
Everything you need to prepare for the NIS 2 Directive

Navigate your NIS 2 Compliance Journey with Sophos

The NIS2 directive became effective in January 2023. EU Member States had been given a deadline of October 17, 2024, to integrate NIS2 security requirements into their national legislation. By this date, all companies falling under the scope of NIS2 must ensure compliance with the updated requirements.

What’s new with NIS 2?

NIS 2 replaces the original NIS Directive introduced in 2016, which was the first piece of EU-wide legislation on cybersecurity. NIS 2 widens the scope of the initial framework to include more industries, introduces stringent supervisory measures for national authorities, places greater focus on supply chains, and brings stricter enforcement and stricter penalties for non-compliance.

NIS vs NIS2 - comparison

Not sure if NIS 2 applies to your organization?

Take our NIS 2 self-assessment test to find out.


Comparing NIS 2 with other cybersecurity regulations


NIS 2 is just one of the many cybersecurity regulations with which EU operators must comply. Here’s a look at the NIS 2 Directive’s relationship with other frameworks and how they overlap:

NIS 2
  EU Directive: (EU) 2022/2555
  Directive Name: Network and Information Security Directive 2
  Scope: Applies to organizations that are Essential Entities and Important Entities; replaces NIS1 (EU) 2016/1148
  Purpose: Designed to improve the cybersecurity and resilience of network and information systems across the European Union
  Compliance status with respect to NIS 2: -
  Effective date: October 17, 2024
  Sanctions: Includes non-monetary penalties (such as compliance orders), administrative fines and criminal sanctions. Non-compliance fines for Essential Entities can reach up to 2% of total worldwide annual turnover or €10 million (whichever is higher), whilst fines for Important Entities can be up to 1.4% of total worldwide annual turnover or €7 million

GDPR
  EU Directive: (EU) 2016/679
  Directive Name: General Data Protection Regulation
  Scope: Applies to any organization that processes the personal data of individuals who live in the EU and the EEA
  Purpose: Protects the fundamental rights and freedoms of individuals, specifically their right to privacy and the protection of personal data
  Compliance status with respect to NIS 2: Organisations covered by NIS 2 which are also data controllers or data processors under the EU GDPR must comply with both the EU GDPR and the EU NIS 2 Directive
  Effective date: May 25, 2018
  Sanctions: Violations of GDPR provisions may be enforced by substantial penalties, including up to €10 million or 2% of global annual turnover (Tier 1 monetary penalties) or up to €20 million or 4% of annual global turnover (Tier 2 monetary penalties), depending on the nature of the violation

DORA
  EU Directive: (EU) 2022/2554
  Directive Name: Digital Operational Resilience Act
  Scope: Applies to all financial entities in the EU
  Purpose: In addition to cybersecurity requirements, this Directive places emphasis on the overall resilience of financial institutions
  Compliance status with respect to NIS 2: DORA and NIS 2 are designed to work together to strengthen cybersecurity requirements; each has distinct requirements, and financial institutions must meet both
  Effective date: January 17, 2025
  Sanctions: Financial penalties for breaches of DORA can be imposed, but the exact amount depends on the provisions violated and the severity of the breach. Regulators may also take other actions, including warnings, operational restrictions, or regulatory orders that restrict operations until proof of compliance

CER
  EU Directive: (EU) 2022/2557
  Directive Name: Critical Entities Resilience Directive
  Scope: Applies to organizations that are considered critical according to Member State decision
  Purpose: Emphasizes the resilience and business continuity of Critical Entities designated within the Directive and provides guidance on defenses against non-cyber-related risks
  Compliance status with respect to NIS 2: Critical Entities must also comply with NIS 2 when it comes to cybersecurity, and with the CER Directive for non-cyber incidents
  Effective date: October 18, 2024
  Sanctions: The penalties for non-compliance will vary by Member State but are likely to include fines, public notification, remediation, and withdrawal of authorization

Disclaimer: Specifications and descriptions are subject to change without notice. Sophos disclaims all warranties and guarantees regarding this information. The use of Sophos products alone does not comprise legal advice and does not guarantee legal compliance. The information in this document does not constitute legal advice. Customers are solely responsible for compliance with all laws and regulations and should consult their own legal counsel for advice regarding such compliance.

For more information on how to achieve your NIS 2 compliance goals before the deadline, contact us today.
