NIS2 - European Directive for Network and Information Security

The new European NIS2 directive is a hot topic in the world of cybersecurity. NIS2 stands for Network and Information Security Directive 2, and it is a legislative framework aimed at improving cybersecurity in the European Union.

The first NIS directive, introduced in 2016, required EU countries to develop national cybersecurity strategies and to mandate that companies in certain sectors, such as finance and energy, implement appropriate security measures. NIS2 is the successor to this directive and builds on the experiences and insights gained since the introduction of the first directive. By the end of 2024, we can expect the new Belgian NIS2 legislation.


NIS1 and NIS2

In 2016, the NIS-1 directive came into effect as the first EU legislation on cybersecurity. The directive was then converted into Belgian legislation in 2019. The NIS-1 directive requires member states to develop national cybersecurity strategies and collaborate across borders through the NIS Cooperation Group and the CSIRT network. It also obliges member states to designate providers of essential services in sectors such as energy, transportation, banking, financial markets, healthcare, drinking water, and digital infrastructure. These providers must take minimum security measures and have an obligation to report serious incidents. Providers of essential digital services must also comply with these requirements.

Since the implementation of the NIS-1 directive in 2016, the European Commission has examined its effectiveness and found that its scope is too limited. Cyber threats have increased significantly in recent years, while our economic and social connectivity and dependence on the digital world have grown. There is a lack of clarity on the scope and powers of the directive. In addition, there are significant differences between national approaches, and there is a general lack of information exchange.

To address these issues, the Commission has proposed expanding the scope of NIS-1 to more sectors and entities, particularly to harmonize identification rules and expand security requirements. These adjustments are included in the new NIS-2 directive.

Does NIS-2 apply to your company?

The NIS2 directive is extensive and now applies to medium and large entities from a range of sectors that are critical to the economy and society. These include providers of public electronic communication services, digital services, wastewater and waste management, manufacturing of critical products, postal and courier services, food companies, and medical companies.

Companies must determine for themselves whether they fall under the directive. In general, the directive applies to large and medium-sized companies with 50 or more employees or a balance sheet total of at least 10 million euros. Initeam also advises (smaller) companies to develop a cybersecurity plan and protect themselves against increasing digital threats.

What is the purpose of NIS2?

The NIS2 directive aims to increase awareness of cybersecurity so that governments and businesses are better prepared for the increasing threats in this area. In addition to promoting awareness, the revised directive also focuses on securing supply chains and relationships between suppliers. Furthermore, stricter accountability of top management is introduced to ensure that cybersecurity obligations are met.

To ensure compliance with the directive, reporting obligations are streamlined and stricter supervisory measures and enforcement requirements are introduced for national authorities. The sanction regimes in the Member States are also harmonized. With this, the NIS2 directive aims to promote an effective and uniform approach to cybersecurity within the EU.
