All you need to know about the new NIS2 Directive

The new NIS2 directive, which entered into force in January 2023, is going to impact a wide array of organisations as national governments strive to create national legislation by October 17th of 2024. SANS and our instructors have created this hub to serve as a source of information on all you need to know about this new directive, as well as resources, infographics and checklists you can use to help prepare yourself and your organisation for NIS2.

DORA

Navigating DORA and NIS2 Compliance for Financial Sector Organisations in the EU

Catch up on this Q&A webcast session with SANS’ Brian Correia and ENISA’s Senior Cyber Policy Expert, Jurgita Skritaitė, which took place on 13th May 2025. In this session we covered:

  • Who falls within scope (including global providers)
  • Key deadlines, enforcement, and jurisdictional reach
  • Practical steps to support operational resilience and third-party compliance
NIS2 Directive Awareness and Readiness Report: a SANS Survey

SANS recently conducted a survey on global organisations' awareness and preparedness for implementing measures as a result of the new EU regulation NIS2. Our newly released white paper not only highlights findings on organizational readiness and awareness, but also offers insights into modern threat capabilities and provides actionable recommendations for effective compliance strategies and training requirements. We also hosted a webinar on October 28th during which co-author Bojan Zdrnja took viewers through the report findings and SANS recommendations.

Difference between NIS & NIS2

The NIS Directive, adopted in 2016, was the first EU-wide legislation on cybersecurity. Its main goal was to establish a common level of security for network and information systems across the European Union. The NIS2 Directive is an updated and more comprehensive version of the NIS Directive, aiming to address the shortcomings of the original legislation and to adapt to the evolving digital landscape. We’ve listed the most important differences between these two directives in a useful infographic.

Am I considered essential or important under NIS2?

| Industries & Entities considered essential | Industries & Entities considered important |
|---|---|
| Energy | Digital providers |
| Transport | Postal and courier services |
| Banking | Waste management |
| Financial market infrastructure | Food |
| Healthcare | Chemicals |
| Drinking water | Research |
| Digital infrastructure | Manufacturing |
| Managers of ICT services | |
| Wastewater | |
| Government services | |
| Aerospace | |

Essential entities:

  • are large organisations operating in a sector listed in the left column above

Important entities:

  • are medium-sized organisations operating in a sector listed in the left column above, and medium and large organisations operating in an industry listed in the right column above.

An organisation is large based on the following criteria:

  • a minimum of 250 employees, or
  • an annual turnover of €50 million or more and a balance sheet total of €43 million or more.

An organisation is medium-sized based on the following criteria:

  • 50 or more employees, or
  • an annual turnover and balance sheet total of €10 million or more.

Mapping Your Path Using The ECSF And NIS2

The European Cybersecurity Skills Framework (ECSF) is a practical tool to support the identification and articulation of tasks, competencies, skills and knowledge associated with the roles of European cybersecurity professionals. To enable you to see which skills are required for these roles and what courses and exercises might help you obtain these skills, we have created an easy-to-use mapping tool for you to discover your potential next training opportunity.

How can SANS help prepare for NIS2?

SANS offers a variety of solutions that will help you prepare for and comply with this new directive. Ranging from skill and risk assessments to cross-company security awareness training or individual role-based training and certification, we have a solution for your challenges.

Elevating Cybersecurity: The SANS-ISS Partnership and the Future of Cyber Resilience

In this case study, explore how ISS, a global facility services provider, collaborates with SANS to enhance its cybersecurity capabilities across 28 countries. The video delves into the challenges of unifying diverse IT and security departments and highlights the critical role of ongoing training to adapt to rapid technological and criminal developments. Through firsthand accounts, learn about the implementation of the SANS maturity model, the strategic benefits of SANS training programs, and how ISS is leveraging this partnership to boost corporate resilience and attract top talent in cybersecurity. Discover the pivotal role of human factors in cybersecurity and how ISS is strengthening its defenses not just technologically, but also through skilled and certified personnel.

Secure Compliance Globally

NIS2 is just one of many recent regulations that will have global repercussions. The recent US SEC ruling on Incident Reporting and Management oversight and the DOD 8140.3 ruling also have implications for organisations and government bodies on a global level.

Speak to a SANS advisor

We would like to ask you to fill out your details below and one of our SANS advisors will reach out to you directly. Feel free to provide further detail on your questions in the “Message” box as this will help the advisor better tend to your questions.