Directive NIS2

Préparez votre mise en conformité

Télécharger le livre blanc Nous contacter

De nombreux secteurs industriels sont soumis à de nouvelles exigences

La Directive européenne NIS2 introduit de nouvelles réglementations plus strictes en matière de cybersécurité dans de nombreux secteurs d’activité. Les organisations devront s’y conformer d’ici à l’automne2024, sous peine de lourdes sanctions.

Comment se mettre en conformité

Utilisez nos ressources pour en savoir plus sur la Directive NIS2 et découvrir si votre organisation est concernée, ainsi que les sanctions encourues et les mesures à prendre pour s’y conformer.

Livre blanc

Fiche de conformité

Livre blanc

Consultez notre livre blanc, créé en collaboration avec l’avocat David Bomhard, pour comprendre :

Les nouvelles exigences NIS 2
Les mesures qui doivent être prises par les organisations
Les risques liés à la responsabilité de la direction
Comment les solutions Sophos vous aident à vous conformer aux nouvelles exigences

Télécharger le livre blanc

Fiche de conformité

Ce document explique comment les solutions Sophos offrent des outils efficaces pour aider les organisations à répondre au Chapitre IV de la directive NIS 2.

La directive détaille :

Mesures de gestion des risques en matière de cybersécurité
Obligations d’information

Fortes de ces informations, les organisations seront mieux équipées pour se conformer aux exigences.

Études de cas

Découvrez comment nous avons protégé nos clients contre des cybermenaces.

Sicher vor modernen Cyberattacken

Die Schletter Solar GmbH profitiert jetzt von einer IT-Security-Lösung, die flexibel auf die Anforderungen der Zukunft reagieren kann.

Mehr erfahren

Mehr Schutz und Effizienz

Dank Sophos MDR hat die Transportgemeinschaft Wangen AG (TGW) nun maximale Kontrolle und Transparenz und kann auch modernsten Attacken Paroli bieten.

Mehr erfahren

Fit für die Zukunft

Die WEFRA LIFE ist jetzt langfristig für die Aufgaben in IT-Sicherheit gewappnet und optimal aufgestellt, um das Thema Cyber-Versicherung anzugehen.

Mehr erfahren

AG Barr

Sophos a permis aux équipes informatiques d’AG Barr d’entreprendre des tâches plus proactives sans être contraintes de gérer les problèmes de sécurité.

HammondCare

Sophos a étendu la pratique de sécurité existante de HammondCare, lui évitant ainsi d’avoir à développer ses propres capacités en interne.

Weitere Erfahrungsberichte finden Sie hier

Contactez-nous

Découvrez comment les solutions Sophos vous aident à vous conformer à la Directive NSI2.

Prénom

Nom de famille

Email professionnel

Société

Fonction

Numéro de téléphone

Pays

How Did You Hear About Us?

Contrat de Licence CLUF

Veuillez m’envoyer les mises à jour sur les produits et les services Sophos, les cadeaux publicitaires, les invitations aux événements spéciaux, etc. (Si vous avez déjà effectué cette demande, nous ne changerons pas vos préférences jusqu’à ce que vous décidiez de vous désabonner. Vous pouvez le faire à tout moment.)

En soumettant ce formulaire, vous acceptez d’être contacté(e) au sujet des produits et services de Sophos de la part des membres du groupe Sophos et d’entreprises ayant conclu un partenariat avec nous pour fournir nos produits et services. Sophos s’engage à respecter votre vie privée. Si vous souhaitez en savoir plus sur la façon dont nous recueillons et utilisons vos données personnelles, veuillez lire notre politique de confidentialité et notre page d’informations sur les cookies.

Everything you need to prepare for the NIS 2 Directive

Affected companies must comply by October 18, 2024.

What is NIS 2 ?Sophos solutions for NIS 2

The Network and Information Security Directive 2 (NIS 2) is designed to achieve a high common level of cybersecurity throughout the EU, with particular focus on operators of critical services and infrastructure. NIS 2 came into force in January 2023. EU Member States have until 17 October 2024 to transpose NIS 2 security requirements into their national laws and on that date all companies within the scope of NIS 2 must comply with its new requirements.

Sophos solutions for NIS 2

What’s new with NIS 2?

NIS 2 replaces the original NIS Directive introduced in 2016, which was the first piece of EU-wide legislation on cybersecurity. NIS 2 widens the scope of the initial framework to include more industries, introduces stringent supervisory measures for national authorities, places greater focus on supply chains, creates stricter enforcement and stricter penalties for non-compliance.

Read more about the scope, definitions, and context of NIS2 terminology here.

Read the NIS2 whitepaper

Who does NIS 2 apply to?

The original NIS Directive primarily applied to critical infrastructure organizations, pulling into the Directive’s requirements only 7 industry sectors as Operators of Essential Services and 3 industry sectors as Digital Services. NIS 2 significantly expands the scope to include 11 industry sectors as Essential Entities and 7 industry sectors as Important Entities.

Essential Entities are subject to a more intensive supervision regime in which both ex-ante and ex-post compliance are monitored (meaning that entities will be required to meet supervisory requirements as of the introduction of NIS2.) Important Entities are subject to a lighter form of supervision, only ex-post (meaning that action is only taken if and when authorities receive evidence of non-compliance).

An organisation is covered by the NIS 2 Directive if:

The organization provides services or carries out activities in any of the EU member states
With exceptions, the organization has at least 50 employees or an annual turnover or balance sheet of over €10 million
The organization operates in one of the 18 sectors specified by NIS 2 under Annex I and Annex II

NIS 2 identifies organizations operating in the following 18 sectors as essential entities and important entities depending on the total annual revenue and size of the organization:

*Essential Entities:

These are typically medium and large organizations seen as critical to the economy and operating in a sector listed in the left column above.

**Important Entities:

These are typically medium and large organizations seen as important to the economy but not critical and operating in a sector listed in the right column above.

Exceptions: Companies that are the sole provider of a particular service within an EU member state or disruption of their service could have a significant impact may be classified as an essential entity or

Typical criteria for an organization to be considered large:

250 employees or more; or
An annual turnover of €50 million or more and a balance sheet total of €43 million or more

Criteria for an organization to be considered medium:

50 employees or more; or
An annual turnover and balance sheet total of €10 million or more

Small or micro-organizations are not excluded from the scope of NIS 2. Member States can extend NIS 2 requirements if an entity fulfils specific criteria as a key player in society, the economy, or sectors or types of service.

Not sure if NIS 2 applies to your organization?

Take our NIS 2 self-assessment test to find out.

Take the test

Penalties for NIS 2 non-compliance

NIS 2 introduces stricter penalties for non-compliance by Essential Entities and Important Entities for their failure to meet security requirements or failure to report incidents. Although the specific fines may vary depending on the Member State, NIS 2 aims to harmonise penalties across all Member States by establishing a minimum list of administrative sanctions. The various types of penalties for non-compliance include:

Non-monetary penalties

NIS 2 gives more power to the national supervisory authorities to supervise and enforce compliance with non-monetary remedies, including:

Compliance orders (regulators can issue an order to implement specific actions)
Binding instructions (regulators can require a company to take specific actions)
Security audit implementation orders (regulatory orders implementing a security measure)
Threat notification orders to entities’ customers (public notice of non-compliance)
Temporary prohibitions (regulatory orders prohibiting management from carrying out managerial functions)

Administrative fines

For Essential Entities: a maximum fine level up to €10,000,000 or 2% of the global annual revenue, whichever is higher.
For Important Entities: a maximum up to €7,000,000 or 1.4% of the global annual revenue, whichever is higher.

Personal liability for managers of Essential Entities and Important Entities

NIS 2 includes new measures that allow Member States to hold senior management (e.g., board members, directors, leadership executives) of Essential Entities and Important Entities personally liable for NIS2 requirements. This includes requiring the company to make compliance violations public, publicly stating the nature of the violation that occurred and the person(s) at fault, and temporarily barring individuals from holding management positions. Also, management personnel may be held personally liable when having exercised gross negligence for failing to fulfil responsibilities for cybersecurity management.

Sophos solutions for NIS 2

Free webinar on NIS 2

Register for our on-demand webinar, where the experts decode NIS 2 for you. Find out how Sophos can support you in meeting the new rules.

Register now

Achieve NIS 2 compliance with Sophos

Compliance with NIS 2 is an opportunity for organizations to strengthen their security posture and resilience against cyber threats, thereby contributing to a stronger digital landscape in the EU.

Sophos can help you meet the NIS 2 requirements with confidence. Our extensive cybersecurity capabilities can help you cover key NIS 2 compliance requirements.

	Sophos Endpoint	Sophos Firewall	Sophos MDR	Sophos XDR
Policies on risk analysis
Incident handling
Business continuity
Supply chain security
Ensure security of the network and information systems, including Vulnerability handing and disclosure
Assess effectiveness of cybersecurity risk management measures
Policies regarding use of cryptography and encryption
Human resources security, access control policies and asset management
Use of multi-factor authentication
Reporting obligations

To learn more about Sophos’ intuitive security solutions that can support your NIS 2 compliance needs, download Sophos solutions for NIS 2.

Comparing NIS 2 with other cybersecurity regulations

NIS 2 is just one of the many cybersecurity regulations to which EU operators must comply. Here’s a look at the NIS 2 Directive’s relationship with other frameworks and how they overlap:

	NIS 2	GDPR	DORA	CER
EU Directive	(EU) 2022/2555	(EU) 2016/679	(EU) 2022/2554	(EU) 2022/2557
Directive Name	Network and Information Security Directive 2	General Data Protection Regulation	Digital Operational Resilience Act	Critical Entities Resilience Directive
Scope	Applies to organizations that are Essential Entities and Important Entities; replaces NIS1 (EU) 2016/1148	Applies to any organization that processes the personal data of individuals who live in the EU and the EEA	Applies to all financial entities in the EU	Applies to organizations that are considered critical according to Member State decision
Purpose	Designed to improve the cybersecurity and resilience of network and information systems across the European Union	Protects the fundamental rights and freedoms of individuals, specifically their right to privacy and the protection of personal data	In addition to cybersecurity requirements, this Directive places emphasis on the overall resilience of financial institutions	With an emphasis on the resilience and business continuity of Critical Entities designated within the Directive and provides guidance about defenses against non-cyber-related risks
Compliance status with respect to NIS 2	-	Organisations covered by NIS2, which are also data controllers or data processors under the EU GDPR, must comply with both the EU GDPR and the EU NIS2 Directives	DORA and NIS 2 are designed to work together to strengthen cybersecurity requirements; each has distinct requirements, both of which are required by financial institutions	Critical Entities must also comply with NIS 2 when it comes to cybersecurity and the CER Directive for non-cyber incidents.
Effective date	October 17, 2024	May 25, 2018	January 17, 2025	October 18, 2024
Sanctions	Includes non-monetary penalties (such as compliance orders), administrative fines and criminal sanctions. Non-compliance fines for Essential Entities can reach up to 2% of total worldwide annual turnover or €10 million (whichever is higher) whilst fines for Important Entities can be up to 1.4% of total worldwide annual turnover or €7 million	Violations of GDPR provisions may be enforced by substantial penalties, including up to €10 million or 2% of global annual turnover (Tier 1 monetary penalties) or up to €20 million or 4% of the annual global turnover (Tier 2 monetary penalties), depending on the nature of the violation	Financial penalties for breaches of DORA can be imposed, but the exact amount depends on the provisions violated and the severity of the breach. Also, regulators may take other actions, including warnings, operational restrictions, or regulatory orders that restrict operations until proof of compliance.	The penalties for non-compliance will vary by Member State but are likely to include fines, public notification, remediation, and withdrawal of authorization

Disclaimer: Specifications and descriptions are subject to change without notice. Sophos disclaims all warranties and guarantees regarding this information. The use of Sophos products alone does not comprise legal advice and does not guarantee legal compliance. The information in this document does not constitute legal advice. Customers are solely responsible for compliance with all laws and regulations and should consult their own legal counsel for advice regarding such compliance.

For more information on how to achieve your NIS 2 compliance goals before the deadline, contact us today.