According to the Danish Ministry of Defence, Denmark's implementation of the EU cybersecurity directive NIS2 has been delayed. The new expected start date is October 2024 (which is also the EU-wide transposition deadline of 17 October 2024), pushing the compliance deadline for Danish organizations to late 2024 or early 2025.
NIS2 introduces significant changes compared to its predecessor, NIS1. The new directive widens the range of covered sectors and entities, bringing in more industries such as digital services, manufacturing of critical products, and public administration. It also imposes stricter cybersecurity requirements, mandating a holistic, risk-based approach to cyber and information security. NIS2 makes management bodies responsible for approving and overseeing the security measures, and it introduces more severe penalties for non-compliance, with fines of up to 10 million euros or 2% of a company's total worldwide annual turnover, whichever is higher. Additionally, NIS2 requires covered entities to manage the security of their supply chains, which in practice pushes requirements down to subcontractors and suppliers working for covered companies and broadens the directive's impact well beyond the entities it names directly. The directive aims to standardize cybersecurity practices across EU member states, addressing the vague wording of NIS1 that led to inconsistent implementation.
NIS2 takes a nuanced approach to sector-specific requirements, recognizing that certain industries may already be subject to equivalent cybersecurity rules. Under Article 4 of the directive, if a sector-specific Union legal act requires entities to adopt cybersecurity risk-management measures or incident reporting obligations that are at least equivalent in effect to the NIS2 requirements, those sector-specific rules apply instead of the corresponding NIS2 provisions. At present, the Digital Operational Resilience Act (DORA) for the financial sector is the recognized example of such equivalent sector-specific legislation. For sectors not covered by equivalent legislation, the NIS2 provisions continue to apply. This approach aims to prevent fragmentation of cybersecurity provisions across the EU while ensuring a high level of cybersecurity across all critical sectors.
NIS2 sets significant penalties for non-compliance and distinguishes between essential and important entities. For essential entities, the maximum fine is €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines of up to €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. Beyond financial penalties, NIS2 gives national authorities additional enforcement powers, including issuing binding compliance orders, mandating security audits, and, for essential entities, temporarily prohibiting individuals from exercising management functions when earlier enforcement measures have not led to compliance. The directive also holds management bodies accountable: they must approve and oversee the cybersecurity risk-management measures and can be held personally liable under national law for infringements, with the aim of elevating cybersecurity to an organization-wide strategic priority.
CapaSystems, a Danish IT company, is offering a webinar to help organizations understand and prepare for the NIS2 directive. The webinar, scheduled for Wednesday, 21 August at 10:00 AM, aims to bring clarity to the complex world of NIS2. Participants will have the opportunity to learn about the directive, which is expected to take effect in Denmark at the turn of the year, and to gain insight into its implications for businesses. This educational initiative reflects the growing importance of cybersecurity awareness and compliance ahead of the upcoming NIS2 implementation in Denmark.