NIS 2 directive

NIS 2 (Network and Information Security) or NIS2 is the European Union's main regulation aimed at strengthening cybersecurity in its member states.

Published on December 27, 2022, it replaces the previous NIS directive of 2016 and must be transposed into national law by October 17, 2024.

Which companies are affected by NIS2?

The NIS 2 directive imposes security requirements on a wide range of players. There is a simple way to check whether your entity is subject to the NIS 2 directive: since March 26, 2024, the government has provided a simulator to help you determine whether your organization is affected.

Essential entities (EE) and important entities (EI)

These replace the former Essential Service Operators (ESOs) and Digital Service Providers (DSPs), and the scope extends to their subcontractors and suppliers.

Companies with more than 50 employees

This applies to companies with sales in excess of one million euros, whether they are SMEs, large corporations or, in some cases, local authorities.

Everyone is affected

Suppliers can be used as relays to compromise a real target, as in the SolarWinds supply chain attack.

A hacking operation called SUNBURST introduced a backdoor into the SolarWinds product, which was then used to break into several US government agencies.

NIS 2 requires critical and important entities to take the cybersecurity of their suppliers into account (recital 85):

“Critical and important entities should therefore assess and take into account the overall quality and resilience of products and services, the cybersecurity risk management measures embedded in these products and services, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures.”

What penalties are possible under NIS 2?

Companies that fail to implement the required security measures or achieve compliance can face substantial fines:

  • Major digital service providers: > €7 million or 1.4% of global annual sales

  • Critical service operators: > €10 million or 2% of global annual sales

What requirements does NIS2 impose?

NIS2 introduces new requirements for incident management, risk management, security testing and supply chain security.

Each entity will subsequently be required to provide some of this information to ANSSI as proof of compliance with the directive.

Continuous security testing

NIS 2 requires critical and important entities to carry out proactive and regular security audits, as well as security scans, in order to identify both known and unknown vulnerabilities.

For assets exposed on the Internet, this covers all the OWASP risks, such as:

  • Broken access control

  • Insecure design

  • Security misconfiguration

  • Vulnerable and outdated components

  • Injection...

Identification of critical systems

Critical and important entities must identify their critical systems, and the systems connected to them, in real time. These systems may include:

  • Customer databases

  • Online payment servers

  • Mobile banking applications

Patrowl enables continuous (re)discovery of all your Internet-exposed (outward-facing) assets.

Solution and tool: NIS2

Patrowl is fully compliant with the NIS 2 requirements for continuous penetration testing of assets thanks to its offensive security solution.