NIS 2 compliance before the regulators come knocking
The EU's toughest cybersecurity directive is live. If your organization operates in a critical or important sector, you need to demonstrate compliance or face significant fines. Genroks gets you there.
What it is
NIS 2 Directive explained
NIS 2 is the EU's updated framework for network and information security. It replaces the original NIS Directive from 2016 with significantly broader scope, stricter requirements, and heavier penalties.
The directive requires organizations in essential and important sectors to implement robust cybersecurity risk management measures, report incidents within strict timelines, and ensure supply chain security. Management bodies are directly accountable and can face personal liability.
Key requirements
Risk management
Implement appropriate technical and organizational measures to manage cybersecurity risks.
Incident reporting
Report significant incidents to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month.
Supply chain security
Assess and manage cybersecurity risks in your supply chain and third-party relationships.
Business continuity
Maintain backup, disaster recovery, and crisis management capabilities.
Governance & accountability
Management must approve cybersecurity measures and can be held personally liable for failures.
Scope
Who falls under NIS 2?
NIS 2 covers 18 sectors, listed in two annexes to the directive. Whether an organization is an essential or an important entity depends on both its sector and its size: large entities in the high-criticality sectors (Annex I) are generally essential, while medium-sized entities in those sectors and entities in the other critical sectors (Annex II) are generally important. Some entities, such as qualified trust service providers, TLD name registries and DNS service providers, are in scope regardless of size.
High-criticality sectors (Annex I), typically essential entities
- Energy
- Transport
- Banking & financial market infrastructures
- Healthcare
- Drinking water & wastewater
- Digital infrastructure
- ICT service management (B2B), including managed service and managed security service providers
- Public administration
- Space
Other critical sectors (Annex II), typically important entities
- Postal & courier services
- Waste management
- Chemicals (manufacture, production & distribution)
- Food (production, processing & distribution)
- Manufacturing (e.g. medical devices, electronics, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organizations
Our service
What Genroks delivers
We handle the full NIS 2 preparation, from scoping and gap assessment to regulatory audit readiness.
Scoping & Classification
We determine whether your organization qualifies as an essential or important entity and which NIS 2 obligations apply.
Gap Assessment
We evaluate your cybersecurity posture against NIS 2 requirements and identify what needs to change.
Policy & Procedure Creation
We draft cybersecurity policies, incident response plans, and business continuity procedures aligned with NIS 2.
Incident Reporting Framework
We set up processes and tools for the 24-hour early warning, 72-hour incident notification and one-month final report requirements.
Supply Chain Risk Management
We review your vendor and supplier relationships and create a third-party risk management framework.
Management Training & Accountability
We prepare your leadership team for their governance obligations and help establish cybersecurity oversight structures.
Process
How we get you NIS 2 ready
Scope & assess
We classify your organization, map applicable NIS 2 obligations, and audit your current cybersecurity posture against requirements.
Build & implement
We create policies, set up incident reporting, build supply chain risk management, and establish governance structures.
Comply & maintain
We prepare you for regulatory audits, train your management team, and set up ongoing monitoring to maintain compliance.
Get started
Find out how we can help
Tell us about your company and compliance needs. We'll reach out with a tailored plan.
FAQ
Common questions about NIS 2
What is NIS 2?
NIS 2 (Network and Information Security Directive 2, Directive (EU) 2022/2555) is an EU-wide cybersecurity directive that replaces the original NIS Directive. It expands the scope of covered sectors, introduces stricter security requirements, and enforces significant penalties for non-compliance. EU member states must transpose it into national law, so the exact obligations and deadlines come from each country's implementing legislation.
Who does NIS 2 apply to?
NIS 2 applies to essential and important entities across 18 sectors, including energy, transport, healthcare, digital infrastructure, ICT service management, public administration, and more. Organizations in these sectors that are medium-sized or larger (roughly 50+ employees or more than €10M annual turnover and balance sheet total) generally fall in scope. Certain entities, such as DNS service providers, TLD name registries, qualified trust service providers and most public administration bodies, are in scope regardless of size.
What are the penalties for non-compliance?
Essential entities face fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher. These are the minimum caps the directive requires member states to provide for, so national law may set them higher. Management bodies can also be held personally liable, and for essential entities authorities can temporarily suspend certifications or bar individuals from exercising management functions.
How is NIS 2 different from ISO 27001?
ISO 27001 is a voluntary, certifiable international standard for information security management systems. NIS 2 is binding EU law, implemented through each member state's national legislation, with legal obligations and penalties. However, an ISO 27001 certification can significantly support NIS 2 compliance, since both frameworks share common controls around risk management, incident response, supply chain security and security governance; NIS 2 additionally imposes fixed incident reporting timelines and management accountability that ISO 27001 alone does not cover.
When did NIS 2 take effect?
The NIS 2 Directive entered into force on 16 January 2023. EU member states had until 17 October 2024 to transpose it into national law. Organizations in scope should already be working toward compliance.
How can Genroks help with NIS 2?
We assess your current posture against NIS 2 requirements, identify gaps, create the required policies and procedures, set up incident reporting processes, and prepare you for regulatory audits. If you already have ISO 27001, we use it as a foundation to accelerate NIS 2 readiness.
Get started
Ready to tackle NIS 2 compliance?
Tell us about your organization and we'll assess your NIS 2 obligations and map the fastest path to compliance.