
#nis2

NIS 2 Explained

for FortMesa webinar June 2025: "The State of EU Cyber Compliance: NIS2 Explained"

Goal of NIS2

The ultimate goal behind NIS-2 is to significantly raise the baseline level of cybersecurity and resilience across the European Union, especially for critical infrastructure and essential services [1][2][3]. NIS-2 aims to:

  • Establish a unified, high standard of cybersecurity for network and information systems in key sectors across all EU member states [1][4][3].
  • Ensure organizations implement robust risk management, incident response, and business continuity measures to prevent, detect, and minimize the impact of cyber incidents [2][3].
  • Promote consistency by harmonizing security requirements, reporting obligations, and enforcement across the EU, addressing previous fragmentation and gaps [1][5][3].
  • Strengthen cooperation and information sharing among member states for a coordinated response to cross-border cyber threats [1][2][3].

In essence, NIS-2 is designed to protect the EU's economy and society by making its digital infrastructure more secure, resilient, and better prepared for evolving cyber threats [1][2][3].

GDPR is about protecting citizens against the misuse of personal data; in information security terms, it is therefore mostly about the confidentiality of data. Protecting privacy was the goal, and information security management was almost a sideshow. NIS 2 is all about the resilience of critical infrastructure under threat of cybercrime (including by state actors), and it has a broader information security focus: the complete information security package.

History and Current Status

Origins and NIS1 Directive (2016):

  • The original Network and Information Security Directive (NIS1), adopted in 2016 (Directive 2016/1148), was the EU's first comprehensive cybersecurity law, aiming to establish a high common level of cybersecurity across Member States [6][7][8].
  • NIS1 targeted critical sectors like energy, transport, healthcare, finance, water, and digital infrastructure, requiring essential service providers and digital service providers to take security measures and report incidents [9][7].
  • Despite these advances, NIS1 faced challenges: its scope was too narrow, enforcement and implementation were inconsistent across Member States, and definitions were sometimes unclear, leading to fragmentation and gaps in protection [6][10][8].

Growing Need for Reform:

  • As digitalization accelerated and cyber threats became more frequent and sophisticated, it became clear by 2020 that the EU needed a stronger, more harmonized approach to cybersecurity [6][10][7].
  • The European Commission launched a review and consultation on NIS reform in July 2020, leading to a proposal for an updated directive—NIS2—in December 2020 [11][12].

Development and Adoption of NIS2:

  • The legislative process included negotiations between the European Parliament, Council, and Commission throughout 2021 and early 2022 [6][12].
  • A provisional agreement on NIS2 was reached in May 2022, with formal adoption by the Parliament and Council in November 2022 [6][12].
  • NIS2 was published in the Official Journal on December 27, 2022, and entered into force on January 16, 2023 [11][7][12].

Transition and Implementation Timeline for NIS2:

  • Member States were given 21 months, until October 17, 2024, to transpose NIS2 into national law [6][11][7].
  • NIS2 expands the scope to more sectors, introduces stricter supervisory and enforcement measures, harmonizes sanctions, and places greater emphasis on supply chain security and top management responsibility [9][13][10].

Summary Table: NIS1 vs. NIS2

| Aspect | NIS1 (2016) | NIS2 (2023) |
| --- | --- | --- |
| Scope | Limited sectors, fewer entities | Expanded sectors and more entities |
| Enforcement | Inconsistent across Member States | Stronger, harmonized supervision |
| Management | Limited focus on top management | Clear top management responsibility |
| Reporting | Less stringent, varied obligations | Stricter, harmonized reporting |
| Supply Chain | Not specifically addressed | Explicitly included |

NIS2 aims to address all the shortcomings of its predecessor by broadening coverage, clarifying obligations, and enforcing higher cybersecurity standards EU-wide [9][6][10].

Why Was the NIS 1 Scope Considered Too Narrow?

  • Limited Sectors: NIS 1 only applied to seven key sectors considered vital to the economy and society, such as energy, transport, banking, financial market infrastructures, drinking water, healthcare, and digital infrastructure [14][15][16].
  • Member State Discretion: Each EU Member State had the responsibility to identify which organizations qualified as operators of essential services (OES), resulting in inconsistent application and gaps in coverage across the EU [14][17].
  • Exclusions: Some critical digital infrastructures and services, such as certain telecommunications and public administration entities, were not covered [18][19].
  • Light Regulation for Digital Service Providers: Digital service providers (like cloud services and online marketplaces) were subject to lighter, less comprehensive requirements [14][18].

How Has the Scope Broadened in NIS 2?

  • More Sectors Covered: NIS 2 expands the scope to include additional sectors and sub-sectors crucial to the economy and society, such as waste management, postal and courier services, food production, manufacturing of critical products, and more digital services [14][15][16][17].
  • Size-Cap Rule: All medium-sized and large entities in the covered sectors are automatically in scope, removing the need for Member States to individually designate operators [14][17].
  • Public Administration: NIS 2 now applies to central government public administration entities, and Member States can extend this to regional and local levels [14].
  • Supply Chain Focus: Entities essential to the supply chain of critical infrastructures are now included [15].
  • Unified Requirements: The distinction between “essential service operators” and “digital service providers” is eliminated; all covered entities face similar obligations [16][17].

In summary: NIS 1 was considered too narrow because it left critical gaps due to sector limitations, inconsistent national implementation, and exclusions. NIS 2 addresses these gaps by broadening the scope to more sectors, applying clear criteria (like the size-cap), and harmonizing requirements across the EU [14][15][16][17].

Current state as of May 2025

The NIS-2 directive should have been transposed into national legislation by October 17, 2024.

The Netherlands did not meet this deadline [20][21][22][23]. The national law implementing NIS-2, the Cybersecurity Act (Cbw), is now not expected to enter into force until the second or third quarter of 2025 [20][21][22][24]. Until then, the current Network and Information Systems Security Act (Wbni) still applies to the organizations concerned [21][22]. Organizations that will fall under the new law do not yet have any legal obligations from NIS-2, but they can voluntarily prepare and register [25][21].

The implementation of the NIS-2 directive is also delayed in other countries, including France and Germany.

France

France has not yet fully transposed the NIS-2 directive into national legislation. The bill (“Loi relatif à la résilience des infrastructures critiques”) was submitted to the Senate in October 2024. The law is expected to be adopted in the course of the second half of 2025. France is taking a broad approach to implementation and is adding extra sectors and local authorities to the scope. The national cybersecurity authority ANSSI will play a central role in supervision and enforcement [26][27].

Germany

In Germany, the bill for NIS-2 was approved in July 2024, but its parliamentary processing was delayed. Enforcement was expected to start from March 2025. Germany, unlike France, has not brought local authorities under the NIS-2 legislation [26].

In short: both France and Germany have not yet fully transposed the NIS-2 directive and, as of May 2025, are still in the legislative process, each with its own emphasis and delays [28][26][27].

What kind of organizations are targeted by NIS-2?

NIS-2 targets a wide range of organizations that are critical to the functioning of society and the economy. Specifically, it applies to:

  • Medium-sized and large organizations (generally with at least 50 employees or €10 million annual turnover) operating in sectors deemed essential or important [29][30][31].
  • Essential sectors include energy, transport, banking, financial market infrastructure, healthcare, drinking water, digital infrastructure, ICT services management, wastewater, public administration, and space activities [29][31].
  • Important sectors include digital providers, postal and courier services, waste management, chemicals, food production and distribution, research, and various types of manufacturing [32][31].
  • The directive also allows Member States to include smaller organizations if they are considered high-risk or critical for society [33].

In summary, NIS-2 covers both public and private organizations in a broad set of vital and important sectors, focusing on those whose disruption would significantly impact society or the economy [32][34][31].

Sectors in Scope under NIS2

NIS2 divides in-scope organizations into two main categories: Sectors of High Criticality (Essential Sectors) and Other Critical Sectors (Important Sectors).

Sectors of High Criticality (Essential Sectors):

  • Energy (including electricity, oil, gas, heating/cooling, hydrogen, EV charging)
  • Transport (air, rail, road, water, shipping, ports)
  • Banking
  • Financial market infrastructure
  • Healthcare (providers, labs, pharmaceuticals, medical device manufacturing)
  • Drinking water
  • Wastewater
  • Digital infrastructure (DNS, domain name registries, trust services, data centers, cloud, electronic communications, managed IT/security services)
  • ICT service management (business-to-business)
  • Public administration (central, regional, and optionally local)
  • Space (ground-based infrastructure) [35][36][37][38]

Other Critical Sectors (Important Sectors):

  • Digital providers (online marketplaces, search engines, social platforms)
  • Postal and courier services
  • Waste management
  • Manufacture, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Manufacturing (medical devices, computers, electronics, optics, machinery, vehicles, other transport equipment)
  • Research organizations [35][36][39][37][40][38]

Medium-sized and large organizations in these sectors are required to comply with NIS2 cybersecurity requirements.

Geographical Location

  • Jurisdiction: NIS2 applies to essential and important entities established in an EU/EEA Member State, and they fall under the jurisdiction of the country where they are established or, in some cases, where they provide their services [41][42][43].
  • Multiple Member States: If an organization provides services in more than one Member State, it must comply with NIS2 requirements in each relevant country [43].
  • Entities Outside the EU: Non-EU organizations offering services within the EU must designate a representative established in an EU Member State where their services are offered [42].
  • Sector-Specific Rules: For certain sectors (e.g., digital infrastructure, cloud, DNS, electronic communications), jurisdiction may depend on the location of the main establishment or where services are provided [42].

In summary, an organization's geographical location determines which Member State's authorities oversee its compliance, and cross-border or non-EU service providers must ensure they meet NIS2 obligations within the EU market.

Can an entity outside the EU offering services within the EU be held accountable?

Yes, non-EU entities offering services within the EU can be held accountable under the NIS2 Directive. The regulation applies extraterritorially, meaning it extends to organizations outside the EU if they provide essential or important services to EU markets. Here's how geographical location factors into accountability:

Marketplace Principle:

  • NIS2 applies if services are “offered within the EU,” even if the entity lacks a physical presence there. Factors include:
    • Using EU languages or currencies (e.g., offering services in German or accepting euros).
    • Targeting EU users in marketing materials or service descriptions [44].

Sector Relevance:

  • Non-EU entities in sectors like digital infrastructure, healthcare, transport, or energy are particularly impacted if their services are critical to EU operations [45].

In summary, NIS2's extraterritorial scope ensures that non-EU entities serving EU markets must adhere to its cybersecurity standards, with significant legal and financial consequences for non-compliance.

Requirements for Non-EU Entities

  1. Designate an EU Representative: Non-EU organizations must appoint a representative in an EU Member State where their services are offered [46][45].
  2. Supply Chain Compliance: Third-party suppliers (including non-EU partners) must meet NIS2 security standards if they provide critical inputs to EU entities [46][45].
  3. Incident Reporting: Significant cybersecurity incidents affecting EU services must be reported to national authorities within strict deadlines (e.g., 24-hour “early warning”) [47][45].

What is expected of these organizations?

Expectations for Different NIS-2 Stakeholders

EU Member States

  • Develop and maintain a national cybersecurity strategy with clear objectives and resources [48][49].
  • Designate national authorities, Computer Security Incident Response Teams (CSIRTs), and a single point of contact for cross-border and cross-sector cooperation [49].

National Authorities & CSIRTs

  • Oversee and enforce compliance among organizations.
  • Conduct regular audits, inspections, and request information as part of supervision [49].
  • Facilitate incident response and information sharing at national and EU level [49].

Essential and Important Entities (Organizations)

  • Implement risk management: identify, assess, and mitigate cybersecurity risks across their operations and supply chains [50][51].
  • Establish and maintain robust security policies, technical and organizational measures, and incident response plans [51].
  • Report significant security incidents to authorities within strict timelines [52][51].
  • Ensure business continuity and crisis management capabilities [51].
  • Senior management is directly responsible and can be held liable for compliance, including ensuring adequate resources, policies, and monitoring [53][54].

Supply Chain Partners

  • Organizations must assess and manage cybersecurity risks in their supply chains, considering the security practices of suppliers and service providers [50].

Critical Entities (under CER Directive)

  • Entities identified as critical must comply with both NIS-2 cybersecurity and physical resilience obligations, with authorities cooperating on both aspects [49].

Summary Table

| Stakeholder | Key Responsibilities under NIS-2 |
| --- | --- |
| Member States | National strategy, designate authorities/CSIRTs, ensure cross-border cooperation |
| National Authorities | Supervision, enforcement, audits, incident coordination |
| Essential/Important Orgs | Risk management, security measures, incident reporting, management accountability |
| Supply Chain Partners | Support supply chain risk management and security |
| Critical Entities | Comply with both cyber and physical resilience requirements |

The directive thus requires coordinated action at national, sectoral, and organizational levels to achieve a high and consistent level of cybersecurity across the EU.

What is expected/required of the board and management?

For organizations in scope of NIS-2, the board and management have explicit and far-reaching responsibilities:

  • Active Oversight and Approval: The board must oversee, approve, and regularly review the organization's cybersecurity risk management measures and policies [55][56][57].
  • Training and Awareness: Board members and executives are required to follow cybersecurity training to ensure they understand risks and can make informed decisions. They must also ensure regular training for employees [55][56][58][57].
  • Accountability and Liability: Management is directly accountable for compliance. Serious failures can result in personal liability, administrative fines, and even temporary bans from management roles [55][56][58][59][57].
  • Risk Management: The board must ensure comprehensive risk assessments, mitigation strategies, and continuous improvement of cybersecurity controls, including supply chain security and incident response [55][60][59][57].
  • Incident Reporting: Management must ensure processes are in place for prompt reporting of significant incidents, typically within 24 hours for initial notification [55][60][59].
  • Business Continuity: The board is responsible for ensuring robust business continuity and crisis management plans, including system recovery and emergency procedures [55][59][57].

In summary, NIS-2 makes cybersecurity a core element of corporate governance, requiring boards and management to be knowledgeable, proactive, and fully accountable for digital risk management and compliance.

What is required of the organization with regard to vendor management?

Organizations in scope of NIS-2 are required to take extensive measures for vendor (third-party) management:

  • Risk Assessment: Conduct thorough and ongoing risk assessments of all vendors and suppliers, evaluating their cybersecurity posture, incident history, and the criticality of their services [61][62][63][64].
  • Supply Chain Security Policies: Develop and enforce comprehensive policies for third-party risk management, including clear security requirements, access controls, encryption, and multi-factor authentication throughout the supply chain [62][63][65].
  • Contractual Obligations: Include enforceable cybersecurity clauses in contracts with vendors—covering compliance, incident reporting, audit rights, and termination for non-compliance [63][66].
  • Continuous Monitoring: Regularly monitor and audit third-party security practices, update risk assessments, and ensure ongoing compliance with NIS-2 standards [61][62][63].
  • Incident Reporting: Ensure vendors promptly report cybersecurity incidents and coordinate on incident response and resolution [61][63].
  • Documentation: Maintain detailed records of vendor assessments, contracts, and compliance audits for regulatory review [61][63].

In summary, NIS-2 requires organizations to proactively manage, monitor, and document third-party risks, making supply chain security an integral part of their cybersecurity strategy.

Local differences

The main differences in emphasis between France and Germany in the implementation of the NIS-2 directive are:

  • In France, local authorities explicitly fall under the NIS-2 legislation, whereas this is not the case in Germany [67][68].
  • Some countries, including France, are adding extra sectors that fall under the law; Germany is limiting itself more to the strictly necessary sectors [67].
  • Germany emphasizes comprehensive risk management, reporting obligations, and registration requirements for "particularly important facilities" and federal administrative bodies [69].
  • In Germany, micro-enterprises are largely excluded, while in France, the scope is actually being expanded by including local authorities and additional sectors [67][69].

These differences create a fragmented regulatory landscape within the EU, making it more complex for international organizations to comply with all rules [67].

Similarities in Measures

  • In both France and Germany, companies under NIS-2 must take appropriate technical and organizational measures to manage cyber risks and prevent incidents [70][71][72].
  • Both countries mandate risk management, regular evaluation of security measures, and a reporting obligation for serious security incidents [71][72].
  • Supplier and supply chain management is an important component in both countries: companies must also pay attention to the security of their direct suppliers and service providers [72].
  • The basic principles are risk-based: the greater the risk, the more stringent the measures must be [72].

Differences

  • Scope: France explicitly includes local authorities and additional sectors in the law, while Germany primarily focuses on critical infrastructures and federal agencies [71].
  • Registration: In Germany, there is a registration obligation with the Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik - BSI) for “particularly important” organizations [71]. In France, the national cybersecurity authority ANSSI has more control.
  • Exemptions: Micro-enterprises are largely exempt in Germany; France applies a broader scope [71].
  • Enforcement: Germany is known for strict compliance and enforcement through contractual obligations; in France, the approach is more centrally regulated [72].

In short: the core measures are similar, but the scope, exemptions, and enforcement differ per country, leading to different obligations for companies depending on their country of establishment [71][72].

International standards and certification

Currently, there is no legal basis for an official “NIS-2 certification” or “NIS-2 certified training.” The NIS-2 Directive and national legislation do require organizations to take appropriate security measures, but there is no government-recognized NIS-2 certificate or official quality mark [73][74].

The European Commission is working on a certification framework, but this is still under development and not currently in force [73]. Companies currently offering NIS-2 certification or training do so based on their own interpretations or existing standards (such as ISO 27001), but these do not have official legal status.

In short: claims about “NIS-2 certification” are currently commercial and not legally recognized.

What is already known about that EC certification framework?

Little concrete information is yet known about the official European certification framework for NIS-2. The European Commission is working with ENISA (the EU Agency for Cybersecurity) on the development of such a framework, but this has not yet been finalized and is therefore not yet in force [75].

The NIS-2 Directive itself does not prescribe mandatory certification for companies, but it does give the Commission the possibility to establish technical and methodological requirements for certain sectors and services in the future [76]. This process is still under development.

In summary: there is not yet an official, EU-recognized NIS-2 certification framework; companies therefore cannot yet be certified according to a standard established by the EU. Any commercial “NIS-2 certificates” are currently not legally recognized.

NIS-2 Measures and International Standards

In Flemish Belgium, the measures that companies must take for NIS-2 conformity are based on internationally recognized standards such as the NIST processes and ISO 27001/27002 [77][78]. Organizations must take risk management measures and align their cybersecurity with generally accepted security principles. For supervision, explicit reference is made to the CyberFundamentals framework (CyFun®) of the CCB (Centre for Cybersecurity Belgium) or an ISO 27001 certification as a control instrument [77][78]. This aligns with the approach of NIST and ISO, where risk management, incident response, continuity planning, and periodic audits are central [78].

Do France and Germany also base their NIS-2 measures on international standards? Which ones?

Yes, both France and Germany base their measures for NIS-2 on international standards, particularly ISO 27001/27002. These standards are seen as a good benchmark for meeting NIS-2 requirements [79][80]. In both countries, companies are expected to align their risk management, security measures, and incident response with these internationally recognized frameworks. In practice, alignment with the NIST Cybersecurity Framework is also often sought, although ISO 27001/27002 is most explicitly mentioned in the context of European legislation [79][80].

In short: ISO 27001/27002 are the most important international references, and the NIST framework is also recognized as a best practice for NIS-2 compliance.

Enforcement and Penalties

  • Fines: Up to €10 million or 2% of global annual revenue, whichever is higher [46][45].
  • Management Liability: Executives face personal liability for non-compliance, including potential bans from managerial roles [47][45].
  • Market Access Risks: Non-compliance may disrupt partnerships with EU businesses or lead to exclusion from EU markets [46][81].

What are the general expectations, as of May 2025, about enforcement of the NIS-2?

As of May 2025, enforcement of the NIS-2 Directive across the EU is marked by significant delays and fragmentation. Although the directive required all Member States to adopt and enforce national laws by October 2024, many—including Germany, France, and the Netherlands—have not yet fully transposed NIS-2 into national legislation [82][83][84]. The European Commission has formally warned 19 Member States for failing to meet the deadline and may escalate to legal action if compliance is not achieved soon [82].

In practice, this means that while the NIS-2 provisions are technically in effect at the EU level, actual enforcement depends on national laws and the readiness of designated authorities [83][84]. In countries where national laws are not yet in force, there is a period of legal uncertainty and limited practical enforcement, though organizations are expected to prepare for compliance [83][84][85]. Once national laws are enacted—expected in the second half of 2025 for many countries—enforcement will become much stricter, with clear duties of care, incident reporting, and potential sanctions for non-compliance [86][83].


Research and Footnotes

Perplexity thread 1 Perplexity thread 2


  1. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive ↩︎

  2. https://www.darktrace.com/cyber-ai-glossary/nis2-directive ↩︎

  3. https://www.proofpoint.com/us/threat-reference/nis2-directive ↩︎

  4. https://www.nis-2-directive.com ↩︎

  5. https://nis2directive.eu/why-nis2/ ↩︎

  6. https://www.europarl.europa.eu/thinktank/en/document/EPRS_BRI(2021)689333 ↩︎

  7. https://sosafe-awareness.com/glossary/nis2/ ↩︎

  8. https://dispel.com/blog/what-was-the-original-nis-directive-and-why-was-it-not-sufficient ↩︎

  9. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive ↩︎

  10. https://www.cyberday.ai/blog/nis2-overview-history-key-contents-and-significance-for-top-management ↩︎

  11. https://nis2directive.eu/what-is-nis2/ ↩︎

  12. https://nis2directive.eu/nis2-release-date/ ↩︎

  13. https://www.nis-2-directive.com ↩︎

  14. https://www.nis-2-directive.com ↩︎

  15. https://assets.kpmg.com/content/dam/kpmg/pl/pdf/2023/10/kpmg-network-and-information-security-directive-nis2.pdf ↩︎

  16. https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/ ↩︎

  17. https://www.stibbe.com/publications-and-insights/the-revised-network-and-information-security-directive-enhancing-eu ↩︎

  18. https://esmt.berlin/knowledge/research-insights/eu-directive-network-and-information-security-requirements-digital ↩︎

  19. https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX%3A32016L1148 ↩︎

  20. https://www.security.nl/posting/862964/Re:+Nederland+voert+NIS2-richtlijn+naar+verwachting+derde+kwartaal+2025+in ↩︎

  21. https://www.rijksoverheid.nl/actueel/nieuws/2024/10/23/implementatie-nis2-en-cer-in-nederland-vertraagd-wat-betekent-dat-voor-u ↩︎

  22. https://penrose.law/informatiebeveiliging_op_orde_nis2_cyberbeveiligingswet/ ↩︎

  23. https://www.fox-it.com/nl/nis2-een-nieuwe-europese-richtlijn-voor-netwerk-en-informatiebeveiliging/ ↩︎

  24. https://tweakers.net/nieuws/222522/nederlandse-nis2-wet-treedt-pas-in-tweede-of-derde-kwartaal-2025-in-werking.html ↩︎

  25. https://www.zlogin.nl/update/nis2-richtlijn-rol-eherkenning/ ↩︎

  26. https://www.techzine.nl/experts/privacy-compliance/563162/de-staat-van-nis2-een-versnipperde-aanpak-in-de-eu/ ↩︎

  27. https://www.openkritis.de/eu/eu-nis-2-france.html ↩︎

  28. https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition ↩︎

  29. https://digital-strategy.ec.europa.eu/en/policies/nis2-directive ↩︎

  30. https://www.infosecurity-magazine.com/blogs/nis2-everything-eu-orgs-need-to/ ↩︎

  31. https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ ↩︎

  32. https://www.pwc.nl/en/insights-and-publications/themes/risk-regulation/new-european-nis2-directive-stricter-requirements-for-cyber-security.html ↩︎

  33. https://www.nomios.nl/en/resources/what-is-nis2/ ↩︎

  34. https://highberg.com/insights/eight-things-you-need-to-know-about-nis2 ↩︎

  35. https://www.ekelmansadvocaten.com/en/nis2-richtlijn-tips-om-je-als-organisatie-voor-te-bereiden-op-deze-nieuwe-regelgeving/ ↩︎

  36. https://advisera.com/articles/who-does-nis2-apply-to/ ↩︎

  37. https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ ↩︎

  38. https://www.pwc.nl/en/insights-and-publications/themes/risk-regulation/new-european-nis2-directive-stricter-requirements-for-cyber-security.html ↩︎

  39. https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_3_SECTORS.pdf ↩︎

  40. https://www.int-comp.org/insight/nis2-are-you-in-scope/ ↩︎

  41. https://www.onespan.com/blog/NIS2-part1-what-is-new-in-NIS2-Directive ↩︎

  42. https://www.twobirds.com/-/media/new-website-content/insights/pdfs/220607_nis2-directive_provisional-agreement_newsletter_final.pdf ↩︎

  43. https://www.ceeyu.io/resources/blog/will-your-company-be-subject-to-nis2 ↩︎

  44. https://www.skadden.com/insights/publications/2024/10/navigating-the-new-cybersecurity-landscape ↩︎

  45. https://www.metricstream.com/blog/navigating-the-nis2-directive-compliance-success.html ↩︎

  46. https://www.linkedin.com/pulse/beyond-borders-what-non-eu-companies-need-know-new-nis2-q0d5f ↩︎

  47. https://nis2directive.eu/nis2-requirements/ ↩︎

  48. https://www.nis-2-directive.com/NIS_2_Directive_Article_7.html ↩︎

  49. https://digital-strategy.ec.europa.eu/en/faqs/directive-measures-high-common-level-cybersecurity-across-union-nis2-directive-faqs ↩︎

  50. https://www.ey.com/en_pl/insights/law/nis2-supply-chain-security ↩︎

  51. https://www.veeam.com/blog/nis2-directive-explained.html ↩︎

  52. https://www.nfir.nl/en/nis2-all-about-the-directive-legislation-and-latest-status/ ↩︎

  53. https://www.nis-2-directive.com ↩︎

  54. https://www.ccnet.de/en/blog/the-crucial-role-of-management-in-the-implementation-of-the-nis2-directive/ ↩︎

  55. https://nis2directive.eu/nis2-requirements/ ↩︎

  56. https://blog.smartglobalgovernance.com/en/cybersecurity-governance-nis-2-makes-executives-accountable/ ↩︎

  57. https://www.deloitte.com/nl/en/services/risk-advisory/perspectives/the-nis2-directive.html ↩︎

  58. https://www.ncsc.gov.ie/pdfs/NCSC_NIS2_8_MGMT.pdf ↩︎

  59. https://www.guberna.be/en/know/guberna-what-does-nis2-mean-board-directors-and-executives ↩︎

  60. https://highberg.com/insights/eight-things-you-need-to-know-about-nis2 ↩︎

  61. https://panorays.com/blog/nis2-compliance-for-third-party-risk-management/ ↩︎

  62. https://www.bitsight.com/blog/navigating-nis2-requirements-transforming-supply-chain-security ↩︎

  63. https://mitratech.com/resource-hub/blog/nis2-and-third-party-risk-management/ ↩︎

  64. https://www.bitsight.com/blog/nis2-compliance-how-to-identify-critical-suppliers ↩︎

  65. https://www.dataguard.com/nis2/requirements/ ↩︎

  66. https://rhymetec.com/nis2-requirements/ ↩︎

  67. https://www.techzine.nl/experts/privacy-compliance/563162/de-staat-van-nis2-een-versnipperde-aanpak-in-de-eu/ ↩︎

  68. https://www.ictmagazine.nl/experts/terwijl-de-deadline-nadert-struikelen-eu-landen-over-naleving-van-de-nis2-richtlijn/ ↩︎

  69. https://www.ferner.nl/cyberbeveiliging-in-duitsland-implementatie-van-de-nis2-richtlijn-in-duitsland/ ↩︎

  70. https://www.eye.security/nl/blog/nis2-hoe-wordt-de-richtlijn-omgezet-in-europese-landen ↩︎

  71. https://www.ferner.nl/cyberbeveiliging-in-duitsland-implementatie-van-de-nis2-richtlijn-in-duitsland/ ↩︎

  72. https://samendigitaalveilig.nl/nieuws/bedrijven-lopen-risico-om-buitenlandse-klanten-kwijt-te-raken-door-nis2-regelgeving/ ↩︎

  73. https://itce.be/post/nis2-richtlijn-in-belgie-wat-is-het-en-voor-wie-52-topics ↩︎

  74. https://www.digitaleoverheid.nl/overzicht-van-alle-onderwerpen/nis2-richtlijn/ ↩︎

  75. https://digital-strategy.ec.europa.eu/nl/policies/nis-transposition ↩︎

  76. https://www.nis-2-directive.com ↩︎

  77. https://www.vlaanderen.be/digitaal-vlaanderen/onze-diensten-en-platformen/cyber-response-team-lokaal-bestuur/nieuwe-wetgeving-nis2-wat-lokale-besturen-moeten-weten ↩︎

  78. https://www.dmvh.eu/blog/nis2-in-vlaanderen-implementatie-impact-gevolgen-voor-bedrijven ↩︎

  79. https://www.declercq.com/app/uploads/2024/02/NIS2-Praktische-handleiding-NL-De-Clercq-Advocaten-Notariaat-gecomprimeerd.pdf ↩︎

  80. https://www.ninjaone.com/nl/blog/nis2-vs-iso-27001/ ↩︎

  81. https://www.dataguard.com/nis2/requirements/ ↩︎

  82. https://digital-strategy.ec.europa.eu/en/policies/nis-transposition ↩︎

  83. https://blog.grand.io/nis-2-directive-compliance-in-the-age-of-dora/ ↩︎

  84. https://connectontech.bakermckenzie.com/eu-nis2-implementation-where-are-we-now/ ↩︎

  85. https://ezine.eversheds-sutherland.com/eu-nis2-directive/netherlands ↩︎

  86. https://business.gov.nl/amendment/nis2-directive-protects-network-information-systems/ ↩︎