November 2, 2023

NIS2: What It Is, Why It's Important and How to Prepare

Part 1 of our NIS2 Series
Kevin Oliveira

Regulatory compliance continues to grow globally, with one of the latest (and largest) being the NIS2 Directive addressing cybersecurity across the EU.  This is the first in a series of blogs from Forcepoint looking at this important directive and how organizations can be prepared to be compliant.

NIS1 was the first EU-wide cybersecurity legislation, going live in 2016. It was designed to boost overall levels of cybersecurity in the EU but it had a number of shortcomings that made it challenging to enforce and confusing for the targeted organizations to comply. The outcome was member states had little incentive to penalize organizations that violated NIS1. 

On 16th January 2023, NIS2 was introduced to address these shortcomings. NIS2 has a broader scope, expanding to cover a wider range of entities and introducing more stringent security requirements. NIS2 details have already been released and “came into force in 2023,” but the key deadline is October 2024 where national legislatures in the EU will need to have enforceable laws in place.

Key changes from NIS1 to NIS2 include: 

  • Expanded scope: NIS2 applies to a wider range of entities than NIS1, including essential and important entities. Essential entities are those that provide critical services to society, such as energy, transport, and healthcare. Important entities are those that play a significant role in the economy or society, such as financial institutions and telecommunications companies. It’s estimated that this will address about 160,000 organizations.
  • More stringent security requirements: NIS2 introduces more specific security requirements than NIS1. These requirements cover areas such as risk management, incident detection and response, and information security awareness and training.
  • Incident reporting: NIS2 requires organizations to report cybersecurity incidents to the authorities. This will help the authorities to track the threat landscape and to coordinate responses to major incidents.
  • Enforcement through penalties: As is the custom with EU initiatives, this one shows its teeth through administrative fines of up to €10 million or 2% of the entity’s total turnover worldwide, whichever is higher, for “Essential Entities” (and there is a slightly lower fine too—€7 million or 1.4% global turnover for “Important Entitles”). These would be additional to any fines that may be applied due to a single incident also falling foul of GDPR rules.


NIS2 will apply to any organization with more than 50 employees whose annual turnover exceeds €10 million, and any organization previously included in the original NIS Directive.

Forcepoint is been a leader in empowering organizations to secure their data and key to this is enabling companies to remain compliant with regulations globally. We have a range of data security solutions that specifically address the stringent security requirements of NIS2, specifically addressing risk management and incident detection and response.

This post is the beginning of a blog series we will be publishing weekly to address specifically how Forcepoint equips organizations to comply with the key areas outlined in NIS2.  Watch for the next post that will tackle the topic of risk management.

Kevin Oliveira

Kevin serves as Senior Product Marketing Manager for Forcepoint’s Data Security products and solutions.  He has over 20 years experience helping enterprises with their data and security initiatives with leadership positions at Dell EMC and IBM. 

Read more articles by Kevin Oliveira

Über Forcepoint

Forcepoint ist einer der weltweit führenden Anbieter von Cyber-Sicherheit im Bereich Anwender- und Datensicherheit und hat es sich zur Aufgabe gemacht, Organisationen zu schützen und gleichzeitig die digitale Transformation und das Wachstum voranzutreiben. Unsere Lösungen passen sich in Echtzeit an das Nutzerverhalten an und ermöglichen Mitarbeitern einen sicheren Datenzugriff bei voller Produktivität.