CyberArk Glossary >

What is NIS2 Directive?

The NIS2 (Network and Information Security) Directive is a regulatory framework established by the European Union(EU) to enhance the cybersecurity of critical infrastructure and digital service providers. NIS2 is an update to the earlier NIS Directive. In January 2023, EU member states formally enacted a revision of the 2016 Network and Information Systems (NIS) Directive. All 27 EU member states must incorporate the NIS2 Directive into their national laws by October 2024. NIS2 builds on the requirements of the original Directive, it aims to protect critical infrastructure and organizations within the EU from cyber threats and achieve a high level of common security across the EU

Sectors covered by the NIS2 Directive:

Entities that need to comply with the NIS2 Directive are divided into two categories: ‘essential’ and ‘important’. Entities filed under ‘essential’ will fall under proactive supervision. ‘Important’ entities will be monitored after an incident of non-compliance is reported. Here are the critical sectors covered by the NIS2 Directive:

Essential Entities  Important Entities 
  • Energy
  • Transport
  • Financial institutions
  • Market infrastructure
  • Healthcare
  • Drinking water
  • Wastewater
  • Digital infrastructure and providers
  • Public administration
  • Space activities
  • Digital providers
  • Postal and courier services
  • Waste management
  • Manufacturing, production, and distribution of chemicals
  • Production, processing, and distribution of food
  • Research
  • Manufacturing


What are the challenges of the NIS2 Directive?

While complying with NIS2 has several benefits, such as avoiding fines and lawsuits, enhancing cyber resilience and improving risk management, it also poses some challenges. Here are some of the key challenges of NIS2:

  1. Growing complexity of digital threats: Companies face an increasing complexity of digital threats. NIS2 comes into play where cyberattacks are becoming more sophisticated.
  2. Increased responsibilities in cybersecurity: The NIS2 Directive expands the responsibilities of companies in cybersecurity. The challenges involve implementing more rigorous measures to protect information systems and ensure the confidentiality of sensitive data.
  3. Significant risks of non-compliance: NIS2 introduces severe financial penalties for non-compliance. The challenges for companies involve implementing these new rules and integrating them with the existing policies and avoiding the financial consequences associated with non-compliance.

What are the penalties for non-compliance with NIS2?

NIS2 also provides penalties for non-compliance including the following:

  • Essential entities (EE): Up to €10 million or 2% of annual global revenue, targeting sectors like transportation, finance, healthcare, etc.
  • Important entities (IE): Up to €7 million or 1.4% of annual global revenue, targeting industries like food production, digital services, chemicals, etc.

How can businesses improve their NIS2 Directive compliance readiness?

Businesses can improve their NIS2 compliance readiness by implementing the following measures:

  1. Identify, assess and address your risks: Management bodies of essential and important entities must take appropriate and proportionate technical, operational and organizational measures, using an all-hazards approach to manage the risks posed to the security of network and information systems and the physical environment.
  2. Evaluate your security posture: A security assessment can help identify areas of weakness such as unmanaged passwords or misconfigured or dormant accounts that are susceptible to credential theft.
  3. Take steps to safeguard privileged access: Adversaries can exploit privileged accounts to orchestrate attacks, take down critical infrastructure and disrupt essential services. NIS2 advises critical entities to limit access to administrator-level accounts and to regularly rotate administrative passwords.
  4. Strengthen your ransomware defenses: Costly and debilitating ransomware attacks are a major concern for EU regulators and one of the primary drivers of the NIS2 Directive. Introduce security solutions and best practices to proactively defend against ransomware. Use endpoint privilege security solutions to enforce the principle of least privilege, control applications and augment next-generation antivirus (NGAV) and endpoint detection and response (EDR) solutions.
  5. Move to a Zero Trust architecture: Traditional perimeter-based security architectures, conceived to defend trusted enterprise network borders, aren’t suited for the world of cloud services and hybrid workforces. Adopt a Zero Trust approach, implementing several layers of defense such as least privilege access, continuous authentication and threat analytics to validate all access attempts.
  6. Scrutinize your software supply chain: Supply chain attacks are a major concern for EU regulators and a prime motivator for the NIS2 Directive. Take a fresh look at your software supply chain and consider implementing a secrets management solution to mitigate risk.
  7. Formalize your incident response plan: NIS2 calls for faster incident reporting, with the first report due within 24 hours of becoming aware of a significant incident. Make sure your organization is prepared. Review your event notification, information gathering and reporting processes.
  8. Educate your people: Cybersecurity and cyber hygiene training are fundamental to NIS2. Step up your efforts to improve cyber awareness and foster a security-first culture.

Learn more about the NIS2 Directive:

  1. Getting Ready for NIS2 – Why Identity Security is Key to Preparing for Compliance Updates
  2. NIS2 to Boost Cybersecurity Requirements for Many EU Businesses
  3. An Identity Security Approach to NIS2 Readiness
  4. NIS2 Compliance: An Identity Security Guidebook