
NIS2 cyber law for essential businesses: what is the difference between NIS1 and NIS2?

About NIS2

The European NIS2 Directive entered into force on January 16, 2023. In the Netherlands the new cyber directive is known as NIB2, the successor to NIB1. Like every other EU member state, the Netherlands has until October 17, 2024 to transpose the European rules into national law. What will change? We list it for you.

Until now, the NIS cyber law has applied only to essential businesses: the original NIS1 covers those sectors. From 2024, the rules will also apply to “important” entities. That will raise the level of cybersecurity in the Netherlands and across Europe among a much larger number of medium-sized and large companies.

What is the NIS2 directive?

NIS2 is the successor to NIS1, which was introduced years ago for essential businesses. The new NIS2 directive (officially: Directive (EU) 2022/2555) was adopted by the European Parliament and the Council and published in the Official Journal of the EU; ENISA, the European Union Agency for Cybersecurity, supports member states in implementing it. The directive prescribes minimum security requirements and obliges companies to report significant incidents to the national competent authority or the national Computer Security Incident Response Team (CSIRT): an early warning within 24 hours of becoming aware of the incident, a full notification within 72 hours, and a final report within one month. The new directive replaces the original one (Directive (EU) 2016/1148), which came into force in 2016.

These are the main differences between the NIS1 and NIS2:

  • Directive applies to more sectors
    NIS2 applies to essential entities as well as important entities. More medium-sized and large companies must start complying with the directive. In addition, the Dutch government may designate smaller companies with a high security risk that must also comply.
  • List of minimum security measures
    The directive is more concrete, thanks to a list of minimum security measures (Article 21) that companies must implement: policies on risk analysis and information system security, incident handling, business continuity (backups, disaster recovery, crisis management), supply chain security, secure acquisition, development and maintenance of systems including vulnerability handling and disclosure, procedures to assess the effectiveness of measures, basic cyber hygiene and training, cryptography and encryption, human resources security, access control and asset management, and multi-factor or continuous authentication with secured communications. The directive imposes a risk management approach.
  • Division into essential and important entities
    The new directive divides companies into essential and important entities. The NIS1 distinction between operators of essential services and digital service providers disappears.
  • Address security in the chain
    Companies must address security risks in their supply chain, including risks arising from their relationships with suppliers and service providers.
  • Stricter supervision
    National authorities get stricter supervisory and enforcement powers, and the directive harmonizes penalty regimes and reporting requirements across member states far more than NIS1 did.

What are essential businesses?

NIS2 lists the sectors of high criticality (Annex I) in which companies can be essential entities. These sectors are:

  • Energy
  • Drinking water
  • Wastewater
  • Transport
  • Banking
  • Financial market infrastructure
  • Digital infrastructure
  • ICT service management (business-to-business)
  • Public administration
  • Health care
  • Space

As a rule of thumb, large companies (250 or more employees, or more than 50 million euros in turnover and a balance sheet total above 43 million euros) in the sectors above are essential entities. Medium-sized companies (50 or more employees, or more than 10 million euros in turnover) in those sectors, and medium-sized and large companies in the sectors below, are important entities. Tip: Wondering exactly which companies count as “essential” or “important”? Download the table Sectors covered by NIB2 from CBS.

The new NIS2 directive also applies to important entities in the other critical sectors (Annex II). These sectors are:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing
  • Digital providers
  • Research

Difference in supervision between essential and important companies

National authorities will proactively supervise essential entities (ex ante). Supervision of important entities takes place after the fact (ex post), when there is evidence of an incident or of non-compliance.

Both essential and important entities have a duty to report and a duty of care. They must secure their supply chain and communicate clearly how they handle cyber incidents.

Why is the new directive important?

The new NIS2 directive should make the network and information systems of companies more secure, so that the Netherlands and the European Union as a whole become less vulnerable to cyber attacks.

Minister Dilan Yeşilgöz-Zegerius (Justice and Security) said, “We are increasingly dependent on digital processes, especially since corona we are working more and more from home. In addition, we see a growing digital threat from both criminals and state actors that, with a war on Europe’s eastern border, is not going to abate for the time being. It is therefore now necessary to take the next step to raise the level of cybersecurity in the EU. In doing so, we will prevent digital incidents from disrupting our society.”

Minister Micky Adriaansens (Economic Affairs and Climate) adds: “We must be alert to the risks of cyber attacks. The impact can be significant, such as empty shelves in stores or industrial production outages. Managing digital security remains an individual responsibility of companies and consumers. But with this legislation we can take a step to ensure that the level of cyber security goes up among (medium) sized parties in more important sectors.”

Will you be fined if you fail to comply?

Companies that fail to comply with the new directive can expect a warning first, then a reminder, and ultimately risk a large fine. For essential entities the maximum fine is 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher; for important entities it is 7 million euros or 1.4 percent.

Preventing damage from cybercrime: what can you do?

Even without a cyber law like the NIB2 in the Netherlands, it is important to take cybercrime seriously. You protect your business with, for example:

  • Security by design
    Put (digital) security on the agenda from the start of every project. What measures do you take to prevent abuse, and what are the risks and vulnerabilities? By asking this as standard, you set up (new) systems secure by default instead of bolting security on afterwards.
  • Secure connection
    Use a secure connection for your company to prevent others from viewing or even stealing your data. The secure connection is available worldwide, at any time and from any location.
  • Train employees in cybersecurity
    Those who do not know the risks cannot protect themselves against them. Train employees so that they recognize vulnerabilities and do not fall into the traps that cybercriminals set.

Make it easy with Guardey

We understand at Guardey that you may have a lot on your mind. How do you comply with NIS2, what are the vulnerabilities at your company and how do you prevent a hack, data breach or other cybercrime?

That’s why we like to make it easy for you. With Guardey, you choose a complete cyber security solution in one go. We are plug & play: a secure connection, protection against malicious software and professional (but fun!) training for your employees.

So do you want to improve your company’s cyber security and comply with the new NIS2 directive? Discover our solution or ask us your questions. We’ll be happy to explain how you can be protected with Guardey in a very accessible, simple and affordable way.

Frequently Asked Questions

What is Guardey in short?

You just want to know what Guardey is, in a few lines, not scrolling through the whole website. We got you covered. Here you are:

Guardey focuses on three parts of your cyber security:

A safe and encrypted VPN connection via Guardey’s secure infrastructure or a Site-to-Site VPN.

We analyze the packets passing through the VPN tunnel, give clear insight into your data infrastructure, and alert you to threats such as ransomware, viruses and irregularities in your network.

Your cyber security is as strong as your weakest link. With Guardey, you can educate your whole team and increase awareness in a fun and efficient way through gamification.

It’s an advanced software-as-a-service with applications for Windows and macOS and an online platform for reporting and for managing your teams and company policies.

How does the free trial work?

Your free 14-day trial with Guardey is based on our Basic plan. In the Basic plan, all alarms are only available to yourself or your own company, and you manage the alarms in-house. We don’t need any payment information to start your trial, and you can invite as many users as you want.

The majority of SMEs don’t have an in-house IT department or a team of cyber security specialists. Therefore we also offer Guardey co-managed and Guardey custom. In both plans, you can connect Guardey to a preferred Guardey IT partner or, of course, your own IT partner.

They can semi or fully manage the alarms and the health of your infrastructure so that you can focus on your business.

After your 14-day free trial, you can decide whether you want to continue with a paid plan. Upgrading during your trial period ends your trial and moves you to a paid plan. You need a verified payment method to upgrade.

How can I pay after the trial period?

We don’t ask for any payment information to start your trial.

If you want to upgrade during or after your free trial to a paid plan, you can use one of the below payment methods:

  1. Credit cards (Visa, MasterCard, American Express, Maestro, PostePay, Cartes Bancaires)
  2. PayPal
  3. Direct Debit (iDEAL, SEPA)

Can I up- or downgrade to a different plan?

Yes, you can! You can always upgrade immediately; the costs are calculated pro rata on your next invoice. A downgrade takes effect from your next payment period.


Anouk ter Harmsel
