What is NIS2?
NIS2 is the new European directive on network and information security. It introduces stricter requirements on cybersecurity, risk management, and incident reporting.
The goal? To better protect our digital society against cyber threats and to ensure the continuity of essential and important services.
BENEFITS
Why?
Cyberattacks are becoming more frequent and more complex. A single vulnerability in one organization can impact an entire sector – or even a country.
With NIS2, the European Union aims to:
- Protection of Critical Infrastructure: Improve the protection of critical infrastructure and businesses
- Rapid Incident Detection & Reporting: Ensure faster detection and reporting of incidents
- Harmonized EU Cybersecurity Rules: Establish harmonized rules across all EU member states
For whom?
NIS2 is mandatory for organizations considered essential or important, such as:
- Energy and utilities
- Transport and logistics
- Healthcare
- Financial institutions
- Government services
- Digital infrastructure & cloud providers
In addition, medium and large enterprises in high-risk sectors are also covered by the directive.
NIS2 Timeline (According to CCB – Centre for Cybersecurity Belgium)
Most provisions of NIS2 apply from 18 October 2024. Below is an overview of the key deadlines and obligations:
From 18 October 2024 – Immediate obligations
- Implement minimum measures for managing cybersecurity risks
- Report all significant incidents
- Cooperate with competent authorities during supervision
- For governing bodies:
  - Approve and oversee cybersecurity risk management measures
  - Monitor implementation of measures
  - Accept liability for violations by the entity
  - Participate in cybersecurity training
Registration with CCB (via Safeonweb@Work)
- Digital sector entities: register by 18 December 2024 (within 2 months)
- All other entities: register by 18 March 2025 (within 5 months)
Conformity assessment via CyFun® Framework (by an accredited Conformity Assessment Body – CAB)
- By 18 April 2026 (18 months after entry into force):
  - Basic level: verification required
  - Important level: verification at Basic or Important required
  - Essential level: first verification at Basic or Important required
- By 18 April 2027 (extra 12 months):
  - Important level: final verification at Important required
  - Essential level: full certification at Essential required
Alternative routes
- ISO/IEC 27001:
  - By 18 April 2026: submit scope & SoA to the CCB
  - By 18 April 2027: certification by an accredited CAB required
- Direct inspection by CCB:
  - By 18 April 2026: submit self-assessment (CyFun® Basic/Important) or ISO/IEC 27001 documentation
  - By 18 April 2027: submit progress report on compliance
Below you can find the official timeline provided by the Centre for Cybersecurity Belgium (CCB). It highlights the key milestones and deadlines for NIS2 compliance.
HOW IT WORKS
Do you want to know if your organization falls under NIS2 and what steps you need to take?
Our experts are here to help.
- Risk Assessments: Performing risk assessments
- Security & Incident Response: Establishing security and incident response procedures
- 24-Hour Incident Reporting: Reporting incidents within 24 hours
- Appointed Security Officer: Appointing a security officer (CISO/DPO/ISMS)
- Compliance Proof: Providing periodic proof of compliance
HOW WE HANDLE
How do we handle it at NormNest?
At NormNest, we help organizations get ready for NIS2 with our Trust-as-a-Service approach:
- Gap analysis: assess where you stand today versus requirements
- Roadmap: create a concrete action plan toward compliance
- Implementation support: policies, processes & technical measures
- Continuous monitoring: through our Trust Platform
- Training & awareness: for employees
