The 2016 NIS Directive is the cornerstone of the EU’s response to growing cyber threats and challenges facing digitalization. Seven years later, the new NIS2 directive was agreed upon between the Commission, Parliament and the European Council in June 2022.
The updated directive is expected to come into force on 18 October 2024, ensuring that appropriate levels of security for networks and information systems are maintained across all critical and sensitive industries.

Core NIS2 objectives at a glance:
- Manage security risks
  - Appropriate governance including risk analysis, incident handling, vulnerability handling and disclosure;
  - Supply chain security between entities and suppliers or service providers;
  - Risk-management measures to assess the effectiveness of cybersecurity;
  - Asset management and access control policies
- Protect against cybersecurity attacks
  - Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Detect cybersecurity incidents
  - Processes for monitoring and abnormality detection
- Minimize the impact of cybersecurity incidents
  - Crisis management, backup management and disaster recovery
  - Cyber hygiene practices and cybersecurity training

Key updates to NIS2:
- New classification system
  - The distinction between operators of “essential services” and “digital service providers” will be scrapped, as entities will be divided into “essential” and “important” categories
  - Different levels of supervision and enforcement between “essential” and “important” entities
  - “Essential” entities are subject to more stringent regulations including
    - Regular audits;
    - Evidence of proactive adoption and implementation of cybersecurity measures;
    - Harsher penalties for non-compliance
- Widening the scope of entities subject to the reporting and cybersecurity risk measures requirements
  - All medium and large companies in selected sectors will be included in the scope and must adhere to the provisions
  - New sectors will be added based on how crucial they are for the economy and society
- Enforcing penalties
  - €10 million or 2 percent of the entity’s total turnover worldwide for not complying with the reporting and/or cybersecurity risk management measures
Even entities that are not established in the EU but offer services within the EU have to adhere to the NIS2 directive. They must also appoint a representative in the EU member state(s) where services are offered.
Simultaneously, CISA in the United States is working in tandem with NIST to build the NIST Cybersecurity Framework 2.0. This updated framework is slated to come into force in Winter 2024 and is expected to introduce measures similar to the NIS2 Directive.
NIS Directive Article 4(4) sectors and sub-sectors subject to provisions of the Directive
| Sector | Subsector | Type of Entity |
| --- | --- | --- |
| Energy | Electricity | Suppliers |
| Energy | Oil | Operators of transmission pipelines |
| Energy | Oil | Operators of oil production, refining, and treatment facilities, storage and transmission |
| Energy | Gas | Supply undertakings |
| Energy | Gas | Distribution, transmission, and storage system operators |
| Energy | Gas | LNG system operators |
| Energy | Gas | Natural gas undertakings |
| Energy | Gas | Operators of natural gas refining and treatment facilities |
| Transport | Air transport | Air carriers |
| Transport | Air transport | Airport managing bodies, airports, and entities operating ancillary installations within airports |
| Transport | Air transport | Traffic management control operators providing air traffic control (ATC) services |
| Transport | Rail transport | Infrastructure managers |
| Transport | Rail transport | Railway undertakings |
| Transport | Water transport | Inland, sea and coastal passenger and freight water transport companies |
| Transport | Water transport | Managing bodies of ports including their port facilities |
| Transport | Water transport | Operators of vessel traffic services |
| Transport | Road transport | Road authorities responsible for traffic management control |
| Transport | Road transport | Operators of Intelligent Transport Systems |
| Banking | Credit institutions | |
| Financial market | Operators of trading venues and central counterparties | |
| Healthcare | Hospitals and private clinics | Healthcare providers |
| Water supply/distribution | Suppliers and distributors of water intended for human consumption | |
| Digital infrastructure | Internet Exchange Points (IXPs); DNS service providers; Top-Level Domain (TLD) name registries | |