Guidance on how your organisation can work with the NIS2 directive.
The NIS2 Directive is unlike most other cybersecurity rules because it gives a company's leadership (e.g., C-level executives, board members, and legal representatives) the responsibility for ensuring they comply.
And they can also be penalised if they don't meet the requirements. For instance, they can be temporarily banned from holding leadership positions.
In this article, we give you an overview of what NIS2 requires and some resources to support your work with NIS2. If you want to read more about NIS2, we have a blog post that goes into a lot of detail about who it applies to and some recommendations.
Technically, NIS2 applies as of October 18, 2024. In some countries, like Denmark, implementation of the directive is delayed. In Denmark, implementation is expected on July 1, 2025.
Here are some of the highlights.
There are 10 new minimum cybersecurity requirements
- Policies on risk analysis and information system security
  - Your risk management should have an all-hazards approach, which means you should consider threats from the physical environment (e.g., floods, fires), telecommunications failure, and unauthorized access to, damage to, or interference with your information technology.
- Incident handling
- Business continuity, such as backup management and disaster recovery, and crisis management
- Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers
  - For example, it is recommended to include cybersecurity risk management measures in your contracts with direct suppliers.
- Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
  - Some examples could be:
    - Having policies on software and hardware updates, changing passwords, managing new installations, restricting administrator level access accounts, and backing up data.
    - Practices to adopt: zero trust, mandatory software updates, training staff and raising awareness of cyber threats, phishing, and social engineering techniques.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption
- Human resources security, access control policies and asset management
- The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity – where appropriate
The EU published this draft initiative that covers cybersecurity risk management and reporting obligations for digital infrastructure providers and ICT service managers.
The annex has concrete guidance on, e.g., what to consider for risk management, what should be included in different security policies, how to approach supply chain security, and much more. Although the guidance is aimed at specific sectors, the information and recommendations within the annexes are largely applicable. It's a great place to start if you are unsure of what the security requirements mean in practice.
There are new reporting requirements
What kind of incident needs to be reported?
Incidents considered "significant" need to be reported using the new schedule below.
A significant incident is one that:
- Has or could cause severe disruption of the services or financial loss for your organisation
- Has or could affect people by causing considerable material or non-material damage
The new timeline for reporting
Within 24 hours of first becoming aware of an incident
Submit an early warning. Indicate whether you suspect the incident was caused by illegal or malicious activity and whether it may have a cross-border impact.
Within 72 hours
Submit an update. You should provide an initial assessment of the incident’s severity, impact, and indicators of compromise.
Within 1 month
Submit a final report. This should have a detailed description of the incident, its severity and impact; what caused the incident; applied and ongoing mitigation measures; and impact across borders.
Resources to support your NIS2 work
ENISA Implementing Guidance for NIS2 Security Measures
ENISA has published draft implementing guidance for NIS2.
The draft guidance includes:
- explanations on what each policy should include
- guidance on how to work with each security measure with examples
Note that the guidance is in a draft stage, and is open for industry consultation.
External resources
Bestyrelsesforeningens Center for Cyberkompetencer has some comprehensive free resources for Danish companies.
For example, they have a ready-made checklist you can use to organise your security work.
The European Commission published an implementing resolution in October 2024. It goes over the various cybersecurity risk management measures in more detail. It's technically for specific types of organisations (DNS service providers, data centre service providers, and others) but there are a lot of helpful notes about what should be included in different policies and procedures that could guide your work, even if you aren't one of these types of organisations.
These are included in the "Annex" document.
CyberPilot resources
Here are some resources and the NIS2 requirements they can help you meet.
Requirement #1 - Policies on risk analysis and information system security
- IT security policy template and guide on how to use it.
- Risk analysis template and guide on how to use it.
- Password policy template and guide on how to use it.
Requirement #3 - Business continuity and crisis management
Requirement #6 - Assess the effectiveness of your risk management
- Overview of the Plan-Do-Check-Act cycle and how to use it to continuously improve your security.
Requirement #7 - Basic cyber hygiene practices and cybersecurity training
- Our awareness training course catalogue filled with content to educate your employees.
- Our security awareness posters.
Requirement #9 - Human resources security, access control, and asset management
- Acceptable use policy template and guide on how to use it.
- Overview of mobile device management.
Did you know we have a course about NIS2?
CyberPilot's NIS2 course for leadership
We offer a course for leadership to get started with NIS2. This course is meant to be taken by executives, board members, and management. It can also be taken by managers who will be supporting a company's NIS2 compliance work.
The course provides:
- Key information about the NIS2 Directive
- A guide to the 10 cybersecurity requirements in NIS2
- Examples of how you can work with NIS2
It's a great way to introduce NIS2 and start working with it in your company.
Got a question?
Contact us at support@cyberpilot.io