Schedule a Demo
Back to Resource Center

NIS2 cyber law for essential businesses: what is the difference between NIS1 and NIS2?

About NIS2

As of January 16, 2023, the European NIS2 Directive applies to essential companies. In the Netherlands, we know the new cyber directive as NIB2. It is the successor to the NIB1. Like other EU countries, the Netherlands has until Oct. 17, 2024, to adapt national rules to the European standard. What will change? We list it for you.

The NIS cyber law now applies to essential businesses. That is, the original NIS1 applies to those sectors. Starting in 2024, guidelines will also apply to “key companies. That will improve cybersecurity in the Netherlands and in Europe among a larger number of medium to large companies.

What is the NIS2 guideline?

NIS2 is the successor to NIS1, which was introduced years back for essential businesses. The new NIS2 directive (officially: Directive (EU) 2022/2555)) was published by ENISA, the European Union Agency for Cybersecurity. The directive prescribes minimum security requirements, as well as the obligation to report (serious) incidents to the national authority or the European Computer Security Incident Response Team (CSIRT). The new directive replaces the original one, which came into force in 2016.

These are the main differences between the NIS1 and NIS2:

  • Directive applies to more sectors
    The NIS2 applies to essential companies as well as major companies. More medium-sized and large companies must start complying with the directive. In addition, the Dutch government may designate smaller companies with a high security risk that must also begin to comply.
  • List of minimum basic security
    The directive is more concrete, thanks to a list of minimum basic security that companies must implement. The directive imposes a risk management approach.
  • Division into essential and key sectors
    The new NIS directive divides companies into essential and key sectors. The distinction between operators of essential services and providers of digital services disappears.
  • Address security in the chain
    Companies must start addressing security risks in their supply chain. That includes risks created by supplier relationships.
  • Stricter supervision
    National authorities are allowed stricter supervision and enforcement. The new directive pulls penalty regimes and reporting requirements in all member states equal(er).

What are essential businesses?

The NIS directive applies to essential businesses. These sectors are:

  • Energy
  • Drinking water
  • Wastewater
  • Transportation
  • Banking
  • Financial Markets
  • Digital infrastructure
  • Public Administrations
  • Health care
  • Space

Tip: Wondering exactly which companies are “essential” or “important”? Download the table Sectors covered by NIB2 from CBS.

The new NIS2 directive will also apply to major companies. These sectors are:

  • Postal and courier services
  • Processing and distribution
  • Waste processing
  • Digital providers
  • Manufacturing companies
  • Chemical industry
  • Food industry

Difference in supervision between essential and important companies

Local authorities will proactively monitor key businesses. Supervision of key businesses will take place after the fact, if there is evidence of an incident.

Key and essential companies will have a duty to report and a duty of care. They have to put security in place in their supply chain and communicate clearly how they handle cyber incidents.

Why is the new guideline important?

The new NIS2 directive should make network and information systems at companies more secure. In this way, the Netherlands and the entire European Union should become less vulnerable to cyber attacks.

Minister Dilan Yeşilgöz-Zegerius (Justice and Security) said, “We are increasingly dependent on digital processes, especially since corona we are working more and more from home. In addition, we see a growing digital threat from both criminals and state actors that, with a war on Europe’s eastern border, is not going to abate for the time being. It is therefore now necessary to take the next step to raise the level of cybersecurity in the EU. In doing so, we will prevent digital incidents from disrupting our society.”

Minister Micky Adriaansens (Economic Affairs and Climate) adds: “We must be alert to the risks of cyber attacks. The impact can be significant, such as empty shelves in stores or industrial production outages. Managing digital security remains an individual responsibility of companies and consumers. But with this legislation we can take a step to ensure that the level of cyber security goes up among (medium) sized parties in more important sectors.”

Will you be fined if you fail to comply?

Companies that fail to comply with the new directive will receive a warning, then a reminder and then risk a large fine. The maximum fine is 10 million euros or two percent of the total annual turnover of medium to large companies.

Preventing damage from cybercrime: what can you do?

Even without a cyber law like the NIB2 in the Netherlands, it is important to take cybercrime seriously. You protect your business with, for example:

  • Security by design
    Start every meeting with (digital) security. What measures do you take to prevent abuse and what are the risks and vulnerabilities? By thinking about this as standard, you set up (new) systems more secure by default.
  • Secure connection
    Use a secure connection for your company. Prevent others from unwanted viewing or even stealing data. The secure connection is available worldwide, at any time from any location.
  • Train employees in cybersecurity
    Those who do not know what the risks are cannot possibly protect themselves against them. Train employees and make sure they recognize vulnerabilities and don’t fall into traps when cybercriminals set them up.

How EyeOn uses Guardey to comply with NIS2

Companies that need to comply with NIS2 are required to offer security awareness training to their employees.

Our customer Gezamenlijke Brandweer Amsterdam (a Dutch fire department) is an essential organization and therefor needs to adhere to the NIS2 regulation. To ensure their employees are prepared to recognize cyber threats, they use Guardey to offer security awareness training. Every week, their team plays a short 3-hour challenge that helps them to slowly build up cyber security knowledge.

Read the entire story here

Make it easy with Guardey

We understand at Guardey that you may have a lot on your mind. How do you comply with NIS2, what are the vulnerabilities at your company and how do you prevent a hack, data breach or other cybercrime?

That’s why we like to make it easy for you. With Guardey, you choose a complete cyber security solution all at once. We are plug & play, for both a secure connection, against malicious software and to train your employees professionally (but fun!).

So do you want to improve your company’s cyber security and comply with the new NIS2 directive? Discover our solution or ask us your questions. We’ll be happy to explain how you can be protected with Guardey in a very accessible, simple and affordable way.

Anouk CTA Guardey website

Experience Guardey today.

  • Try completely risk free
  • 24/7 support
Start 14-day free trial