NIS2 (Network and Information Security Directive 2) is the European Union’s updated cybersecurity directive, replacing the original NIS Directive (2016), often referred to as NIS1. NIS2 was adopted in December 2022, and the deadline for implementation by EU member states was October 17, 2024. NIS2 strengthens cybersecurity requirements across essential and important sectors to enhance cyber resilience and incident response capabilities.

The full text of the NIS2 Directive can be found here: Directive – 2022/2555 – EN – EUR-Lex.

Short Overview of Key Requirements of NIS2

The NIS2 Directive sets out several key requirements that organizations must meet to improve their cybersecurity and resilience. The main requirements are:

1. Expanded Scope and Coverage

  • NIS2 broadens the scope of the original NIS Directive (NIS1) by covering a wider range of sectors and entities, including energy, transport, health, digital infrastructure, and other essential services.
  • It also extends compliance requirements to medium and large enterprises in both the public and private sectors that provide critical infrastructure or services.
  • This ensures that organizations in both traditional and digital sectors, such as cloud providers and data centers, are included in the cybersecurity framework.

Diagram: essential entities regulated by the original NIS Directive (healthcare, banking, finance, energy) and the sectors added in NIS2 as important entities (manufacturing, waste management, research, post and others).

NIS2 kept the sectors covered by NIS1 as “essential” entities and added further sectors to the directive, categorized as “important entities”.

What is a “medium” sized enterprise in the context of NIS2?

In the European Union, a “medium” enterprise is an organization that employs at least 50 people and has an annual turnover or balance sheet total exceeding 10 million euros. Such organizations fall within the size range to which NIS2 applies and must implement its cybersecurity measures; smaller businesses are generally excluded from the full scope of NIS2.

2. Cybersecurity Risk Management and Governance

  • NIS2 mandates that organizations implement robust cybersecurity risk management measures to protect their networks and systems. This includes the need for a proactive approach to cybersecurity, covering areas such as:
    • Risk assessments and the implementation of appropriate security controls
    • Incident response plans
    • Business continuity measures to ensure critical services remain operational
  • It also requires senior management to take responsibility for cybersecurity, making them accountable for the implementation of appropriate security measures and policies.

3. Incident Reporting

  • One of the most specific and stringent requirements of NIS2 is timely incident reporting. Organizations must report significant security incidents to national authorities within 24 hours of becoming aware of them and provide a detailed report within 72 hours.
  • The directive emphasizes the need for a quick response to cybersecurity breaches to minimize impact, enable coordinated responses, and ensure relevant authorities are informed promptly.

4. Supply Chain and Third-Party Security

  • NIS2 stresses the importance of managing cybersecurity risks across supply chains and third-party services. Organizations must assess and ensure that their suppliers and service providers meet cybersecurity standards.
  • This is increasingly important as attacks often target vulnerabilities in third-party systems. Companies are required to ensure that their suppliers implement appropriate risk management practices to mitigate potential cyber risks.

5. Enhanced Cooperation and Information Sharing

  • NIS2 promotes cooperation and information-sharing among EU member states, national authorities, and private-sector organizations.
  • Member states are required to establish national Computer Security Incident Response Teams (CSIRTs). These teams facilitate collaboration, share threat intelligence, and manage cross-border cybersecurity incidents, ensuring that information about potential or active threats is shared quickly to minimize risks across the EU.

Key Differences Between NIS1 and NIS2

Comparison of NIS1 (2016) and NIS2 (2022) by area:

  • Scope. NIS1: focused on essential services (utilities, energy, healthcare, finance, etc.). NIS2: expands to important sectors (e.g., drug research, space industry, public administration, ICT services).
  • Security requirements. NIS1: basic cybersecurity measures without strict specifications. NIS2: more detailed risk management, including supply chain security, multi-factor authentication (MFA), and business continuity plans.
  • Incident reporting. NIS1: organizations must report significant incidents to national authorities. NIS2: stricter 24-hour early warning and full 72-hour incident reporting requirements.
  • Enforcement and penalties. NIS1: limited enforcement, with fines varying by country. NIS2: fines up to €10 million or 2% of global turnover, and personal liability for executives. For details, see: NIS2 Fines & Consequences | Huge Penalties for Violations.
  • Regulatory oversight. NIS1: each EU country had different enforcement mechanisms, creating inconsistencies. NIS2: harmonized rules across the EU, reducing discrepancies between member states.
  • Supply chain security. NIS1: not explicitly covered. NIS2: organizations must ensure third-party risk management and assess vendor security.
  • Management accountability. NIS1: limited responsibility for senior executives. NIS2: company executives can be held personally liable for non-compliance.
  • Cooperation between member states. NIS1: limited cooperation framework. NIS2: enhanced EU-wide collaboration, with a Cyber Crisis Response Framework for coordinated actions.

NIS2 vs DORA

NIS2 and DORA are both EU regulations enhancing cybersecurity and resilience but cover different sectors. NIS2 targets essential industries like energy, healthcare, telecom, and IT, focusing on risk management, supply chain security, and incident reporting. DORA is specific to the financial sector, ensuring operational resilience for banks, insurers, and investment firms while directly regulating ICT providers serving them. DORA places particular focus on critical third-party suppliers such as cloud providers and was conceived to handle scenarios where ICT failures at a few critical suppliers could effectively cripple a country’s banking and financial services ecosystem. For more information on DORA, please see: What is the Digital Operational Resilience Act (DORA)? Everything you need to know about DORA compliance. | eG Innovations.

Both mandate cybersecurity measures but differ in oversight—NIS2 is enforced by national cybersecurity agencies, while DORA falls under financial regulators including the European Supervisory Authorities (ESAs), comprising the European Banking Authority (EBA), the European Insurance and Occupational Pensions Authority (EIOPA), and the European Securities and Markets Authority (ESMA). Financial institutions may need to comply with both, especially if they rely on IT and telecom providers. Together, they support the EU’s goal of a unified cybersecurity framework, requiring businesses to align security and compliance strategies.

Can ISO 27000 Help You Achieve NIS2 Compliance?

Yes. The ISO/IEC 27000 series (particularly ISO/IEC 27001) can significantly help organizations align their cybersecurity practices with the NIS2 Directive and meet its key provisions. While ISO 27001 is a broad information security management framework, it overlaps substantially with the requirements of NIS2, making it an excellent tool for achieving compliance.

ISO 27001 and NIS2 both emphasize cybersecurity risk management, requiring organizations to assess and mitigate threats to critical infrastructure. ISO 27001’s Information Security Management System (ISMS) provides a structured approach that aligns with NIS2’s expectations. Both frameworks mandate incident detection and reporting, ensuring timely responses to security breaches. ISO 27001’s controls help meet NIS2’s 24-hour and 72-hour reporting requirements.

NIS2 also stresses supply chain security, which ISO 27001 supports by requiring organizations to assess third-party risks. For information on eG Innovations’ ISO 27001 and similar certifications, see: Information Security and Compliance | eG Innovations.

Continuous monitoring and governance are also key in both frameworks, reinforcing accountability and proactive cybersecurity measures.

Many useful third-party tools are available to map ISO 27001 to DORA, such as bsi-ce-nis2-mapping-tool-25-en-de.pdf.

How eG Enterprise Helps You Achieve NIS2 Compliance

Image: the scope of eG Enterprise: on-premises, cloud and hybrid IT; end-user experience, service performance and IT infrastructure performance; sectors such as eCommerce, finance, healthcare and government; and features such as transaction tracing and automated diagnostics.

eG Enterprise, with its comprehensive AI-powered, automated monitoring and observability platform, can help organizations meet the key tenets of NIS2 compliance. Here’s how some of eG Enterprise’s features align with the core requirements of the NIS2 Directive:

1. Expanded Scope and Coverage

eG Enterprise provides end-to-end observability across a wide range of IT environments, including SaaS, applications, cloud-native infrastructure, multi-cloud and hybrid environments, and traditional data centers. With converged digital experience, application and infrastructure monitoring, eG Enterprise can proactively monitor not only services but also the impact of issues on users, whether delivered via on-premises or cloud application delivery chains. In practice, this requires automatically monitoring tens of thousands or even millions of metrics, logs and traces in real time. Learn more: Designing for Scale: How eG Enterprise Manages Millions of Metrics with AIOps-driven Self-Monitoring | eG Innovations.

For details of the 650+ application and infrastructure stacks and technologies supported, see: End-to-End Monitoring: Applications, Cloud, Containers.

Image: eG Enterprise as a converged application and IT infrastructure monitoring tool.

2. Cybersecurity Risk Management

eG Enterprise helps organizations implement continuous risk management through its AI-powered anomaly detection and real-time monitoring capabilities. It can automatically detect potential security vulnerabilities and threats across an organization’s IT environment, including application performance and infrastructure.

A rich suite of synthetic monitoring tools allows organizations to continually probe systems with “robot users” to test the availability and performance of systems even when no real users are accessing services and in pre-production before real users are exposed to new systems.

The platform allows businesses to take proactive action by identifying areas of concern and ensuring that risk management measures are in place. This helps meet NIS2’s emphasis on assessing and managing cybersecurity risks to protect critical infrastructure.

Figure 1: Modern APM observability tools such as eG Enterprise will continuously monitor application processes for unusual or suspicious activity and trigger automated alerts pre-emptively to help avoid incidents.

Fundamentally, every organization that needs to comply with NIS2 should be focused on avoiding incidents. Robust monitoring is essential in any business continuity strategy. See: Protect Your Organization with the Ideal Business Continuity Strategy | eG Innovations and Establishing a Business Continuity Strategy | eG Innovations.

Image of eG Enterprise web console monitoring lots of different technologies and vendor IT stacks

Figure 2: Proactive comprehensive coverage of your application and IT infrastructure landscape within a single secure console.


3. Incident Reporting

eG Enterprise’s automated alerting, incident detection and reporting capabilities support NIS2’s incident reporting requirement. The platform continuously monitors the health of applications, infrastructure, and services, detecting issues in real time. Moreover, AIOps-powered automatic detection and deployment, auto-baselining, out-of-the-box alert thresholds and alert correlation together ensure automated day-0 coverage without alarm storms (see: What is Event Correlation? And Why Does Event Correlation Matter when Monitoring? | eG Innovations).

Topology map in eG Enterprise showing the dependencies between components, including the relationships between applications and infrastructure; colored overlays highlight the root cause of application slowness (a faulty Java application), while the error on the IIS web server is a secondary effect and is coded as less severe.

Figure 3: If incidents occur, eG Enterprise pinpoints the root cause of the problem and provides topological maps of dependencies to evaluate impacts and secondary consequences.

When incidents or breaches occur, eG Enterprise provides detailed diagnostics and real-time insights into the root cause, helping organizations meet the 24-hour reporting requirement of NIS2. It also helps generate reports, track incidents, and document resolution activities, enabling organizations to meet the 72-hour follow-up deadline.

Diagram showing "History of Alarms" window in eG Enterprise

Figure 4: Smart alarm tracking and acknowledgments along with the alarm history database ensure that incidents are continuously tracked – with live reports instantly available.

NIS2 also places great weight on governance and responsibility. Centralized dashboards and a wealth of pre-built reports enable organizations to maintain oversight and accountability, a key requirement of NIS2. Senior management can track performance and review incidents. Built-in audit trails and change and configuration tracking provide further compliance records.


4. Supply Chain Security


eG Enterprise enhances supply chain security by offering deep insights into the performance and security posture of third-party services and components. Its third-party risk monitoring tracks external dependencies and ensures that any issues within the supply chain are detected and managed proactively. A few thoughts:

  • The platform helps organizations ensure that their third-party service providers and integrated systems are scrutinized, and inter-dependencies are understood, which aligns with NIS2’s requirement to assess and mitigate risks from third-party suppliers.
  • SaaS and open-source solutions will come under increased scrutiny. For some considerations on these see: Should I Trust a SaaS Vendor or Product? | eG Innovations and Open-source IT Monitoring Tools | eG Innovations.
  • The increasing reliance of many sectors on a few large hyperscaler cloud providers (Google GCP, Microsoft Azure, Amazon AWS and a few others) is of particular concern. Organizations using such clouds need strong monitoring tooling to handle events such as cloud outages, especially if their internal communication tools (Outlook, MS Teams, email systems and so on) have cloud dependencies. See: How to Protect your IT Ops from Cloud Outages.
  • We take the responsibility for our own product development processes and supply chain very seriously and participate in several externally scrutinized and audited certification programs, see: Information Security and Compliance | eG Innovations.

A brief overview of supply chain risks can be found here: What is supply chain risk management (SCRM)? | Definition by TechTarget.

5. Enhanced Cooperation and Information Sharing

eG Enterprise supports cross-team collaboration and information sharing through its centralized platform, which provides a unified view of system health and security data. Teams across different departments (IT, AppDev, security, compliance, management) can collaborate and access real-time insights, enabling better incident management and faster resolution.

Image of the AVD Connection failure report in the eG Enterprise console's "Reporter" tab

Figure 5: Built-in reports from eG Enterprise allow deep analysis of recurrent issues, so organizations can prioritize long-term solutions that improve the operational uptime and availability essential for business continuity.

By integrating with existing Security Information and Event Management (SIEM) and Information Technology Service Management (ITSM) tools and facilitating cross-functional workflows, eG Enterprise contributes to the cooperation and information sharing aspect of NIS2. It ensures that cybersecurity teams and external authorities can be informed and collaborate efficiently when needed.

eG Enterprise sign-in reports, including details of password spray attacks.

Figure 6: Brute force and password spraying attacks can be easily identified via proactive monitoring of authentication technologies and the details examined via built-in reports.
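As an added example (not eG Enterprise's code; the log format, sample records and thresholds are constructed for illustration), the following Python classifies failed sign-ins into the password-spray and brute-force patterns that Figure 6 describes, and starts the NIS2 24-hour early-warning and 72-hour incident-notification clock from the moment of detection:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in records (time, user, source IP, result): not real data, not eG's format.
SAMPLE_LOG = """\
2024-10-18T08:00:01Z alice 198.51.100.7 FAIL
2024-10-18T08:00:03Z bob 198.51.100.7 FAIL
2024-10-18T08:00:05Z carol 198.51.100.7 FAIL
2024-10-18T08:00:07Z dave 198.51.100.7 FAIL
2024-10-18T08:01:00Z alice 203.0.113.9 FAIL
2024-10-18T08:01:02Z alice 203.0.113.9 FAIL
2024-10-18T08:01:04Z alice 203.0.113.9 FAIL
2024-10-18T08:01:06Z alice 203.0.113.9 FAIL
2024-10-18T08:02:20Z grace 192.0.2.5 OK
"""

def parse_log(text):
    """Yield (time, user, source, ok) tuples from the whitespace-separated format above."""
    for line in text.splitlines():
        ts, user, src, result = line.split()
        yield datetime.fromisoformat(ts.replace("Z", "+00:00")), user, src, result == "OK"

def _first_breach(events, window, threshold, measure):
    """Slide `window` over time-ordered failures; return the ISO time at which measure() first reaches threshold."""
    recent = []
    for t, user in events:
        recent.append((t, user))
        while t - recent[0][0] > window:      # drop failures older than the window
            recent.pop(0)
        if measure(recent) >= threshold:
            return t.isoformat()

def detect_auth_attacks(text, window=timedelta(minutes=10), spray_users=4, brute_fails=4):
    """Spray: one source fails against >= spray_users accounts; brute force: one (source, user) fails >= brute_fails times."""
    by_source, by_pair = defaultdict(list), defaultdict(list)
    for t, user, src, ok in parse_log(text):
        if not ok:                            # only failed sign-ins count towards either rule
            by_source[src].append((t, user))
            by_pair[(src, user)].append((t, user))
    rules = (("password_spray", by_source, spray_users, lambda r: len({u for _, u in r})),
             ("brute_force", by_pair, brute_fails, len))
    findings = {}
    for kind, groups, threshold, measure in rules:
        for key, events in groups.items():
            hit = _first_breach(events, window, threshold, measure)
            if hit:
                findings[(kind, key)] = hit   # key: source IP, or (source IP, user)
    return findings

def nis2_deadlines(aware_at):
    """Reporting clock from the moment of becoming aware (ISO-8601 string): early warning 24h, notification 72h."""
    t0 = datetime.fromisoformat(aware_at)
    return {"early_warning": (t0 + timedelta(hours=24)).isoformat(),
            "incident_notification": (t0 + timedelta(hours=72)).isoformat()}
```

The thresholds are deliberately low so the sample triggers both rules; in production they would be tuned per authentication system and correlated with other signals, as the event correlation article linked above discusses.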

Conclusions

eG Enterprise’s features, including AI-driven monitoring, real-time incident detection, supply chain monitoring, and cross-team collaboration tools, align closely with the core tenets of NIS2. By leveraging eG Enterprise, organizations can streamline their compliance efforts while improving cybersecurity and resilience across critical services.


eG Enterprise is an Observability solution for Modern IT. Monitor digital workspaces,
web applications, SaaS services, cloud and containers from a single pane of glass.
