence requirements for managing supply chain security, ensuring that suppliers and partners adhere to high cybersecurity standards. This helps mitigate risks related to third-party dependencies and strengthens overall cyber resilience.

Incident Reporting Procedures

The NIS2 directive explains how digital service providers and operators of essential services in the UK should report incidents. It says they must report incidents promptly and provide all necessary information. The directive also sets out specific timeframes for reporting. For instance, essential service operators must report significant incidents within 2 hours, while digital service providers have 24 hours to report incidents.

Additionally, the directive improves cooperation with the CSIRT platform. It requires member states to ensure that CSIRTs can work together effectively and provide support to resolve incidents. This cooperation aims to enhance cybersecurity resilience in the European Union and its member states.

Accountability Measures

Entities must follow specific rules under the NIS2 Directive. These rules relate to managing risks, handling incidents, setting security policies, and conducting security tests. To register and meet the NIS2 Directive requirements, entities need to show proof of implementing these measures through documented policies and procedures.

Not following the NIS2 Directive could lead to penalties, like financial sanctions, public reprimands, and requirements to address the non-compliance within a giventime. These penalties are in place to make sure that entities take the right actions to secure their networks and information systems, and safeguard the UK's digital infrastructure.

Incident Reporting under the NIS2 Directive

Thresholds for Reporting

Under the NIS2 Directive, reporting thresholds are determined based on factors like the impact and duration of incidents and the number of affected users.

For instance, incidents leading to significant disruption of essential services or severe financial depletion must be reported. Similarly, incidents affecting democratic processes and public order may also require reporting.

These thresholds directly influence incident reporting procedures and timelines, determining the severity level that triggers reporting obligations.

Regarding interaction protocols with the CSIRT platform under the NIS2 Directive, these include notifying incidents to the competent authority and providing all necessary information to the CSIRT to mitigate the incident. This may involve sharing technical and non-technical details about the incident to facilitate response and recovery coordination.

Timelines and Protocols

Under the NIS2 Directive, there are timelines and protocols for incident reporting. This ensures that entities meet reporting requirements on time. The directive emphasises that entities should prepare for compliance by implementing effective risk management and accountability measures. This helps in prioritizing the safeguarding of network and information systems.

The NIS2 Directive has key objectives. It aims to focus on the security and resilience of critical entities. It also provides regulatory measures for swift and effective response to cybersecurity incidents. Additionally, the directive aims to adapt to the evolving threat landscape by introducing updated security measures. It also reinforces cross-border cooperation among Member States.

For example, the NIS2 Directive stresses the implementation of incident response and recovery plans. This helps entities effectively manage and mitigate the impact of cybersecurity incidents in a timely and efficient manner.

CSIRT Platform Interaction

The NIS2 Directive aims to make supply chains more secure. It does this by improving cooperation for CSIRT platform interaction. The main objectives are to enhance incident reporting protocols and requirements for CSIRT platform interaction. This helps ensure effective response to and management of cybersecurity incidents. Ultimately, it contributes to the overall resilience of digital infrastructure.

Organisations must establish and maintain incident reporting capability. They also need to interact effectively with CSIRT platforms. This involves reporting incidents promptly and cooperating with CSIRT teams for information-sharing and threat intelligence.

By following these protocols, organisations can help make cyberspace more secure. This safeguards their operations and the broader digital ecosystem.

Improved Cooperation Through the NIS2 Directive

European Cyber Crisis Liaison Organisation Network (EU-CyCLONe)

The European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is an important part of the NIS2 Directive. Its aim is to improve cooperation and coordination across the European Union for responding to cybersecurity incidents.

It establishes a framework for Member States to share information and expertise. This is to encourage a more unified approach to managing cybersecurity risks, especially in critical sectors like energy, transport, banking, financial market infrastructures, and digital infrastructures.

The NIS2 Directive mandates entities in these critical sectors to comply with specific cybersecurity risk management obligations and report any incidents. EU-CyCLONe is essential for facilitating compliance obligations and incident reporting procedures. It provides a platform for information exchange, threat intelligence sharing, and mutual assistance during a cybersecurity crisis.

Through this collaborative network, entities can effectively tackle and reduce cybersecurity threats. This contributes to enhancing the overall resilience of the European Union's digital infrastructure.

Cross-Border Collaboration

The NIS2 Directive aims to enhance national cybersecurity in EU member states. It promotes cooperation and coordination and emphasizes risk management, incident reporting, and cybersecurity capabilities.

To prepare for compliance, entities can invest in robust cybersecurity measures, conduct thorough risk assessments, and implement incident response protocols.

The directive also encourages cross-border collaboration for information sharing and testing cooperation mechanisms. This helps manage cybersecurity risks within supply chains.

Managing Supply Chains Security Within NIS2 Directive

Due Diligence Requirements

Entities under the NIS2 Directive must follow due diligence for supply chain security. They need to assess their supply chain partners and ensure they meet the security standards. To comply, they must establish strong risk management and incident reporting procedures. This includes creating incident response plans, training employees on cybersecurity, and using risk assessment tools. Non-compliance can lead to penalties.

Due to jurisdictional complexity, organizations may require legal expertise in cybersecurity law to navigate regulations and reporting across EU member states.

Third-Party Supplier Risks

Under the NIS2 Directive, third-party supplier risks can include cybersecurity threats, data breaches, and operational disruptions. Organisations can manage these risks by implementing strong due diligence processes, clear contractual obligations, and regular supplier audits.

Failing to address these risks in line with the NIS2 Directive can result in financial losses, reputational damage, and regulatory penalties. Therefore, it's important for organisations to actively identify and mitigate third-party supplier risks to comply with the NIS2 Directive and protect their operations.

Accountability and Management of Cybersecurity Risks

The NIS2 Directive focuses on improving national cybersecurity and enhancing security measures along supply chains. It aims to strengthen cooperation and increase resilience to cyber threats. The directive places emphasis on ensuring that essential service providers and digital service providers adhere to stringent security measures and reporting requirements.

Entities can ensure compliance with the NIS2 Directive by fulfilling registration requirements, implementing robust risk management strategies, establishing incident reporting procedures, and adhering to accountability measures. The directive also establishes thresholds for reporting incidents and facilitates improved cooperation, European cyber crisis liaison, and cross-border collaboration to effectively mitigate cyber threats.

Setting out clear requirements and guidelines for incident reporting and security measures, the NIS2 Directive contributes to the overall strengthening of national and European-level cybersecurity.

Addressing Jurisdictional Complexity in NIS2

Addressing jurisdictional complexity in NIS2 has challenges. Each EU member state has different laws and regulations. This makes it hard for businesses in multiple countries to follow cybersecurity requirements. NIS2 aims to create a common framework for cybersecurity rules in the EU. It wants to make compliance easier by having one set of regulations instead of many conflicting ones. This can benefit businesses by making operations more efficient and improving cybersecurity in the EU.

Also, NIS2 can enhance collaboration and information sharing across borders, making the EU's digital environment more secure.

Penalties for Non-Compliance with the NIS2 Directive

Failing to follow the NIS2 Directive can lead to serious legal and financial consequences for organisations. Penalties for not complying may include large fines and sanctions. The Directive gives regulatory bodies the power to take action against those who do not follow it. Regular audits and assessments are also in place to make sure that the NIS2 Directive is being followed and to prevent non-compliance.

It's very important for organisations to put strong cybersecurity measures in place and to regularly check their security. This is necessary to avoid facing penalties for not following the NIS2 Directive.

Therefore, businesses need to understand the requirements of the NIS2 Directive and take proactive steps to comply with it. This is to avoid any potential legal and financial problems.

Looking Forward: The Impact of the NIS2 Directive

The NIS2 Directive is a set of rules to make network and information systems safer in the European Union. It has goals like boosting cybersecurity, making member states work together better, and keeping essential services secure.

This directive will affect cybersecurity by making companies and organizations follow certain rules. They must do regular risk checks and put in safety measures to stop and lessen the impact of cyber attacks.

The NIS2 Directive will improve how countries work together and manage cybersecurity. It will create a plan for member states to share info, best ways to do things, and strategies to stop and handle cyber threats better.

Not following the NIS2 Directive has big consequences. Companies could get fined or punished. This means they'll want to focus on cybersecurity and spend on things to follow the rules and lower the risk of getting in trouble.


The NIS2 Directive is designed to improve the EU's cybersecurity framework. It introduces new rules for operators of essential services and digital service providers. Member states must identify essential service operators and impose security and reporting requirements on them. Digital service providers also have new incident notification obligations.

The directive highlights the importance of EU countries and the EU Agency for Cybersecurity cooperating to respond to and prevent cyber threats effectively.

Readynez offers a 4-day NIS 2 Directive Lead Implementer Course and Certification Program, providing you with all the learning and support you need to successfully prepare for the exam and certification. The NIS 2 Lead Implementer course, and all our other Security courses, are also included in our unique Unlimited Security Training offer, where you can attend the NIS 2 Lead Implementer and 60+ other Security courses for just €249 per month, the most flexible and affordable way to get your Security Certifications.

Please reach out to us with any questions or if you would like a chat about your opportunity with the NIS 2 Lead Implementer certification and how you best achieve it. 


1. What is the NIS2 Directive?

The NIS2 Directive is a European Union directive that aims to enhance the cybersecurity readiness of critical infrastructure operators and digital service providers. It includes requirements for incident reporting, risk management, and security measures. Examples of critical infrastructure operators include energy, transport, healthcare, and financial services.

2. Who does the NIS2 Directive affect?

The NIS2 Directive affects operators of essential services and digital service providers, such as energy, transport, finance, healthcare, and cloud computing companies, as well as online marketplaces and search engines.

3. What are the main objectives of the NIS2 Directive?

The main objectives of the NIS2 Directive are to increase the cybersecurity resilience of critical entities, improve cross-border cooperation, and ensure a common level of cybersecurity across the EU. For example, this includes establishing cybersecurity incident reporting requirements and promoting information sharing among member states.

4. What are the key requirements of the NIS2 Directive?

The key requirements of the NIS2 Directive include implementing appropriate security measures, reporting security incidents, and identifying essential service operators. For example, organizations must have cybersecurity measures in place and report any incidents that could affect their services.

5. How can organizations comply with the NIS2 Directive?

Organizations can comply with the NIS2 Directive by implementing cybersecurity measures, conducting risk assessments, and reporting incidents to the relevant authorities. They can also ensure resilience by regularly testing and updating their security measures.

Two people monitoring systems for security breaches

Unlimited Security Training

Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course. 

  • 60+ LIVE Instructor-led courses
  • Money-back Guarantee
  • Access to 50+ seasoned instructors
  • Trained 50,000+ IT Pro's



Price: {{item.ItemPriceExVatFormatted}} {{item.Currency}}