
The NIS2 Directive represents the European Union's significantly strengthened approach to cybersecurity regulation. Building on lessons learned from the original Network and Information Security Directive, NIS2 dramatically expands scope, increases requirements, and introduces serious consequences for non-compliance.
NIS2 (Directive (EU) 2022/2555) replaces the original NIS Directive of 2016, addressing criticisms that the earlier directive covered too few organizations and gave regulators too little enforcement power. Member states had to transpose it into national law by 17 October 2024, and it applies across the EU from 18 October 2024. Organizations should have begun compliance preparation well in advance of this date.
The original directive applied narrowly to operators of essential services that each member state had specifically designated. NIS2 removes this designation step for most entities: an organization is in scope automatically if it operates in a covered sector and meets the size threshold. This change dramatically increases the number of affected organizations, and it shifts the burden onto each organization to determine for itself whether it is covered.
Security requirements become more concrete and prescriptive under NIS2, with a minimum set of risk-management measures covering areas such as incident handling, business continuity, supply chain security, vulnerability handling, cryptography, access control and multi-factor authentication. Supply chain security receives explicit attention, requiring organizations to assess and manage risks arising from their suppliers and service providers. Incident reporting timelines tighten significantly: a significant incident requires an early warning to the competent authority or CSIRT within 24 hours of becoming aware of it, a fuller incident notification within 72 hours, and a final report within one month.
Enforcement gains serious teeth under NIS2. For essential entities, maximum administrative fines reach 10 million euros or two percent of global annual turnover, whichever is higher; for important entities the ceiling is 7 million euros or 1.4 percent of global annual turnover. Perhaps most significantly, management bodies must approve the organization's cybersecurity risk-management measures, oversee their implementation and undergo related training, and they can be held personally liable for failures to do so. This creates individual accountability that cannot simply be delegated to the security team.
NIS2 distinguishes between Essential Entities and Important Entities based on a combination of sector criticality and organization size. Sectors of high criticality (Annex I of the directive) are energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space; large organizations in these sectors are Essential Entities, while medium-sized ones are generally Important Entities.
Other critical sectors (Annex II) include postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing, digital providers (such as online marketplaces, search engines and social networks), and research organizations. Organizations in these sectors are Important Entities regardless of whether they are large or medium-sized.
Size is assessed using the EU definition of small and medium-sized enterprises. An organization counts as large when it has 250 or more employees, or an annual turnover above 50 million euros together with a balance sheet total above 43 million euros; it counts as medium-sized when it has 50 or more employees, or an annual turnover or balance sheet total above 10 million euros. Small and micro organizations are generally out of scope, unless they perform particularly critical functions within a covered sector (for example, as the sole provider of a service in a member state, or as a DNS service provider, TLD name registry or trust service provider), or a member state brings them into scope.
What new compliance status is assigned automatically?
Who faces personal liability for non-compliance?
What is the max penalty percentage of turnover?