Carlos Fragoso

The NIS2 Mandate: What Every Organization Needs to Know

While there are currently few details regarding the controls required for compliance, companies can always enhance their cybersecurity.

June 3, 2024

This is Part 6 of a multi-blog series on the new NIS2 Directive. Explore the complete series:

  • Part 1
  • Part 2
  • Part 3
  • Part 4
  • Part 5

The Network and Information Security Directive (NIS2) is currently being translated into national legislation by European Union (EU) member states. In this series, we ask SANS instructors and seasoned cybersecurity experts about the implications of NIS2 for organizations. Carlos Fragoso is a digital forensics and incident response subject matter expert at Maltego and a SANS instructor for SEC401 and SEC504.

NIS2 is the successor to the 2016 European Network and Information Systems Directive (NIS). The first version aimed to improve the cybersecurity posture and risk management of critical infrastructure and digital service providers in all member states. "We all remember 2020 being a very disruptive year with the COVID pandemic," said Fragoso. "The lockdowns as well as the many data breaches like the SolarWinds attack caused a quick digital transformation and evolution of the threat landscape causing a significant impact on supply chains and essential services. The EU noticed inconsistencies in how member states applied the first directive, so they devised an enhanced and extended directive in January 2023. This NIS2 directive is currently being shaped into each member state's national legislation, which must be done by October 17th, 2024. The goal of this new directive is to increase resiliency and reduce inconsistency in the internal EU market."

Who Must Comply?

The NIS2 directive increases the number of sectors that must comply to 18: eleven sectors of high criticality (Annex I of the Directive) and seven other critical sectors (Annex II). Whether an organization in one of these sectors is classified as an essential entity or an important entity depends on its sector and its size (see the Which Organizations Are Essential or Important? section below). "An organization can identify if they fall under NIS2 if they operate in one of the mentioned sectors or provide digital services like domain name registration or operations, cloud computing, online marketplaces, or search engines," said Fragoso. "It is still too early to discuss criteria or benchmarks because all member states are still developing national legislation. However, I assume there would be some levels or certifications that will show they are compliant."

Supply Chain Security

NIS2 requires organizations to apply cybersecurity controls that are mapped to the new regulation. "This could have a considerable impact on those organizations that were not in the scope of NIS1, especially if their current cybersecurity governance or maturity level is not high. They will have to increase the bar quickly to be compliant,” Fragoso said. This also goes for companies that may not directly fall under the scope of NIS2, as that directive has some precise demands on supply chain security. "In the past, we have seen that not all companies can properly identify how others could impact them. So, the new directive wants organizations to identify all components and their providers that could impact the organization within the product or service it provides. Organizations then need to establish the risk of those components and act accordingly."

Stricter Requirements for Reporting

Another new NIS2 requirement focuses on cybersecurity incident notification, explained Fragoso. "You will need to notify your reference cybersecurity incident response team (CSIRT) within 24 hours when there is an incident with significant impact." The 24-hour deadline is the first of several steps: Article 23 of the Directive stages reporting as an early warning within 24 hours, a fuller incident notification within 72 hours, and a final report within one month, with intermediate updates on request. The new directive also mentions a specific network for coordinated cyber crisis management: EU CyCLONe. "I don't yet have the details of this specific element of the directive," said Fragoso. "However, I would guess this would mean a coordinating body to ensure a cybersecurity crisis can be managed across all EU member states. We already have an EU cybersecurity agency, the European Union Agency for Cybersecurity (ENISA), so I am assuming at this moment that ENISA will probably take some of these coordination roles because they already have the mandate of the EU to do this kind of thing."

Preparing for NIS2

In terms of preparing for NIS2, Fragoso believes that while there are currently few details regarding the controls organizations must have in place to comply, companies can always enhance their current cybersecurity posture. "All organizations should start a project to review NIS2 and national legislation as soon as this is made public by national governments, to map their cybersecurity controls. Most of the required controls may already be in place but need adaptation," said Fragoso. He pointed out that companies that meet industry security standards like ISO will probably already have many of the required controls. "However, we may see some things shift from being optional to mandatory under the NIS2 legislation." At the same time, Fragoso said, organizations should start preparing their teams with skills development and cybersecurity training, considering standards such as the European Cybersecurity Skills Framework (ECSF) and related US frameworks like those from NIST and NICE.

Exercises and Training are Key to Compliance

Fragoso advised organizations to commence cybersecurity exercises if they are not being done regularly. "This should be done as part of incident readiness. Obviously, when applying controls to better protect, early detect, and better react to any potential incident, you need to test those. The best way to do this is by doing cybersecurity exercises. In the past, many of those exercises were at a very tactical or operational level, but seeing as NIS2 now also makes management liable for the organization's cybersecurity, it is essential to conduct these exercises on a broader level." This also applies to training all staff within the organization. All staff, not just the people on the shop floor or the IT and security staff, must comply with the new regulations. This includes management and top-level executives, as they will be liable for any significant incident according to NIS2. "Organizations need to step up their game regarding cybersecurity knowledge, skills and ability," said Fragoso.

Law Enforcement

NIS2 does not explicitly apply to entities in areas such as defense, national security, public security, or law enforcement; however, the scope indirectly affects them as governments try to enforce and ensure NIS2 compliance. "So, most member states must not only locally translate NIS2, but also have the knowledge and understanding of how to do it and be able to advise on implementation and strategy. And they must of course get involved in cyber-attack investigation when notified by victim organizations that fall under NIS2. Government agency, retainer, or contractor digital forensics and incident response (DFIR) teams must understand the aspects that need to be considered for preparation, such as cybersecurity exercises and proper response, including coordination and notification," Fragoso said.

NIS2 Won't Affect DFIR Teams

Fragoso couldn't say for certain whether NIS2 will make the lives of DFIR experts easier or more difficult. "I don't think NIS2 will affect DFIR as a discipline because we have already adapted the discipline to response and investigative processes. Dealing with cybersecurity isn't something we started yesterday," Fragoso said, smiling. "We've been doing it for quite some years now. So, in the short term, NIS2 may cause a work overload for governance, legal, and security teams to ensure the organization has a plan and implements the required controls. In the middle term, there may be a period to clarify ambiguities and fix anomalies or incorrectly implemented aspects of the plan. But my guess is their lives will be easier in the long term because having a framework and security controls ultimately helps everyone." The framework in place may help DFIR teams enforce cybersecurity controls within the company more easily. "It gives them more power, authority, and visibility."

Advice on Preparation

One of the most important things organizations can engage in at this time is a discussion with their government bodies to get relevant information about the local NIS2 implementation as early as possible. "Also, it's probably wise to hire an advisor, some external body, to help understand what controls need to be in place and how to best comply with the new legislation. Someone outside your company can be more neutral when you try to get things done internally," explained Fragoso. Last but certainly not least, Fragoso urges companies to ensure they are incident-ready by testing their organization against cybersecurity exercises. "Some organizations are already doing this as part of another regulation, but they may only do one annual exercise because they are mandatory. I advise companies to do them periodically, at least twice or thrice yearly so you can have an incident readiness program covering the proper processes, technology, and people."

Continuous Improvement

NIS will be a continuous improvement process. Fragoso predicts that this second version of the directive will also prove to have inconsistencies between member states or elements that need to be clearer. "And then we can probably expect NIS version 3 as an improvement on this current directive, as when it comes to cybersecurity, we will never be fully finished in protecting EU organizations and improving their cybersecurity posture."

Which Organizations are Essential or Important?

Essential Entities: Large organizations operating in a sector from Annex I of the NIS2 Directive.

Important Entities: Medium-sized organizations operating in an Annex I sector, and medium-sized and large organizations operating in an Annex II sector.

An organization is considered large based on the following criteria:

  • A minimum of 250 employees, or
  • An annual turnover of €50 million or more and a balance sheet total of €43 million or more.

An organization is considered medium-sized based on the following criteria:

  • 50 or more employees, or
  • An annual turnover and balance sheet total of €10 million or more.

These size bands are the EU SME definition (Commission Recommendation 2003/361/EC) that NIS2 refers to. Size is not the only test, however: Article 2(2) of the Directive brings certain providers into scope regardless of their size, for example DNS service providers, top-level-domain name registries, qualified trust service providers, and providers of public electronic communications networks, so an organization below the medium-sized threshold should still check whether it falls under one of those categories.
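The classification above is a small decision rule with an easy-to-misread AND/OR structure (headcount alone is enough for a size band; the two financial figures must both be met). The following is an added example, not code from the original post or from SANS, that encodes only the thresholds and the Annex I/Annex II rules as stated on this page so a team can screen a supplier or subsidiary list; the `Org` record, the annex numbering (1 for Annex I, 2 for Annex II, `None` for neither) and the sample organizations are constructed for the example, and the size-independent scoping rules of Article 2(2) are deliberately not modelled.

```python
"""Added example: classify organizations as NIS2 'essential' or 'important'
entities using the size bands and Annex sector rules given in this blog post.

This encodes only what the post states.  It does not model Article 2(2)
(providers that are in scope regardless of size) or member-state designations.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Size(Enum):
    SMALL = "small"      # below the medium-sized thresholds on this page
    MEDIUM = "medium"
    LARGE = "large"


@dataclass(frozen=True)
class Org:
    """Constructed record for the example (not a NIS2 data structure)."""
    name: str
    employees: int
    turnover_eur: float        # annual turnover in EUR
    balance_sheet_eur: float   # balance-sheet total in EUR
    annex: Optional[int]       # 1 = Annex I sector, 2 = Annex II sector, None = neither


def size_class(org: Org) -> Size:
    """Size band per the thresholds stated on the page.

    Headcount alone is sufficient; otherwise BOTH financial figures must
    reach the band's threshold (that is the part people tend to get wrong).
    """
    if org.employees >= 250 or (
        org.turnover_eur >= 50e6 and org.balance_sheet_eur >= 43e6
    ):
        return Size.LARGE
    if org.employees >= 50 or (
        org.turnover_eur >= 10e6 and org.balance_sheet_eur >= 10e6
    ):
        return Size.MEDIUM
    return Size.SMALL


def nis2_category(org: Org) -> str:
    """'essential', 'important', or 'out of scope' by the page's size/sector rules."""
    size = size_class(org)
    if org.annex == 1 and size is Size.LARGE:
        return "essential"
    if (org.annex == 1 and size is Size.MEDIUM) or (
        org.annex == 2 and size is not Size.SMALL
    ):
        return "important"
    # Small organizations, and organizations outside both annexes, are not
    # caught by the size/sector rules. Article 2(2) may still apply to them.
    return "out of scope"


def screen(orgs: List[Org]) -> dict:
    """Map each organization name to its category, for bulk screening."""
    return {org.name: nis2_category(org) for org in orgs}


if __name__ == "__main__":
    # Constructed sample organizations; the figures are illustrative only.
    sample = [
        Org("Regional Grid Operator", 900, 400e6, 700e6, 1),   # large, Annex I
        Org("District Heating Co", 80, 20e6, 15e6, 1),         # medium, Annex I
        Org("Boutique Exporter", 10, 60e6, 20e6, 1),           # 2 financials: medium, not large
        Org("Parcel Courier", 400, 90e6, 60e6, 2),             # large, Annex II
        Org("Food Processor", 60, 12e6, 11e6, 2),              # medium, Annex II
        Org("Village Bakery", 8, 1e6, 0.5e6, 1),               # small: size rules do not catch it
        Org("Advertising Agency", 1200, 500e6, 300e6, None),   # outside both annexes
    ]
    for name, category in screen(sample).items():
        print(f"{name:24s} -> {category}")
```

The "Boutique Exporter" row is the case worth noticing: a €60M turnover looks "large", but with a balance sheet below €43M and fewer than 250 employees it only reaches the medium band, so in an Annex I sector it is an important entity rather than an essential one.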

In this series on NIS2, we highlight the new directive from different angles so that CISOs and their organizations can gain insight into how to deal with NIS2.

Achieving NIS2 compliance is a significant milestone for any organization. Let SANS be your guide, with our comprehensive learning paths, certifications, and resource center tailored to your needs. Embark on your compliance journey at www.sans.org/mlp/nis2.

As SANS maps out industry preparedness for the new EU Commission's NIS2 Directive, your insights are invaluable. Please take a moment to complete the NIS2 survey to contribute to our research. Your feedback will help us provide the guidance and resources needed for this and future directives.

Continue reading in Part 7 of our NIS2 Compliance series here.


Tags:
  • Cybersecurity Leadership
