What is the NIS2 Directive?
NIS2 stands for the Network and Information Security Directive 2, a European directive adopted in 2023 as the successor to the original NIS Directive (2016). The aim of NIS2 is to strengthen the cyber resilience of organisations that provide essential or important services within the EU.
NIS2 is binding on both public and private organisations and applies also to OT environments, such as those in energy, manufacturing, drinking water and transport.
🎯 Aim of NIS2
- Mandate minimum security measures
- Improve incident response and reporting obligations
- Provide transparency and cooperation between Member States
- Uniform security requirements across critical sectors
🧱 Who is in scope of NIS2?
The directive distinguishes two types of organisation:
| Category | Examples |
|---|---|
| Essential entities | Energy, transport, drinking water, healthcare, government services |
| Important entities | Digital services, food production, chemicals, postal & courier, manufacturing |
NIS2 applies to organisations with more than 50 employees or an annual turnover of more than EUR 10 million, unless specifically exempt.
🔐 NIS2 obligations
Under NIS2, organisations must, among other things:
- Establish a risk management approach (e.g. via an ISMS)
- Report incidents within 24 hours to the national authority (e.g. the NCSC or CSIRT)
- Conduct regular security audits
- Analyse supply chain risks
- Apply network segmentation, Defense in Depth and Vulnerability Management
- Document and test Business Continuity and recovery plans
🏭 Relevance to OT
Industrial environments also fall within the scope of NIS2, including:
- SCADA systems in drinking water companies
- PLCs in power stations
- MES and Historian systems in manufacturing
- Security in line with IEC 62443 and ISO 27001 is recommended
📌 In summary
NIS2 is the European directive on digital resilience for critical and important sectors. Organisations must implement technical and organisational security measures, report incidents and structurally manage risk.
The directive entered into force on 16 January 2023; EU Member States (such as the Netherlands) had to transpose it into national law by October 2024. In the Netherlands, this is the Cyber Security Act.