Since its publication in the Official Journal of the EU, the NIS 2 Directive (Directive (EU) 2022/2555 on Network and Information Security) has become the compass for European cybersecurity, imposing a harmonized framework of security measures to protect critical infrastructure across the single market. Want to understand the fundamentals of this regulation? Here are the definition, objectives, and key terms you need to know for NIS 2 compliance.
What is the NIS 2 Directive? Definition
The NIS 2 Directive is a European legislative text aimed at achieving a high common level of cybersecurity across the Union. It replaces the first NIS Directive (2016/1148) and removes the legal gray areas of that version by imposing explicit risk management measures and incident reporting obligations on a much broader population, estimated at more than 160,000 entities in Europe.
The four main objectives of NIS 2
- Resilience: imposing high security standards on vital sectors.
- Cooperation: creating an information exchange network between Member States (via the CSIRT network).
- Transparency: requiring significant incidents to be reported to the national CSIRT or competent authority in stages: an early warning within 24 hours of becoming aware of the incident, a full notification within 72 hours, and a final report within one month.
- Harmonization: preventing a weak link (a Member State or a company) from undermining the entire European chain.
NIS 2 Glossary: Essential Terms to Know
- EE (Essential Entity): Large organizations in the sectors of high criticality listed in Annex I of the directive (energy, transport, banking, healthcare, digital infrastructure, etc.). They are subject to strict ex-ante (before any incident) and ex-post supervision.
- EI (Important Entity): Medium-sized organizations in Annex I sectors, and organizations in the "other critical sectors" of Annex II (waste management, food production, postal and courier services, manufacturing, etc.). They are mainly supervised "ex-post" (in the event of an incident or evidence of non-compliance).
- CSIRT: Computer Security Incident Response Team. Each Member State designates one or more CSIRTs responsible for responding to security incidents at the national level and for receiving incident notifications.
- SoA (Statement of Applicability): Document listing the security measures adopted and justifying any exclusions (often used in conjunction with ISO 27001).
- Supply Chain Security: Obligation for an entity to manage the security risks arising from its relationships with its direct suppliers and service providers, including the quality of their security practices.
Who is affected? Thresholds and sectors
NIS 2 applies automatically, without any designation by the authorities, based on size and sector: organizations that are medium-sized or larger under the EU SME definition (at least 50 employees, or annual turnover or balance sheet above EUR 10 million) and operate in one of the sectors listed in Annexes I and II of the directive are in scope.

Note: certain sectors (digital infrastructure providers such as DNS and trust services, central public administration) are covered regardless of size and may be classified as EE.
What NIS 2 changes for your governance
Beyond the technical aspects, NIS 2 is a management challenge.
- Management liability: executives can no longer completely delegate cyber risk. Management bodies must approve the risk management measures, oversee their implementation, and follow cybersecurity training; they can be held personally liable for breaches, and supervisory authorities may temporarily bar them from exercising management functions.
- Vulnerability management: the obligation to keep systems up to date, handle and disclose vulnerabilities, and test resilience (regular audits and security assessments).
- Business continuity: mandatory implementation of backup management, disaster recovery plans (DRPs) and crisis management plans.
FAQ – Frequently asked questions about NIS 2
Where can I find a cybersecurity audit that complies with NIS 2?
In France, the audit must be carried out by organizations qualified by ANSSI, the national competent authority. NIS 2 software such as Tenacy allows you to carry out internal pre-audits to identify any compliance gaps before the official auditor visits.
What IT tools are recommended to comply with NIS 2?
A modern technology stack (MFA, EDR, SIEM) is necessary, but insufficient without a GRC tool to orchestrate compliance, track action plans, and automate reporting to authorities.
Which services offer a solution for compliance with the NIS 2 Directive?
Tenacy is a leading platform for managing NIS 2. The framework is already integrated, allowing you to transform the regulation into operational tasks that can be assigned to your teams.
Conclusion: begin your compliance process today
The transposition deadline (17 October 2024) is approaching. Upgrading your security can take months, so it is best to plan ahead. The NIS 2 framework is already available in Tenacy: pending the transposition of the directive into French law, the Belgian transposition has been integrated into the tool. You can therefore start your NIS 2 compliance process right now, with automated action plans tailored to your organizational context.