The NIS Directive: what is it all about?
The NIS (Network and Information Security) Directive is a cornerstone of European cybersecurity legislation.
Adopted in July 2016 and transposed into the various Member States in 2018, NIS aims to strengthen the overall level of security of networks and information systems throughout the European Union.
Before its adoption, EU Member States had very uneven levels of cybersecurity. This resulted in gaps and vulnerabilities that could affect the entire European single market. The NIS Directive was therefore designed to address these challenges by establishing a common framework—the ultimate goal being to ensure a high level of security for networks and information systems across the EU.
What are the objectives of the NIS Directive?
- Improving national cybersecurity: with NIS, the EU requires Member States to adopt national cybersecurity strategies—but also to designate competent authorities to oversee the implementation of the directive.
- Strengthening cooperation between Member States: NIS aims to facilitate information sharing and thus encourage collaboration.
- Increasing the resilience of Operators of Essential Services (OES) and digital service providers (DSPs) by imposing security and incident reporting obligations on companies operating in critical sectors such as energy, transportation, healthcare, and digital infrastructure.
Who does the NIS Directive apply to?
NIS applies, on the one hand, to Operators of Essential Services (OES). These are entities that provide services that are critical to society and the economy, such as:
- energy networks;
- transportation systems;
- banking infrastructure;
- healthcare facilities.
NIS also concerns Digital Service Providers (DSPs). This category includes:
- online markets;
- search engines;
- cloud services.
What are the requirements of the NIS Directive?
Member States' obligations
- Develop a national strategy detailing cybersecurity objectives and applicable measures.
- Designate competent authorities to supervise the implementation of the directive, as well as one or more single points of contact to facilitate communication and coordination.
- Establish CSIRTs (Computer Security Incident Response Teams), i.e., teams dedicated to managing and responding to cybersecurity incidents.
The obligations of OES and DSPs
- Implement appropriate technical and organizational security measures to manage cyber risks.
- Notify the relevant authorities of incidents that have a significant impact on the continuity of the services they provide.
What is the incident reporting process?
- Detection of the security incident.
- Assessing the impact of the incident on service continuity (to determine whether it meets the notification threshold).
- Initial notification to the competent authorities, accompanied by preliminary information about the incident.
- Follow-up notification (in case additional information is required as the incident is analyzed and managed).
What are the consequences of non-compliance?
Companies that do not comply with the requirements of the NIS Directive are liable to various penalties, which vary between Member States. These penalties may include:
- financial penalties;
- compliance orders;
- suspension of activities (for the most serious cases).
The sanctions are particularly severe, primarily to encourage companies to take the necessary security measures to protect their networks and information systems.
NIS 2: the successor
In December 2020, the European Commission proposed a revision of the NIS Directive, known as NIS 2. The aim of this new version, which will apply in France from October 2024, is to strengthen and broaden the scope of the original directive by introducing stricter security requirements and covering a greater number of critical sectors.
- Expansion of scope: more companies and sectors are covered, including public administrations and additional digital service providers.
- Enhanced security requirements: Companies must adopt more rigorous risk management measures and adhere to higher security standards.
- Stricter penalties: Stricter penalty mechanisms are being put in place to ensure better compliance.
Like its little sister NIS 2, the NIS Directive provides an essential framework for improving cybersecurity within the European Union. By imposing clear obligations on Member States, OES, and DSPs, it creates a more secure environment for networks and information systems.
With the move towards NIS 2, the EU has demonstrated its ongoing commitment to strengthening the resilience of European information systems in the face of increasingly sophisticated threats.
That's good news: the NIS framework is already integrated into Tenacy (and NIS 2 will be as soon as it is transposed)!
How does Tenacy help you anticipate NIS2 and accelerate your compliance?
Faced with the requirements of the NIS2 directive, organizations must structure their cybersecurity governance, have a clear vision of their maturity level, and be able to demonstrate compliance at any time. This is precisely where Tenacy comes in.
By centralizing all cybersecurity activities (risk analysis, policy management, action plans, audits, incidents, etc.) in a single platform, Tenacy enables you to effectively manage your compliance process.
Thanks to its centralization, automation, and reporting features, you gain agility and responsiveness to meet NIS2 requirements while reducing operational overhead. Tenacy is THE platform used by CISOs at large corporations to automate their compliance.
See the infographic dedicated to NIS2
Anticipate and manage your NIS2 compliance with Tenacy
The NIS2 directive broadens the scope of entities concerned, strengthens cybersecurity requirements, and increases regulatory pressure, particularly with obligations for 24-hour reporting, clear governance, and proactive risk management. For organizations subject to these requirements, this necessitates a rigorous and ongoing approach to compliance. Tenacy addresses these challenges by offering you an all-in-one platform to centralize, structure, and manage all actions related to your information security.
With its dedicated modules, Tenacy helps you to:
- Map your assets, risks, and critical suppliers to meet the risk management requirements of the directive;
- Formalize your policies, processes, and responsibilities, including the roles of management and the CISO, as expected by NIS2;
- Follow action plans and audits related to your cyber posture, with clear performance indicators to demonstrate continuous improvement;
- Document and automate reporting obligations, including the traceability of incidents and measures taken, which is essential in view of the reporting deadlines imposed;
- Get a comprehensive, real-time view of NIS2 compliance levels through consolidated dashboards.
By unifying all these dimensions in a collaborative and accessible interface, Tenacy enables you to accelerate your NIS2 compliance, reduce your operational burden, and strengthen your ability to prove compliance at any time. It is a true operational foundation for cyber governance, designed to meet the most demanding regulatory standards—without unnecessary complexity.

