
NIS2 and IoT: What is it and is your organization ready?

NIS2 is the new European directive intended to strengthen the digital resilience of critical sectors such as healthcare and government. With stricter rules, higher fines, and more responsibility for directors, the impact is significant, both for the companies in scope and for their entire supply chain. NIS2 is relevant for almost all companies that want to implement an IoT solution: an IoT device is part of the network and information systems you must secure, and its supplier is part of the supply chain you must assess. Selecting the right sourcing partner for your IoT hardware and/or IoT software therefore becomes extremely relevant; VADnet members are IoT specialists and can help you further.

But what exactly does NIS2 entail? Who does it apply to? And how do you avoid sanctions? In this blog, we answer 8 frequently asked questions about this European directive.

1: WHAT IS NIS2?
NIS2 stands for Network and Information Security Directive 2 (Directive (EU) 2022/2555). It is the successor to the original NIS directive from 2016. As a European directive, it obliges organizations in scope to improve their cybersecurity and digital resilience. This includes, for example, reporting significant incidents, performing risk analyses, and securing their network and information systems.

2: WHY IS NIS2 NECESSARY?
NIS2 was established to reduce the risk and impact of cyberattacks, which are becoming increasingly sophisticated, large-scale, and damaging. A successful attack does not just impact one organization; through dependencies and supply chains it can have major consequences for society as a whole.

SECURITY OF VITAL SECTORS IMPROVED THROUGH COLLABORATION
With this uniform legislation, the EU wants to raise the security level of vital sectors. When incidents occur, member states can cooperate more quickly. Organizations are also pushed to improve their digital foundation. Furthermore, NIS2 forces organizations to consider where vulnerabilities lie, both within the company and in its supply chain.

3: WHICH SECTORS DOES NIS2 APPLY TO?
The directive applies to organizations in sectors the EU regards as critical. Whether an organization counts as an "essential" or an "important" entity depends on its sector and its size. The examples below follow the two annexes of the directive:
Sectors of high criticality (Annex I):

  • Energy
  • Drinking water supply
  • Digital infrastructure
  • Healthcare
  • Transport
  • Public administration

Other critical sectors (Annex II):

  • Chemical industry
  • Production, processing and distribution of food
  • Postal and courier services
  • Waste management
  • Digital providers (e.g., online marketplaces, search engines, social networks)
  • Manufacturing (e.g., machinery, electrical equipment, medical devices)

Does this apply to every company in these sectors, even freelancers? No. As a rule, only medium-sized and large organizations fall under NIS2: at least 50 employees, or an annual turnover and balance sheet total above €10 million. A few types of entity are in scope regardless of size, for example DNS service providers, TLD name registries and qualified trust service providers, and a member state can also designate a smaller entity that is the sole provider of a critical service.

4: HOW DO YOU BECOME NIS2-COMPLIANT?
To be NIS2-compliant, your organization must meet a number of obligations. The most important are:

  • Implement risk management (e.g., based on ISO 27001)
  • Implement security measures such as patching and updates, access control, multi-factor authentication, and encryption
  • Report significant incidents to the national authority: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month
  • Apply business continuity management (backups, disaster recovery, crisis management)
  • Secure suppliers and the supply chain, including the vendors of your IoT hardware and software
  • Establish management responsibility: the board approves and oversees the measures and must follow cybersecurity training; many organizations appoint a CISO (Chief Information Security Officer) for day-to-day ownership

5: WHAT HAPPENS IF YOU DO NOT COMPLY WITH NIS2 OBLIGATIONS?
Failure to comply with NIS2 obligations can lead to severe sanctions. National supervisory authorities, such as the Rijksinspectie Digitale Infrastructuur (RDI, formerly Agentschap Telecom) in the Netherlands or the Centre for Cybersecurity Belgium (CCB), can impose fines of up to €10 million or 2% of worldwide annual turnover on essential entities (up to €7 million or 1.4% on important entities), whichever is higher. They can also order audits, issue binding instructions and impose mandatory improvement measures. Management bodies can be held personally liable for non-compliance, and for essential entities an authority can temporarily ban individual managers from exercising managerial functions.

REPUTATIONAL DAMAGE AND OPERATIONAL RISKS
In addition to financial sanctions, non-compliance often leads to reputational damage: customers and partners expect their data to be secure. Consider also the operational impact of an incident itself, such as production loss, data breaches, or halted processes.

6: WHAT ARE THE DIFFERENCES WITH NIS1, ISO STANDARDS, AND CRA?
NIS2 differs from the original NIS directive (NIS1) in several respects: more organizations fall under NIS2, and management responsibility has been increased. ISO standards such as ISO 27001 are voluntary; an organization chooses to certify. NIS2 and the Cyber Resilience Act (CRA) are both legally binding, but they aim at different targets: NIS2 at the security of organizations and their processes, the CRA at the security of products with digital elements (including IoT devices) and their manufacturers. The CRA's reporting obligations apply from September 2026 and its main obligations from December 2027. The table below shows the main differences.

| Feature | NIS1 | NIS2 | ISO standards (e.g., ISO 27001) | Cyber Resilience Act (CRA) |
|---|---|---|---|---|
| Legal status | European directive (2016) | European directive (adopted 2022, in force January 2023; national transposition due October 2024) | Voluntary standard | Binding European regulation (in force December 2024, applies from December 2027) |
| Scope | Operators of essential services and digital service providers (limited sectors) | Essential and important entities in many more sectors | Any organization wishing to certify | Manufacturers (and importers and distributors) of products with digital elements |
| Management responsibility | Barely mentioned | Mandatory at board level | Focuses on the process level | Focuses on the product level |
| Mandatory measures | General security measures | Extensive obligations regarding risk management, monitoring, incident reporting and recovery | Recommendations and requirements for an information security management system | Obligations for secure product development, vulnerability handling and security updates |
| Sanctions | Limited | High: audits, supervision, fines up to €10 million or 2% of worldwide turnover | No legal sanctions (only contractual consequences) | High: CE marking mandatory, enforcement via market surveillance, fines up to €15 million or 2.5% of worldwide turnover |
| Focus | Services and networks | Digital resilience of organizations in a broad sense | Information security | Product security and cybersecurity across the supply chain |
| Mandatory? | Yes | Yes | No | Yes |

7: WHEN IS NIS2 MANDATORY IN EUROPE?
NIS2 entered into force in the EU on 16 January 2023. Every member state had to transpose it into national legislation by 17 October 2024.
In Belgium, for example, the NIS2 law has applied since 18 October 2024. The Centre for Cybersecurity Belgium (CCB) is the supervisory authority responsible for NIS2 enforcement in Belgium.
Not every member state met the October 2024 deadline, so check the status of the national transposition in each country where you operate to see whether, and from when, NIS2 obligations apply to you.

8: HOW DO YOU PROPERLY PREPARE YOUR ORGANIZATION FOR NIS2?
Good preparation for NIS2 begins with insight. Map out whether your organization falls under the directive and analyze where the greatest risks lie, including the IoT devices in your network and the suppliers behind them. Then get your processes, IT security, and internal responsibilities in order, and make them demonstrable.
The NIS2 Quality Mark helps organizations demonstrate that they are taking the right steps towards compliance. There are 3 levels of certification:

  • QM10 (basic)
  • QM20 (substantial)
  • QM30 (high)

START PREPARING NOW
NIS2 is more than a legal obligation. It is also an opportunity to make your organization digitally stronger, more reliable, and future-proof, and that is no unnecessary luxury in a digital society with vulnerable OT and IoT environments. Now is the time to start preparing.

Do you have questions about NIS2 in relation to VADnet products and services? Or do you want more information about our process for becoming NIS2-compliant? Contact the VADnet member in your country; they will be able to help you further.


Source: this is a translated blog from MCS Benelux, VADnet member since 2010
