
NIS2 cyber law for essential businesses: what is the difference between NIS1 and NIS2?

About NIS2

As of January 16, 2023, the European NIS2 Directive applies to essential companies. In the Netherlands, the new cyber directive is known as NIB2, the successor to NIB1. Like other EU countries, the Netherlands has until October 17, 2024, to adapt its national rules to the European standard. What will change? We list it for you.

The NIS cyber law currently applies to essential businesses; that is, the original NIS1 applies to those sectors. Starting in 2024, the directive will also apply to “key companies”. That will improve cybersecurity in the Netherlands and in Europe among a larger number of medium to large companies.

What is NIS2 guideline?

NIS2 is the successor to NIS1, which was introduced years back for essential businesses. The new NIS2 directive (officially: Directive (EU) 2022/2555) was published by ENISA, the European Union Agency for Cybersecurity. The directive prescribes minimum security requirements, as well as the obligation to report (serious) incidents to the national authority or the European Computer Security Incident Response Team (CSIRT). The new directive replaces the original one, which came into force in 2016.

These are the main differences between the NIS1 and NIS2:

  • Directive applies to more sectors
    The NIS2 applies to essential companies as well as major companies. More medium-sized and large companies must start complying with the directive. In addition, the Dutch government may designate smaller companies with a high security risk that must also begin to comply.
  • List of minimum basic security
    The directive is more concrete, thanks to a list of minimum basic security that companies must implement. The directive imposes a risk management approach.
  • Division into essential and key sectors
    The new NIS directive divides companies into essential and key sectors. The distinction between operators of essential services and providers of digital services disappears.
  • Address security in the chain
    Companies must start addressing security risks in their supply chain. That includes risks created by supplier relationships.
  • Stricter supervision
    National authorities are given stricter supervision and enforcement powers. The new directive also brings penalty regimes and reporting requirements in all member states more closely into line with each other.

What are essential businesses?

The NIS directive applies to essential businesses. These sectors are:

  • Energy
  • Drinking water
  • Wastewater
  • Transportation
  • Banking
  • Financial Markets
  • Digital infrastructure
  • Public Administrations
  • Health care
  • Space

Tip: Wondering exactly which companies are “essential” or “important”? Download the table Sectors covered by NIB2 from CBS.

The new NIS2 directive will also apply to major companies. These sectors are:

  • Postal and courier services
  • Processing and distribution
  • Waste processing
  • Digital providers
  • Manufacturing companies
  • Chemical industry
  • Food industry

Difference in supervision between essential and important companies

Local authorities will proactively monitor essential businesses. Supervision of key businesses will take place after the fact, if there is evidence of an incident.

Key and essential companies will have a duty to report and a duty of care. They have to put security in place in their supply chain and communicate clearly how they handle cyber incidents.

Why is the new guideline important?

The new NIS2 directive should make network and information systems at companies more secure. In this way, the Netherlands and the entire European Union should become less vulnerable to cyber attacks.

Minister Dilan Yeşilgöz-Zegerius (Justice and Security) said, “We are increasingly dependent on digital processes, especially since corona we are working more and more from home. In addition, we see a growing digital threat from both criminals and state actors that, with a war on Europe’s eastern border, is not going to abate for the time being. It is therefore now necessary to take the next step to raise the level of cybersecurity in the EU. In doing so, we will prevent digital incidents from disrupting our society.”

Minister Micky Adriaansens (Economic Affairs and Climate) adds: “We must be alert to the risks of cyber attacks. The impact can be significant, such as empty shelves in stores or industrial production outages. Managing digital security remains an individual responsibility of companies and consumers. But with this legislation we can take a step to ensure that the level of cyber security goes up among (medium) sized parties in more important sectors.”

Will you be fined if you fail to comply?

Companies that fail to comply with the new directive will receive a warning, then a reminder and then risk a large fine. The maximum fine is 10 million euros or two percent of the total annual turnover of medium to large companies.

Preventing damage from cybercrime: what can you do?

Even without a cyber law like the NIB2 in the Netherlands, it is important to take cybercrime seriously. You protect your business with, for example:

  • Security by design
    Start every meeting with (digital) security. What measures do you take to prevent abuse, and what are the risks and vulnerabilities? By thinking about this as standard, you set up (new) systems more securely by default.
  • Secure connection
    Use a secure connection for your company. Prevent others from viewing or even stealing your data. The secure connection is available worldwide, at any time, from any location.
  • Train employees in cybersecurity
    Those who do not know what the risks are cannot possibly protect themselves against them. Train employees and make sure they recognize vulnerabilities and don’t fall into the traps that cybercriminals set for them.

Make it easy with Guardey

We understand at Guardey that you may have a lot on your mind. How do you comply with NIS2, what are the vulnerabilities at your company and how do you prevent a hack, data breach or other cybercrime?

That’s why we like to make it easy for you. With Guardey, you choose a complete cyber security solution all at once. We are plug & play: a secure connection, protection against malicious software, and professional (but fun!) training for your employees.

So do you want to improve your company’s cyber security and comply with the new NIS2 directive? Discover our solution or ask us your questions. We’ll be happy to explain how you can be protected with Guardey in a very accessible, simple and affordable way.

Frequently Asked Questions

What is gamification?

Gamification is adding game elements into non-game environments, such as security awareness training, to increase participation and foster active learning.

What are the benefits of gamification in security awareness training?

Traditional security awareness training can often be dry and boring. With gamification, the complex subject matter is transformed into an engaging and memorable experience.

By integrating game elements such as challenges, quizzes and rewards, it incentivizes users to actively learn. This makes the training more enjoyable and fosters a sense of competition and achievement. This combination drives better retention and application of cyber security knowledge.

Why is it important to train security awareness on a weekly basis?

Research shows that up to 90% of the learnings from yearly or even quarterly training are forgotten within a few weeks. Guardey was built to keep its users aware of cyber threats 365 days a year. The game comes with short, weekly challenges that slowly build up the user’s knowledge and eventually drive lasting behavior change.

Which topics are covered in Guardey’s security awareness game?

Guardey covers a wide array of topics to train users about all currently relevant cyber threats, put together in collaboration with ethical hackers and educationalists. The topics covered include phishing, remote work, password security, CEO fraud, ransomware, smishing, and much more.

How much time do the weekly challenges take?

Every challenge takes up to three minutes to complete.

Can I use Guardey to comply with the ISO27001, NIS2, and GDPR security awareness policies?

Yes. ISO27001, NIS2, and GDPR all require that all employees receive appropriate security awareness training. Guardey is always up-to-date with the latest cyber threats, policies, and procedures.

Is security awareness training important for all employees, or just specific roles?

Cybersecurity awareness training is crucial for all employees, not just specific roles. Every staff member can potentially be a target or an unwitting entry point for cyber attacks. Training helps create a security-focused culture and minimizes risks for the entire organization.

While certain roles may require specialized training, a foundational level of training should be accessible to everyone.

In which languages is Guardey available?

Guardey is available in English, Dutch, Italian, French, Spanish, German, Polish, Swedish and Danish.

Anouk ter Harmsel
