{"id":2391,"date":"2025-07-14T11:54:16","date_gmt":"2025-07-14T11:54:16","guid":{"rendered":"https:\/\/magicstone.nl\/en\/?page_id=2391"},"modified":"2026-07-08T08:00:35","modified_gmt":"2026-07-08T08:00:35","slug":"what-is-nis2","status":"publish","type":"page","link":"https:\/\/magicstone.nl\/en\/what-is-nis2\/","title":{"rendered":"What is NIS2"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"2391\" class=\"elementor elementor-2391\" data-elementor-post-type=\"page\">\n\t\t\t\t<section class=\"elementor-element elementor-element-bc06fff e-con-full e-flex wpr-particle-no wpr-jarallax-no wpr-parallax-no wpr-sticky-section-no wpr-column-slider-no wpr-equal-height-no e-con e-parent\" data-id=\"bc06fff\" data-element_type=\"container\" data-e-type=\"container\">\n\t\t\t\t<div class=\"elementor-element elementor-element-27c2292 elementor-widget elementor-widget-html\" data-id=\"27c2292\" data-element_type=\"widget\" data-e-type=\"widget\" data-widget_type=\"html.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t<!-- What is NIS2? | Magic Stone Cyber Security -->\r\n\r\n<section class=\"ms-service-page\">\r\n\r\n  <style>\r\n    .ms-service-page { width:100%; font-family:inherit; color:#1f2933; line-height:1.65; }\r\n    .ms-service-page * { box-sizing:border-box; }\r\n    .ms-hero { width:100%; background:linear-gradient(135deg,#0f172a 0%,#1f2937 100%); color:#fff; padding:70px 6%; margin-bottom:45px; }\r\n    .ms-hero h1 { max-width:1120px; font-size:42px; line-height:1.15; margin:0 auto 20px; color:#fff; }\r\n    .ms-hero p { max-width:1120px; font-size:19px; margin:0 auto 28px; color:#e5e7eb; }\r\n    .ms-hero .ms-btn-wrap { max-width:1120px; margin:0 auto; }\r\n    .ms-content { width:100%; max-width:1120px; margin:0 auto; padding:0 20px 55px; }\r\n    .ms-highlight { color:#57A200; font-weight:700; }\r\n    .ms-btn { display:inline-block; background:#57A200; color:#fff!important; padding:14px 26px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; }\r\n    .ms-btn:hover { background:#468500; color:#fff!important; }\r\n    .ms-btn-secondary { display:inline-block; background:transparent; color:#57A200!important; border:2px solid #57A200; padding:12px 24px; border-radius:8px; text-decoration:none; font-weight:700; margin-top:10px; margin-left:10px; }\r\n    .ms-btn-secondary:hover { background:#57A200; color:#fff!important; }\r\n    .ms-section { margin-bottom:48px; }\r\n    .ms-section h2 { font-size:30px; margin-bottom:18px; color:#111827; }\r\n    .ms-grid { display:grid; grid-template-columns:repeat(3,1fr); gap:22px; margin-top:25px; }\r\n    .ms-grid-2 { display:grid; grid-template-columns:repeat(2,1fr); gap:22px; margin-top:25px; }\r\n    .ms-card { background:#fff; border:1px solid #e5e7eb; border-left:4px solid #57A200; border-radius:14px; padding:24px; box-shadow:0 8px 24px rgba(0,0,0,.05); }\r\n    .ms-card.red { border-left-color:#e8192c; }\r\n    .ms-card h3 { margin-top:0; font-size:20px; color:#111827; }\r\n    .ms-card p { font-size:16px; }\r\n    .ms-list { padding-left:22px; }\r\n    .ms-list li { margin-bottom:10px; }\r\n    .ms-strip { background:#f3f8ef; border-left:5px solid #57A200; padding:28px; border-radius:14px; margin:40px 0; }\r\n    .ms-warning-strip { background:#fff7ed; border-left:5px solid #f97316; padding:28px; border-radius:14px; margin:40px 0; }\r\n    .ms-accordion { border:1px solid #e5e7eb; border-radius:14px; overflow:hidden; margin-top:20px; }\r\n    .ms-acc-item { border-bottom:1px solid #e5e7eb; }\r\n    .ms-acc-item:last-child { border-bottom:none; }\r\n    .ms-acc-trigger { width:100%; display:flex; justify-content:space-between; align-items:center; padding:18px 22px; background:none; border:none; cursor:pointer; text-align:left; font-family:inherit; font-size:18px; font-weight:700; color:#111827; gap:16px; }\r\n    .ms-acc-trigger:hover { background:#f9fafb; color:#111827; }\r\n    .ms-acc-icon { font-size:20px; color:#57A200; flex-shrink:0; transition:transform .3s; line-height:1; }\r\n    .ms-acc-item.open .ms-acc-icon { transform:rotate(45deg); }\r\n    .ms-acc-body { max-height:0; overflow:hidden; transition:max-height .35s cubic-bezier(.4,0,.2,1); }\r\n    .ms-acc-body-inner { padding:0 22px 18px; font-size:16px; color:#3d4a5c; line-height:1.7; }\r\n    .ms-faq-item { border-bottom:1px solid #e5e7eb; padding:22px 0; }\r\n    .ms-faq-item h3 { font-size:20px; margin:0 0 10px; }\r\n    .ms-cta { background:#111827; color:#fff; border-radius:18px; padding:45px 35px; text-align:center; margin-top:50px; }\r\n    .ms-cta h2 { color:#fff; font-size:32px; margin-bottom:15px; }\r\n    .ms-cta p { color:#e5e7eb; max-width:780px; margin:0 auto 22px; font-size:18px; }\r\n    .ms-links a { color:#57A200; font-weight:700; text-decoration:none; }\r\n    .ms-links a:hover { text-decoration:underline; }\r\n    #faq { scroll-margin-top:80px; }\r\n    @media(max-width:900px) {\r\n      .ms-grid { grid-template-columns:1fr; }\r\n      .ms-grid-2 { grid-template-columns:1fr; }\r\n      .ms-hero { padding:50px 24px; }\r\n      .ms-hero h1 { font-size:34px; }\r\n      .ms-btn-secondary { margin-left:0; display:block; margin-top:10px; }\r\n    }\r\n  <\/style>\r\n\r\n  <div class=\"ms-hero\">\r\n    <h1>What is NIS2?<\/h1>\r\n    <p>NIS2 is the EU's updated cybersecurity law \u2014 and it changes who is responsible for cybersecurity, what they must do, and what happens when they don't. If your organisation operates in a critical or important sector, compliance is no longer optional. Here is what you need to know.<\/p>\r\n    <div class=\"ms-btn-wrap\">\r\n      <a href=\"https:\/\/tidycal.com\/raviv\/45-minute-meeting\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn\">Book a NIS2 Assessment<\/a>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-checklist\/\" class=\"ms-btn-secondary\">NIS2 Compliance Checklist &rarr;<\/a>\r\n      <a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-roadmap\/\" class=\"ms-btn-secondary\">Your NIS2 Roadmap &rarr;<\/a>\r\n    <\/div>\r\n  <\/div>\r\n\r\n  <div class=\"ms-content\">\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>Who Does NIS2 Apply To?<\/h2>\r\n      <p>NIS2 applies to <strong>medium and large organisations<\/strong> (50+ employees or \u20ac10M+ turnover) in two categories:<\/p>\r\n      <div class=\"ms-grid-2\">\r\n        <div class=\"ms-card\">\r\n          <h3>&#9888;&#65039; Essential Entities<\/h3>\r\n          <p>Subject to the strictest obligations and proactive supervision. Includes:<\/p>\r\n          <ul class=\"ms-list\" style=\"margin-top:10px;\">\r\n            <li>Energy (electricity, gas, oil, hydrogen)<\/li>\r\n            <li>Transport (air, rail, road, water)<\/li>\r\n            <li>Banking &amp; financial market infrastructure<\/li>\r\n            <li>Healthcare &amp; pharmaceuticals<\/li>\r\n            <li>Drinking water &amp; wastewater<\/li>\r\n            <li>Digital infrastructure (cloud, DNS, data centres)<\/li>\r\n            <li>Central &amp; regional government<\/li>\r\n            <li>Space<\/li>\r\n          <\/ul>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#128203; Important Entities<\/h3>\r\n          <p>Subject to similar obligations but reactive supervision. Includes:<\/p>\r\n          <ul class=\"ms-list\" style=\"margin-top:10px;\">\r\n            <li>Postal &amp; courier services<\/li>\r\n            <li>Waste management<\/li>\r\n            <li>Chemicals<\/li>\r\n            <li>Food production &amp; distribution<\/li>\r\n            <li>Manufacturing (medical devices, electronics, machinery, vehicles)<\/li>\r\n            <li>Digital providers (online marketplaces, search engines, social platforms)<\/li>\r\n            <li>Research organisations<\/li>\r\n          <\/ul>\r\n        <\/div>\r\n      <\/div>\r\n      <div class=\"ms-warning-strip\" style=\"margin-top:28px;margin-bottom:0;\">\r\n        <strong>Smaller organisations may also be in scope.<\/strong> Size thresholds do not apply if the organisation is deemed critical to society or the economy, is a sole provider of an essential service, or operates critical infrastructure. If you are unsure, assume you are in scope until assessed otherwise.\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>What NIS2 Requires \u2014 Article 21<\/h2>\r\n      <p>Article 21 sets out ten mandatory cybersecurity risk-management measures. These are not optional guidelines \u2014 they are legal obligations.<\/p>\r\n      <div class=\"ms-grid\">\r\n        <div class=\"ms-card\">\r\n          <h3>&#128737; Risk Management<\/h3>\r\n          <p>Regular risk assessments of network and information systems. Documented policies for identifying, assessing, and managing cybersecurity risks.<\/p>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#128680; Incident Handling<\/h3>\r\n          <p>Processes for detecting, responding to, and reporting significant incidents. <strong>24-hour initial notification, 72-hour full report<\/strong> to national authorities.<\/p>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#128190; Business Continuity<\/h3>\r\n          <p>Backup management, disaster recovery, and crisis management procedures \u2014 including tested recovery capabilities for ransomware and other operational disruptions.<\/p>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#128279; Supply Chain Security<\/h3>\r\n          <p>Assessment and management of security risks in relationships with direct suppliers and service providers. Third-party risk management is explicitly required.<\/p>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#128272; Access Controls<\/h3>\r\n          <p>Policies for access management, multi-factor authentication, privileged access control, and zero-trust principles across network and information systems.<\/p>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#127891; Awareness &amp; Training<\/h3>\r\n          <p>Security awareness programmes for all personnel. Employees must be trained to recognise and respond to cybersecurity threats \u2014 including phishing and social engineering.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\">\r\n      <h2>NIS2 Penalties<\/h2>\r\n      <div class=\"ms-grid-2\">\r\n        <div class=\"ms-card red\">\r\n          <h3>&#128683; Essential Entities<\/h3>\r\n          <p>Fines up to <strong>&euro;10 million<\/strong> or <strong>2% of global annual turnover<\/strong> \u2014 whichever is higher. Plus: temporary management bans, public disclosure of violations, and mandatory compliance audits.<\/p>\r\n        <\/div>\r\n        <div class=\"ms-card\">\r\n          <h3>&#9888;&#65039; Important Entities<\/h3>\r\n          <p>Fines up to <strong>&euro;7 million<\/strong> or <strong>1.4% of global annual turnover<\/strong> \u2014 whichever is higher. Reactive supervision with the same enforcement powers available to authorities.<\/p>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-strip\">\r\n      <strong>How Magic Stone helps with NIS2 compliance<\/strong><br><br>\r\n      NIS2 compliance requires both regulatory expertise and operational security controls. Magic Stone delivers the technical side \u2014 ransomware protection, email security, endpoint protection, backup, network security, supply chain risk management, and AI governance \u2014 all chosen to satisfy Article 21's requirements directly.\r\n      <br><br>\r\n      For the compliance assessment, gap analysis, and governance framework, we work in partnership with <strong>GRSee<\/strong> \u2014 NIS2 compliance specialists.\r\n      <br><br>\r\n      <span class=\"ms-links\">\r\n        <a href=\"https:\/\/magicstone.nl\/en\/nis2-assessment\/\">NIS2 Assessment \u2014 find out where you stand &rarr;<\/a><br><br>\r\n        <a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-roadmap\/\">Your NIS2 Roadmap \u2014 from where you are to where you need to be &rarr;<\/a>\r\n      <\/span>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section\" id=\"faq\">\r\n      <h2>Frequently Asked Questions<\/h2>\r\n      <div class=\"ms-accordion\">\r\n        <div class=\"ms-acc-item\">\r\n          <button class=\"ms-acc-trigger\">Is our organisation in scope for NIS2? <span class=\"ms-acc-icon\">+<\/span><\/button>\r\n          <div class=\"ms-acc-body\"><div class=\"ms-acc-body-inner\">If you operate in one of the listed sectors and have 50+ employees or \u20ac10M+ turnover, you are likely in scope. Some smaller organisations are also in scope if deemed critical. The safest approach is to assume you are in scope and verify \u2014 the cost of a scoping assessment is far lower than the cost of non-compliance discovered during enforcement.<\/div><\/div>\r\n        <\/div>\r\n        <div class=\"ms-acc-item\">\r\n          <button class=\"ms-acc-trigger\">When did NIS2 take effect? <span class=\"ms-acc-icon\">+<\/span><\/button>\r\n          <div class=\"ms-acc-body\"><div class=\"ms-acc-body-inner\">NIS2 was adopted in December 2022 with a transposition deadline of October 2024. In the Netherlands, it entered into force in July 2025 through the Cybersecurity Act. Enforcement is active \u2014 the compliance clock is running.<\/div><\/div>\r\n        <\/div>\r\n        <div class=\"ms-acc-item\">\r\n          <button class=\"ms-acc-trigger\">What is the difference between essential and important entities? <span class=\"ms-acc-icon\">+<\/span><\/button>\r\n          <div class=\"ms-acc-body\"><div class=\"ms-acc-body-inner\">Both categories face the same technical and governance obligations under Article 21. The difference is in supervision: essential entities are subject to proactive (ex ante) oversight \u2014 authorities can audit them at any time. Important entities face reactive (ex post) supervision \u2014 authorities investigate following an incident or complaint. The compliance requirements are effectively identical.<\/div><\/div>\r\n        <\/div>\r\n        <div class=\"ms-acc-item\">\r\n          <button class=\"ms-acc-trigger\">Does NIS2 replace GDPR? <span class=\"ms-acc-icon\">+<\/span><\/button>\r\n          <div class=\"ms-acc-body\"><div class=\"ms-acc-body-inner\">No. NIS2 and GDPR operate in parallel. GDPR governs the protection of personal data. NIS2 governs the security of network and information systems. Most organisations subject to NIS2 are also subject to GDPR. The good news: the security controls required by NIS2 significantly overlap with GDPR's requirement for appropriate technical measures \u2014 satisfying one generally advances compliance with the other.<\/div><\/div>\r\n        <\/div>\r\n        <div class=\"ms-acc-item\">\r\n          <button class=\"ms-acc-trigger\">How does NIS2 relate to DORA? <span class=\"ms-acc-icon\">+<\/span><\/button>\r\n          <div class=\"ms-acc-body\"><div class=\"ms-acc-body-inner\"><a href=\"https:\/\/magicstone.nl\/en\/dora-compliance-made-simple\/\" style=\"color:#57A200;font-weight:700;\">DORA<\/a> (Digital Operational Resilience Act) applies specifically to financial entities and ICT service providers serving the financial sector. For organisations in scope for both, DORA is considered the lex specialis \u2014 it takes precedence over NIS2 for financial sector requirements. The controls largely overlap, so meeting DORA generally satisfies the equivalent NIS2 requirements.<\/div><\/div>\r\n        <\/div>\r\n        <div class=\"ms-acc-item\">\r\n          <button class=\"ms-acc-trigger\">What is the 72-hour incident reporting requirement? <span class=\"ms-acc-icon\">+<\/span><\/button>\r\n          <div class=\"ms-acc-body\"><div class=\"ms-acc-body-inner\">NIS2 requires a three-stage reporting process for significant incidents: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month. A \"significant incident\" is one that causes or could cause severe operational disruption, financial loss, or reputational damage. Failure to report within the required timelines is itself a compliance violation subject to penalties.<\/div><\/div>\r\n        <\/div>\r\n      <\/div>\r\n    <\/div>\r\n\r\n    <div class=\"ms-section ms-links\">\r\n      <h2>Related<\/h2>\r\n      <ul class=\"ms-list\">\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-roadmap\/\">Your NIS2 Roadmap \u2014 From Where You Are to Where You Need to Be<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-assessment\/\">NIS2 Assessment \u2014 Gap Analysis &amp; Compliance Roadmap<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-third-party-risk-management\/\">NIS2 &amp; Third-Party Risk Management<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/nis2-compliance-checklist\/\">NIS2 Compliance Checklist<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/dora-compliance-made-simple\/\">DORA \u2014 Digital Operational Resilience Act<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/eu-ai-act\/\">EU AI Act<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/services\/ransomware-protection\/\">Ransomware Protection<\/a><\/li>\r\n        <li><a href=\"https:\/\/magicstone.nl\/en\/services\/supply-chain-risk\/\">Supply Chain Risk Management<\/a><\/li>\r\n      <\/ul>\r\n    <\/div>\r\n\r\n    <div class=\"ms-cta\">\r\n      <h2>Ready to Get NIS2 Compliant?<\/h2>\r\n      <p>Book an assessment with Magic Stone. We'll tell you whether you're in scope, what your obligations are, and what a compliance roadmap looks like for your organisation.<\/p>\r\n      <a href=\"https:\/\/tidycal.com\/raviv\/45-minute-meeting\" target=\"_blank\" rel=\"noopener noreferrer\" class=\"ms-btn\">Book a NIS2 Assessment<\/a>\r\n    <\/div>\r\n\r\n  <\/div>\r\n<\/section>\r\n\r\n<script type=\"application\/ld+json\">\r\n{\r\n  \"@context\": \"https:\/\/schema.org\",\r\n  \"@type\": \"FAQPage\",\r\n  \"mainEntity\": [\r\n    {\"@type\":\"Question\",\"name\":\"Is our organisation in scope for NIS2?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"If you operate in one of the listed sectors and have 50+ employees or \u20ac10M+ turnover, you are likely in scope. Some smaller organisations are also in scope if deemed critical. Assume you are in scope and verify \u2014 the cost of a scoping assessment is far lower than the cost of non-compliance.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"When did NIS2 take effect?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 was adopted in December 2022 with a transposition deadline of October 2024. In the Netherlands, it entered into force in July 2025 through the Cybersecurity Act. Enforcement is active.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"What is the difference between essential and important entities under NIS2?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"Both face the same Article 21 obligations. Essential entities face proactive supervision \u2014 authorities can audit at any time. Important entities face reactive supervision \u2014 authorities investigate following an incident. The compliance requirements are effectively identical.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"Does NIS2 replace GDPR?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"No. NIS2 and GDPR operate in parallel. GDPR governs personal data protection. NIS2 governs network and information system security. The security controls required by NIS2 significantly overlap with GDPR's technical measures requirement.\"}},\r\n    {\"@type\":\"Question\",\"name\":\"What is the 72-hour incident reporting requirement under NIS2?\",\"acceptedAnswer\":{\"@type\":\"Answer\",\"text\":\"NIS2 requires: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month. Failure to report within required timelines is itself a compliance violation.\"}}\r\n  ]\r\n}\r\n<\/script>\r\n<script>\r\ndocument.querySelectorAll('.ms-acc-trigger').forEach(btn => {\r\n  btn.addEventListener('click', () => {\r\n    const item = btn.closest('.ms-acc-item');\r\n    const body = item.querySelector('.ms-acc-body');\r\n    const isOpen = item.classList.contains('open');\r\n    document.querySelectorAll('.ms-acc-item').forEach(i => {\r\n      i.classList.remove('open');\r\n      i.querySelector('.ms-acc-body').style.maxHeight = '0';\r\n    });\r\n    if (!isOpen) {\r\n      item.classList.add('open');\r\n      body.style.maxHeight = body.scrollHeight + 'px';\r\n    }\r\n  });\r\n});\r\n<\/script>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>What is NIS2? NIS2 is the EU&#8217;s updated cybersecurity law \u2014 and it changes who is responsible for cybersecurity, what they must do, and what happens when they don&#8217;t. If your organisation operates in a critical or important sector, compliance is no longer optional. Here is what you need to know. Book a NIS2 Assessment NIS2 Compliance Checklist &rarr; Your NIS2 Roadmap &rarr; Who Does NIS2 Apply To? NIS2 applies to medium and large organisations (50+ employees or \u20ac10M+ turnover) in two categories: &#9888;&#65039; Essential Entities Subject to the strictest obligations and proactive supervision. Includes: Energy (electricity, gas, oil, hydrogen) Transport (air, rail, road, water) Banking &amp; financial market infrastructure Healthcare &amp; pharmaceuticals Drinking water &amp; wastewater Digital infrastructure (cloud, DNS, data centres) Central &amp; regional government Space &#128203; Important Entities Subject to similar obligations but reactive supervision. Includes: Postal &amp; courier services Waste management Chemicals Food production &amp; distribution Manufacturing (medical devices, electronics, machinery, vehicles) Digital providers (online marketplaces, search engines, social platforms) Research organisations Smaller organisations may also be in scope. Size thresholds do not apply if the organisation is deemed critical to society or the economy, is a sole provider of an essential service, or operates critical infrastructure. If you are unsure, assume you are in scope until assessed otherwise. What NIS2 Requires \u2014 Article 21 Article 21 sets out ten mandatory cybersecurity risk-management measures. These are not optional guidelines \u2014 they are legal obligations. &#128737; Risk Management Regular risk assessments of network and information systems. Documented policies for identifying, assessing, and managing cybersecurity risks. &#128680; Incident Handling Processes for detecting, responding to, and reporting significant incidents. 24-hour initial notification, 72-hour full report to national authorities. &#128190; Business Continuity Backup management, disaster recovery, and crisis management procedures \u2014 including tested recovery capabilities for ransomware and other operational disruptions. &#128279; Supply Chain Security Assessment and management of security risks in relationships with direct suppliers and service providers. Third-party risk management is explicitly required. &#128272; Access Controls Policies for access management, multi-factor authentication, privileged access control, and zero-trust principles across network and information systems. &#127891; Awareness &amp; Training Security awareness programmes for all personnel. Employees must be trained to recognise and respond to cybersecurity threats \u2014 including phishing and social engineering. NIS2 Penalties &#128683; Essential Entities Fines up to &euro;10 million or 2% of global annual turnover \u2014 whichever is higher. Plus: temporary management bans, public disclosure of violations, and mandatory compliance audits. &#9888;&#65039; Important Entities Fines up to &euro;7 million or 1.4% of global annual turnover \u2014 whichever is higher. Reactive supervision with the same enforcement powers available to authorities. How Magic Stone helps with NIS2 compliance NIS2 compliance requires both regulatory expertise and operational security controls. Magic Stone delivers the technical side \u2014 ransomware protection, email security, endpoint protection, backup, network security, supply chain risk management, and AI governance \u2014 all chosen to satisfy Article 21&#8217;s requirements directly. For the compliance assessment, gap analysis, and governance framework, we work in partnership with GRSee \u2014 NIS2 compliance specialists. NIS2 Assessment \u2014 find out where you stand &rarr; Your NIS2 Roadmap \u2014 from where you are to where you need to be &rarr; Frequently Asked Questions Is our organisation in scope for NIS2? + If you operate in one of the listed sectors and have 50+ employees or \u20ac10M+ turnover, you are likely in scope. Some smaller organisations are also in scope if deemed critical. The safest approach is to assume you are in scope and verify \u2014 the cost of a scoping assessment is far lower than the cost of non-compliance discovered during enforcement. When did NIS2 take effect? + NIS2 was adopted in December 2022 with a transposition deadline of October 2024. In the Netherlands, it entered into force in July 2025 through the Cybersecurity Act. Enforcement is active \u2014 the compliance clock is running. What is the difference between essential and important entities? + Both categories face the same technical and governance obligations under Article 21. The difference is in supervision: essential entities are subject to proactive (ex ante) oversight \u2014 authorities can audit them at any time. Important entities face reactive (ex post) supervision \u2014 authorities investigate following an incident or complaint. The compliance requirements are effectively identical. Does NIS2 replace GDPR? + No. NIS2 and GDPR operate in parallel. GDPR governs the protection of personal data. NIS2 governs the security of network and information systems. Most organisations subject to NIS2 are also subject to GDPR. The good news: the security controls required by NIS2 significantly overlap with GDPR&#8217;s requirement for appropriate technical measures \u2014 satisfying one generally advances compliance with the other. How does NIS2 relate to DORA? + DORA (Digital Operational Resilience Act) applies specifically to financial entities and ICT service providers serving the financial sector. For organisations in scope for both, DORA is considered the lex specialis \u2014 it takes precedence over NIS2 for financial sector requirements. The controls largely overlap, so meeting DORA generally satisfies the equivalent NIS2 requirements. What is the 72-hour incident reporting requirement? + NIS2 requires a three-stage reporting process for significant incidents: an early warning within 24 hours, a full incident notification within 72 hours, and a final report within one month. A &#8220;significant incident&#8221; is one that causes or could cause severe operational disruption, financial loss, or reputational damage. Failure to report within the required timelines is itself a compliance violation subject to penalties. Related Your NIS2 Roadmap \u2014 From Where You Are to Where You Need to Be NIS2 Assessment \u2014 Gap Analysis &amp; Compliance Roadmap NIS2 &amp; Third-Party Risk Management NIS2 Compliance Checklist DORA \u2014 Digital Operational Resilience Act EU AI Act Ransomware Protection Supply Chain Risk Management Ready to Get NIS2 Compliant? Book an assessment with Magic Stone. We&#8217;ll tell you whether you&#8217;re in scope, what your obligations are, and what a compliance roadmap looks like for your organisation. Book a NIS2 Assessment<\/p>\n","protected":false},"author":1,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"elementor_header_footer","meta":{"_acf_changed":false,"site-sidebar-layout":"no-sidebar","site-content-layout":"","ast-site-content-layout":"full-width-container","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"disabled","ast-breadcrumbs-content":"","ast-featured-img":"disabled","footer-sml-layout":"","ast-disable-related-posts":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"set","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"class_list":["post-2391","page","type-page","status-publish","hentry"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>What is NIS2? | Directive, Requirements &amp; Compliance<\/title>\n<meta name=\"description\" content=\"What is NIS2? Learn the EU cybersecurity directive, requirements, and how organizations can achieve compliance and manage third-party risk.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/magicstone.nl\/en\/what-is-nis2\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"What is NIS2? | Directive, Requirements &amp; Compliance\" \/>\n<meta property=\"og:description\" content=\"What is NIS2? Learn the EU cybersecurity directive, requirements, and how organizations can achieve compliance and manage third-party risk.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/magicstone.nl\/en\/what-is-nis2\/\" \/>\n<meta property=\"og:site_name\" content=\"Magic Stone\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/MagicStoneNL\" \/>\n<meta property=\"article:modified_time\" content=\"2026-07-08T08:00:35+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:site\" content=\"@magicstone72\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/what-is-nis2\\\/\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/what-is-nis2\\\/\",\"name\":\"What is NIS2? | Directive, Requirements & Compliance\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#website\"},\"datePublished\":\"2025-07-14T11:54:16+00:00\",\"dateModified\":\"2026-07-08T08:00:35+00:00\",\"description\":\"What is NIS2? Learn the EU cybersecurity directive, requirements, and how organizations can achieve compliance and manage third-party risk.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/what-is-nis2\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/magicstone.nl\\\/en\\\/what-is-nis2\\\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/what-is-nis2\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"What is NIS2\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/\",\"name\":\"Magic Stone\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#organization\",\"name\":\"Magic Stone\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/MS-logo-txt-1024x683.png\",\"contentUrl\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/wp-content\\\/uploads\\\/2026\\\/04\\\/MS-logo-txt-1024x683.png\",\"width\":1024,\"height\":683,\"caption\":\"Magic Stone\"},\"image\":{\"@id\":\"https:\\\/\\\/magicstone.nl\\\/en\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/MagicStoneNL\",\"https:\\\/\\\/x.com\\\/magicstone72\",\"https:\\\/\\\/www.linkedin.com\\\/company\\\/magicstonecyber\"]}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"What is NIS2? | Directive, Requirements & Compliance","description":"What is NIS2? Learn the EU cybersecurity directive, requirements, and how organizations can achieve compliance and manage third-party risk.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/magicstone.nl\/en\/what-is-nis2\/","og_locale":"en_US","og_type":"article","og_title":"What is NIS2? | Directive, Requirements & Compliance","og_description":"What is NIS2? Learn the EU cybersecurity directive, requirements, and how organizations can achieve compliance and manage third-party risk.","og_url":"https:\/\/magicstone.nl\/en\/what-is-nis2\/","og_site_name":"Magic Stone","article_publisher":"https:\/\/www.facebook.com\/MagicStoneNL","article_modified_time":"2026-07-08T08:00:35+00:00","twitter_card":"summary_large_image","twitter_site":"@magicstone72","twitter_misc":{"Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/magicstone.nl\/en\/what-is-nis2\/","url":"https:\/\/magicstone.nl\/en\/what-is-nis2\/","name":"What is NIS2? | Directive, Requirements & Compliance","isPartOf":{"@id":"https:\/\/magicstone.nl\/en\/#website"},"datePublished":"2025-07-14T11:54:16+00:00","dateModified":"2026-07-08T08:00:35+00:00","description":"What is NIS2? Learn the EU cybersecurity directive, requirements, and how organizations can achieve compliance and manage third-party risk.","breadcrumb":{"@id":"https:\/\/magicstone.nl\/en\/what-is-nis2\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/magicstone.nl\/en\/what-is-nis2\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/magicstone.nl\/en\/what-is-nis2\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/magicstone.nl\/en\/"},{"@type":"ListItem","position":2,"name":"What is NIS2"}]},{"@type":"WebSite","@id":"https:\/\/magicstone.nl\/en\/#website","url":"https:\/\/magicstone.nl\/en\/","name":"Magic Stone","description":"","publisher":{"@id":"https:\/\/magicstone.nl\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/magicstone.nl\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/magicstone.nl\/en\/#organization","name":"Magic Stone","url":"https:\/\/magicstone.nl\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/magicstone.nl\/en\/#\/schema\/logo\/image\/","url":"https:\/\/magicstone.nl\/en\/wp-content\/uploads\/2026\/04\/MS-logo-txt-1024x683.png","contentUrl":"https:\/\/magicstone.nl\/en\/wp-content\/uploads\/2026\/04\/MS-logo-txt-1024x683.png","width":1024,"height":683,"caption":"Magic Stone"},"image":{"@id":"https:\/\/magicstone.nl\/en\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/MagicStoneNL","https:\/\/x.com\/magicstone72","https:\/\/www.linkedin.com\/company\/magicstonecyber"]}]}},"_links":{"self":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages\/2391","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/comments?post=2391"}],"version-history":[{"count":5,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages\/2391\/revisions"}],"predecessor-version":[{"id":9265,"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/pages\/2391\/revisions\/9265"}],"wp:attachment":[{"href":"https:\/\/magicstone.nl\/en\/wp-json\/wp\/v2\/media?parent=2391"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}