The NIS2 directive

What is the NIS2 directive?

The NIS2 directive is a successor to the Network and Information Security directive (NIS). Created by the European Union, it aims to improve the cybersecurity and resilience of essential services in EU member states.

Compared to the NIS directive, the NIS2 directive extends to more sectors and sets stricter standards for security and incident reporting. The goal is to improve the digital and economic resilience of European member states, governments, businesses, and organizations.

In recent years, various developments such as COVID-19, the Ukraine war, cyber threats, and climate change have put increasing pressure on the security of our society and economy. The NIS2 directive specifically focuses on risks that threaten network and information systems, such as cybersecurity risks.

Who is the NIS2 directive for?

The directive includes an explanation of which specific government agencies are now also covered by the obligations.

The NIS2 directive applies to central government, including independent administrative entities. They are considered essential. It is up to individual member states to decide whether to include local governments, such as municipalities, water boards, and provinces. Including them is the goal, though, as are legislating existing policies through the Government Information Security Baseline (BIO) and establishing government-wide oversight.

There is an exception in the NIS2 directive for government agencies that are primarily engaged in national security, public safety, defense, or law enforcement. For example, security regions or police are not covered by the NIS2 directive. However, government agencies with activities indirectly related to national security are covered.

Features of the NIS2 directive

Duty of care

The directive requires organizations to conduct their own risk assessment and take appropriate measures to safeguard their services and protect information.

Duty to report

Incidents that could significantly disrupt essential services must be reported to the regulator and the Computer Security Incident Response Team (CSIRT) within 24 hours. Factors such as the number of people affected, the duration of the disruption, and potential financial losses determine whether an incident has to be reported.


Organizations covered by the directive will also be supervised by an independent regulator. It is currently still being determined which regulator will be responsible for the public sector and exactly what the supervision will entail.

The aim is to harmonize existing accountability structures, incorporating findings from previous oversight studies.

How do you prepare for the NIS2 directive?

Adherence to existing information security guidelines, such as the Government Information Security Baseline (BIO), is essential to meet the duty of care arising from NIS2. It is therefore important that government agencies adhere to these obligations as a starting point.

For government agencies, the fulfillment of the NIS2 duty of care takes place as much as possible within the existing frameworks. Organizations that previously did not comply with information security standards are required to do so under the NIS2 directive.

The BIO will most likely be expanded to include some additional obligations.
