
Everything you need to prepare for the NIS 2 Directive
Navigate your NIS 2 Compliance Journey with Sophos
The NIS 2 Directive entered into force in January 2023. EU Member States were given until October 17, 2024 to transpose its security requirements into national legislation, and those national measures apply from October 18, 2024. From that date, every organization falling within the scope of NIS 2 must comply with the updated requirements as implemented in the applicable Member State law.
What’s new with NIS 2?
NIS 2 replaces the original NIS Directive of 2016 (Directive (EU) 2016/1148), which was the first piece of EU-wide legislation on cybersecurity. NIS 2 widens the scope of the initial framework to cover more sectors, introduces more stringent supervisory powers for national authorities, places greater focus on supply-chain security, and brings stricter enforcement and higher penalties for non-compliance.

Not sure if NIS 2 applies to your organization?
Comparing NIS 2 with other cybersecurity regulations
NIS 2 is just one of several cybersecurity regulations with which EU operators must comply. Here is a look at the NIS 2 Directive's relationship with other frameworks and how they overlap:
| | NIS 2 | GDPR | DORA | CER |
|---|---|---|---|---|
| EU legal act | Directive (EU) 2022/2555 | Regulation (EU) 2016/679 | Regulation (EU) 2022/2554 | Directive (EU) 2022/2557 |
| Full name | Network and Information Security Directive 2 | General Data Protection Regulation | Digital Operational Resilience Act | Critical Entities Resilience Directive |
| Scope | Applies to organizations designated as Essential Entities or Important Entities; replaces NIS 1, Directive (EU) 2016/1148 | Applies to any organization that processes the personal data of individuals in the EU and the EEA | Applies to financial entities in the EU and to their critical ICT third-party service providers | Applies to organizations identified as critical entities by their Member State |
| Purpose | Improve the cybersecurity and resilience of network and information systems across the European Union | Protect the fundamental rights and freedoms of individuals, specifically their right to privacy and the protection of personal data | Beyond cybersecurity requirements, this Regulation emphasizes the overall digital operational resilience of financial entities | Emphasizes the resilience and business continuity of designated Critical Entities, covering non-cyber risks such as physical attacks, natural hazards and other disruptions |
| Relationship to NIS 2 | - | Organizations covered by NIS 2 that are also data controllers or data processors under the GDPR must comply with both the GDPR and the NIS 2 Directive | DORA is the sector-specific act for financial entities: where its ICT risk-management and incident-reporting requirements apply, they take precedence over the corresponding NIS 2 provisions (NIS 2, Article 4); the two are designed to be consistent with each other | Critical Entities must comply with NIS 2 for cybersecurity and with the CER Directive for non-cyber resilience |
| Applies from | October 18, 2024 (national transposition deadline October 17, 2024) | May 25, 2018 | January 17, 2025 | October 18, 2024 (national transposition deadline October 17, 2024) |
| Sanctions | Includes non-monetary enforcement measures (such as binding instructions and compliance orders) and administrative fines; Member States may additionally provide for criminal penalties, and management bodies can be held liable. Maximum fines for Essential Entities are at least €10 million or 2% of total worldwide annual turnover (whichever is higher); for Important Entities, at least €7 million or 1.4% of total worldwide annual turnover (whichever is higher). Member States may set higher maxima | Violations may be enforced with substantial penalties: up to €10 million or 2% of global annual turnover, whichever is higher (lower tier), or up to €20 million or 4% of global annual turnover, whichever is higher (upper tier), depending on the nature of the violation | Financial penalties for breaches of DORA can be imposed, but the amount depends on the provisions violated and the severity of the breach. Regulators may also take other actions, including warnings, operational restrictions, or orders that restrict operations until compliance is demonstrated | Penalties for non-compliance are set by each Member State and are likely to include fines, public notification, remediation orders, and withdrawal of authorization |
Disclaimer: Specifications and descriptions are subject to change without notice. Sophos disclaims all warranties and guarantees regarding this information. The use of Sophos products alone does not comprise legal advice and does not guarantee legal compliance. The information in this document does not constitute legal advice. Customers are solely responsible for compliance with all laws and regulations and should consult their own legal counsel for advice regarding such compliance.
For more information on how to achieve your NIS 2 compliance goals before the deadline, contact us today.
Are you impacted by NIS 2? Complete this form to receive a quick self-assessment link.