NIS2 Directive | SANS Institute

NIS2 Directive Awareness and Readiness Report: a SANS Survey

SANS recently conducted a survey on global organisations' awareness and preparedness for implementing measures as a result of the new EU regulation NIS2. Our newly released white paper not only highlights findings on organizational readiness and awareness, but also offers insights into modern threat capabilities and provides actionable recommendations for effective compliance strategies and training requirements. We also hosted a webinar on October 28th during which co-author Bojan Zdrnja took viewers through the report findings and SANS recommendations.

Download Report Watch the Webinar

Difference between NIS & NIS2

The NIS Directive, adopted in 2016, was the first EU-wide legislation on cybersecurity. Its main goal was to establish a common level of security for network and information systems across the European Union. The NIS2 Directive is an updated and more comprehensive version of the NIS Directive, aiming to address the shortcomings of the original legislation and to adapt to the evolving digital landscape. We’ve listed the most important differences between these two directives in a useful infographic.

Click to view full infographic

Am I considered essential or important under NIS2?

The original NIS directive covered mainly organisations that were part of a nations’ infrastructure. The new NIS2 directive increases the scope of organisations that must comply with these new rules. NIS2 defines two categories: essential and important. Essential entities are subject to a more intensive supervision regime in which both ex-ante and ex-post compliance are monitored. Important entities are subject to a lighter form of supervision, only ex-post.

Industries & Entities considered essential	Industries & Entities considered important
Energy	Digital providers
Transport	Postal and courier services
Banking	Waste management
Financial market infrastructure	Food
Healthcare	Chemicals
Drinking water	Research
Digital infrastructure	Manufacturing
Managers of ICT services
Wastewater
Government services
Aerospace

Essential entities:

are large organisations operating in a sector listed in the left column above

Important entities:

are medium-sized organisations operating in a sector listed in the left column above and medium and large organisations operating in an industry listed in the right colum above.

An organisation is large based on the following criteria:

a minimum of 250 employees or;
an annual turnover of €50 million or more and a balance sheet total of €43 million or more.

An organisation is medium-sized based on the following criteria:

50 or more employees or;
an annual turnover and balance sheet total of €10 million or more.

Mapping your path using the ECSF and NIS2

The European Cybersecurity Skills Framework (ECSF) is a practical tool to support the identification and articulation of tasks, competencies, skills and knowledge associated with the roles of European cybersecurity professionals. To enable you to see which skills are required for these roles and what courses and exercises might help you obtain these skills, we have created an easy-to-use mapping tool for you to discover your potential next training opportunity.

View the mapping tool Learn more about the ECSF

Webcast

April 23, 2024

What You Need to Know about the NIS2 Directive: Part of the SANS Compliance Countdown Series

Join ENISA, the European Union’s Agency for Cybersecurity, to learn how to prepare for NIS2 incident reporting and security measure requirements, what it means for organizations doing business in the EU, and the skills needed for compliance across critical sectors. Part A - General introduction to the NIS2 • Main pillars of the NIS2 Directive • Requirements for companies in critical sectors • NIS2 Incident reporting and security measures Part B - Cybersecurity skills for the NIS2 • ENISA cybersecurity skills framework • Mapping skills to the NIS2 Marnix Dekker, Head of Sector NIS answers your questions to make sure you are as best prepared as possible to comply with the new requirements by October 17th, 2024.

Learn more

NIS2 Empowering Cybersecurity Excellence

Blog

March 27, 2024

Empowering Cybersecurity Excellence: Certifications as the Keystone of NIS2 Compliance

The NIS2 Directive requires senior leadership to have advanced cybersecurity knowledge and the entire workforce to possess the skills needed to enhance cybersecurity across four key areas. It highlights increased accountability for leadership and the necessity for continuous development and validation of cybersecurity skills. This blog emphasizes the crucial role of certifications in demonstrating compliance and organizational resilience, focusing on the importance of ongoing skills development and the significance of information sharing and collaboration across EU member states.

How can SANS help prepare for NIS2?

SANS offers a variety of solutions that will help you prepare and comply with this new directive. Ranging from skill and risk assessments to cross-company security awareness training or individual role-based training and certification, we have a solution for your challenges.

Training & Certification

SANS Training and GIAC Certifications helps organisations develop and validate the required capabilities needed to comply to NIS2

Discover more

Skill & Risk assessment

Gauge your organisation’s understanding of how to prevent cyber security attacks and provide better evidence of the effectiveness of your security awareness program

Discover more

Security Awareness

Culturally relevant, effective, and easy to implement, SANS’ EndUser Training solutions help build a truly mature security awareness program and security posture

Discover more

Role-Based Training

Each role requires a very specific skill-set. SANS offers industry-leading training for each role within your cybersecurity team.

Discover more

Executive Cyber Exercises

Presented in an immersive, interactive environment, stakeholders must enact each step in their crisis management plan in response to a simulated cyberattack. Program participants practice and prepare for a real-life cyber event.

Discover more

In-Depth Critical infrastructure Exercises

In collaboration with our expert Faculty members, SANS is able to set-up in-depth exercises tailored to your industry and/or situation to help you prepare for NIS2. Whether you operate within critical infrastructure, government, or other sectors.

Discover more

Elevating Cybersecurity: The SANS-ISS Partnership and the Future of Cyber Resilience

In this case study, explore how ISS, a global facility services provider, collaborates with SANS to enhance its cybersecurity capabilities across 28 countries. The video delves into the challenges of unifying diverse IT and security departments and highlights the critical role of ongoing training to adapt to rapid technological and criminal developments. Through firsthand accounts, learn about the implementation of the SANS maturity model, the strategic benefits of SANS training programs, and how ISS is leveraging this partnership to boost corporate resilience and attract top talent in cybersecurity. Discover the pivotal role of human factors in cybersecurity and how ISS is strengthening its defenses not just technologically, but also through skilled and certified personnel.

Secure Compliance Globally

NIS2 is just one of many recent regulations that will have global repercussions. The recent US SEC ruling on Incident Reporting and Management oversight and the DOD 8140.3 ruling, all have implications for organisations and government instances on a global level.

SANS has a variety of other resources related to these recent regulatory changes which you can find here.

Speak to a SANS advisor

We would like to ask you to fill out your details below and one of our SANS advisors will reach out to you directly. Feel free to provide further detail on your questions in the “Message” box as this will help the advisor better tend to your questions.

First Name

Last Name

Phone

Organization

Industry

Accounting

Agriculture

Automotive

Banking/Finance

Business Services/Consulting

Chemicals

Computer Services/Consulting

Computer Software

Consumer Electronics

Consumer Package Goods

Education

Energy - Nuclear

Energy - Oil & Gas

Engineering & Construction

Food & Beverage

Govt - Canada - Civilian - Federal

Govt - Canada - Civilian - Reg or Local

Govt - Canada - Law Enforcement

Govt - Canada - Military

Govt - Contractor

Govt - EMEA Region - Civilian

Govt - EMEA Region - Law Enforcement

Govt - EMEA Region - Military

Govt - Other Regions - Civilian

Govt - Other Regions - Law Enforcement

Govt - Other Regions - Military

Govt - US - Civilian - Federal

Govt - US - Civilian - State or Local

Govt - US - Law Enforcement

Govt - US - Military

Health Care

Hospitality

Insurance - Health

Insurance - Other

Legal

Logistics & Supply Chain

Manufacturing - Aerospace

Manufacturing - Defense

Manufacturing - Industrial

Manufacturing - Other

Media & Entertainment

Metals & Mining

Nonprofit

Other

Pharmaceutical/Biotechnology

Real Estate

Retail Trade

Software

Technology

Telecommunications

Transportation

Travel & Tourism

Utilities - Other

Utilities - Power

Utilities - Water

Wholesale Trade

Country

United States

Canada

United Kingdom

Spain

Belgium

Denmark

Norway

Netherlands

Australia

India

Japan

Singapore

Afghanistan

Aland Islands

Albania

Algeria

American Samoa

Andorra

Angola

Anguilla

Antarctica

Antigua and Barbuda

Argentina

Armenia

Aruba

Austria

Azerbaijan

Bahamas

Bahrain

Bangladesh

Barbados

Belarus

Belize

Benin

Bermuda

Bhutan

Bolivia

Bonaire, Sint Eustatius, and Saba

Bosnia And Herzegovina

Botswana

Bouvet Island

Brazil

British Indian Ocean Territory

Brunei Darussalam

Bulgaria

Burkina Faso

Burundi

Cambodia

Cameroon

Cape Verde

Cayman Islands

Central African Republic

Chad

Chile

China

Christmas Island

Cocos (Keeling) Islands

Colombia

Comoros

Congo

Cook Islands

Costa Rica

Cote D'ivoire

Croatia (Local Name: Hrvatska)

Curacao

Cyprus

Czech Republic

Democratic Republic of the Congo

Djibouti

Dominica

Dominican Republic

East Timor

Ecuador

Egypt

El Salvador

Equatorial Guinea

Eritrea

Estonia

Eswatini

Ethiopia

Falkland Islands (Malvinas)

Faroe Islands

Fiji

Finland

France

French Guiana

French Polynesia

French Southern Territories

Gabon

Gambia

Georgia

Germany

Ghana

Gibraltar

Greece

Greenland

Grenada

Guadeloupe

Guam

Guatemala

Guernsey

Guinea

Guinea-Bissau

Guyana

Haiti

Heard And McDonald Islands

Honduras

Hong Kong

Hungary

Iceland

Indonesia

Iraq

Ireland

Isle of Man

Israel

Italy

Jamaica

Jersey

Jordan

Kazakhstan

Kenya

Kiribati

Korea, Republic Of

Kosovo

Kuwait

Kyrgyzstan

Lao People's Democratic Republic

Latvia

Lebanon

Lesotho

Liberia

Liechtenstein

Lithuania

Luxembourg

Macau

Madagascar

Malawi

Malaysia

Maldives

Mali

Malta

Marshall Islands

Martinique

Mauritania

Mauritius

Mayotte

Mexico

Micronesia, Federated States Of

Moldova, Republic Of

Monaco

Mongolia

Montenegro

Montserrat

Morocco

Mozambique

Myanmar

Namibia

Nauru

Nepal

Netherlands Antilles

New Caledonia

New Zealand

Nicaragua

Niger

Nigeria

Niue

Norfolk Island

North Macedonia

Northern Mariana Islands

Oman

Pakistan

Palau

Palestine

Panama

Papua New Guinea

Paraguay

Peru

Philippines

Pitcairn

Poland

Portugal

Puerto Rico

Qatar

Reunion

Romania

Russian Federation

Rwanda

Saint Bartholemy

Saint Kitts And Nevis

Saint Lucia

Saint Martin

Saint Vincent And The Grenadines

Samoa

San Marino

Sao Tome And Principe

Saudi Arabia

Senegal

Serbia

Seychelles

Sierra Leone

Sint Maarten

Slovakia

Slovenia

Solomon Islands

South Africa

South Georgia and the South Sandwich Islands

South Sudan

Sri Lanka

St. Helena

St. Pierre And Miquelon

Suriname

Svalbard And Jan Mayen Islands

Sweden

Switzerland

Taiwan

Tajikistan

Tanzania, United Republic Of

Thailand

Togo

Tokelau

Tonga

Trinidad And Tobago

Tunisia

Turkey

Turkmenistan

Turks And Caicos Islands

Tuvalu

Uganda

Ukraine

United Arab Emirates

United States Minor Outlying Islands

Uruguay

Uzbekistan

Vanuatu

Vatican City State

Venezuela

Vietnam

Virgin Islands (British)

Virgin Islands (U.S.)

Wallis And Futuna Islands

Western Sahara

Yemen

Zambia

Zimbabwe

Job Title

Message

By providing this information, you agree to the processing of your personal data by SANS as described in our Privacy Policy.

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Free Course Demos

SANS CISO Primer: 4 Cyber Trends

2024 Security Awareness Report

Security Policy Templates

Join the Community

Our Mission

All you need to know about the new NIS2 Directive

NIS2 Directive Awareness and Readiness Report: a SANS Survey

Difference between NIS & NIS2

Am I considered essential or important under NIS2?

Mapping your path using the ECSF and NIS2

Latest NIS2 News & Updates

“These new regulations reinforce a crucial tenet that we at the SANS Institute have long embraced: effective cybersecurity starts with skilled people first.” - John Pescatore, SANS

How can SANS help prepare for NIS2?

Elevating Cybersecurity: The SANS-ISS Partnership and the Future of Cyber Resilience

Secure Compliance Globally

Speak to a SANS advisor