Cybersecurity NIS2 Abstract

NETWORK AND INFORMATION SECURITY DIRECTIVE (NIS2)

The Network and Information Security Directive (NIS2) is the EU-wide legislation on information security, providing legal measures to enhance the overall level of cyber resilience and standardise cyber security across the EU. 

EU member states are required to transpose NIS2 into their national legislation by the 17th of October 2024. Although NIS2 does not apply to the UK, UK organisations that fall under the scope must be compliant in order to do business in the EU. Bureau Veritas is here to help. 

Apart from a few exemptions, it applies to medium-sized and large companies (50 or more employees, or an annual turnover or balance sheet total above €10 million) in a wide range of sectors, including but not limited to healthcare, digital services, digital infrastructure, banking and finance, food, energy, water, waste management and managed (security) service providers. Some entities, such as DNS service providers, top-level domain name registries and qualified trust service providers, are in scope regardless of their size.

The main aim of the NIS2 Directive is to promote a cyber security culture and ensure the resilience of essential services, under three key areas: 

  • Risk management and incident response

    NIS2 states that organisations must conduct regular risk assessments to identify potential risks and have robust incident response plans to make sure they can respond to and recover from cyber incidents effectively.

  • Security Measures

    It requires organisations to implement technical and organisational measures to ensure the security of their networks and information systems. This includes access controls, encryption, and regular security updates.

  • Reporting Requirements

    Organisations must also report significant cyber incidents to the relevant national authority or CSIRT, in stages: an early warning within 24 hours of becoming aware of the incident, a fuller incident notification within 72 hours, and a final report within one month.

WHAT UK BUSINESSES NEED TO KNOW

NIS2 does not bind UK businesses directly, but it applies to organisations that provide in-scope services to EU businesses regardless of where they are established, and the scope now includes managed service providers. A UK organisation supplying such services therefore falls under the Directive. Local UK information security legislation is also expected to be updated with requirements similar to NIS2.

This includes companies that fit the description of an ‘essential’ or ‘important’ entity in a defined list of sectors, such as internet providers, energy suppliers, drinking water companies, waste processors, banks, transport operators, healthcare institutions, food producers and digital infrastructure providers.

NIS2 requires EU businesses to manage the security of their supply chain and to set security requirements on their suppliers, so adhering to the Directive will be paramount for UK suppliers that want to remain competitive in the EU market.

Failure to act could be costly. Under NIS2, national authorities can impose a wider range of sanctions compared with NIS. For example:

  • Directors and management can be held personally liable for failures in implementation
  • Fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher (for essential entities), or €7 million or 1.4% of total worldwide annual turnover, whichever is higher (for important entities)
  • Regulators may suspend business operations if deemed necessary

Applicable sectors are listed in the sector graphic on the original page (image not reproduced here).

NIS2 COMPLIANCE SERVICES FROM BUREAU VERITAS:

Our experts at Secura, a Bureau Veritas company, offer a range of services to support compliance with NIS2, wherever you are on your cyber security journey. The steps to compliance, and the services we offer to help you complete each one, are:

Verify if NIS2 applies to your organisation

The first step is to establish whether your organisation falls under the scope, which for a UK organisation means asking whether you supply in-scope services to the EU. NIS2 applies to essential and important entities; how an organisation is classified depends on its size and the sector in which it operates.

Train your board and staff

Training your employees, both at the boardroom level and other levels, is an essential part of the NIS2 Directive. We have developed the NIS2 Boardroom Training and SAFE Awareness Programme, helping you meet these requirements at all levels.

Map where your organisation currently stands

To determine what steps you need to take to meet the requirements of the NIS2, it is important to have a good idea of what the security maturity levels of different parts of your organisation currently are. Our NIS2 gap assessment service measures where you are and where you need to go. With this insight, you know which steps you need to take to comply with NIS2.

Implement improvements

After mapping where your organisation currently stands, you can implement any improvement measures that might be required. Our wide range of solutions including CISO support and incident response services can support you both in the implementation and in the interpretation of measures.

Achieve NIS2 compliance

After completing these steps, your organisation will be positioned to meet the NIS2 requirements and will be more secure in the face of cyber threats. Compliance is an ongoing obligation rather than a one-off milestone, so we also support you throughout the process with our CyberCare programme.

WHAT ARE THE BENEFITS OF NIS2 COMPLIANCE?


Compliance is mandatory for some organisations, but compliance with NIS2 will also deliver other benefits, including: 

  • Improved cyber resilience and better planning for cyber threats
  • Enhanced understanding of cyber risks across the organisation
  • Enhanced incident response and reporting

WHY CHOOSE BUREAU VERITAS FOR YOUR NIS2 COMPLIANCE NEEDS?

  • Experienced teams with decades of governance, risk and compliance experience
  • A range of services specifically developed to meet your NIS2 needs and help you become NIS2 compliant
  • Cybersecurity experts in the fields of people, processes and technology
  • A single point of contact and a proven partnership approach
  • A clear roadmap to become and stay NIS2 compliant
  • Backed by the global expertise of Bureau Veritas, a world leader in testing, inspection and certification services

FREQUENTLY ASKED QUESTIONS
HOW DOES NIS2 DIFFER FROM NIS?

NIS2 pursues the same objectives as NIS, but covers a wider range of sectors and a larger set of organisations, sets stricter requirements for risk management and incident reporting (including fixed reporting deadlines), makes management bodies accountable, and carries higher penalties for non-compliance.

CAN YOU SUMMARISE THE MAIN REQUIREMENTS OF NIS2?

NIS2 requires organisations to establish processes for risk analysis and management, information security, cyber incident handling and supply chain security. Business continuity and recovery plans must be in place to respond to emergencies. Significant incidents must be reported to the relevant authorities within the set deadlines. Organisations must have policies on the use of cryptography and, where appropriate, encryption, and must use multi-factor or continuous authentication where appropriate. Management bodies must approve and oversee the risk management measures and follow training themselves, and regular training in basic cyber hygiene and information security best practices is required for staff.

HOW DOES NIS2 RELATE TO ISO 27001?

While ISO 27001 and NIS2 both aim to enhance cyber security, they differ in scope, applicability and approach: ISO 27001 is a voluntary, certifiable management system standard, whereas NIS2 is law, with binding incident reporting deadlines, management liability and supervision by national authorities. If your Information Security Management System (ISMS) is certified to ISO 27001, you will be well on the way to NIS2 compliance, but additional measures and processes, in particular around incident reporting and governance, are likely to be required.
