NIS2 (EU) & NIS1 (UK): What Businesses Need to Know

NIS2 is now in effect across the EU. NIS1 applies in the UK. Affected businesses must implement IT security measures and document them demonstrably.

NIS2 Requirements for Businesses

Executive Liability

NIS2 Article 20: Management bodies are responsible for implementing and overseeing cybersecurity risk management measures. They can be held personally liable for breaches.

Documentation Requirements

NIS2 Article 21: Businesses must document technical and organizational measures and be able to demonstrate compliance upon request from authorities.

Reporting Obligations

NIS2 Article 23: Significant security incidents must be reported to authorities within 24 hours. A detailed report must follow within 72 hours.

What is NIS2?

The NIS2 Directive (Network and Information Security Directive 2) is an EU directive to strengthen cybersecurity across the European Union. It significantly expands the scope and requirements of the original NIS Directive.

17 October 2024

NIS2 transposition deadline – now in effect

Fines for Non-Compliance

NIS2 provides for fines of up to 10 million euros or 2% of global annual turnover – whichever is higher. The amount depends on the severity of the violation.

What is NIS1 (UK)?

The NIS Regulations 2018 are the UK's implementation of the original EU NIS Directive. Since Brexit, the UK is no longer subject to NIS2, but NIS1 remains in force and imposes similar cybersecurity requirements on operators of essential services and digital service providers.

Since 2018

UK NIS Regulations in force

UK Fines for Non-Compliance

The UK NIS Regulations provide for fines of up to £17 million for the most serious breaches. The UK is also developing the Cyber Security and Resilience Bill to further strengthen requirements.

Which Businesses Are Affected?

NIS2 (EU) and NIS1 (UK) apply to businesses in certain sectors that exceed specific thresholds (typically 50+ employees or 10 million euros turnover):

Essential Entities

Energy (Electricity, Gas, Oil)
Transport (Air, Rail, Water, Road)
Banking & Financial Markets
Healthcare
Drinking Water & Wastewater
Digital Infrastructure
Public Administration
Space

Important Entities

Postal & Courier Services
Waste Management
Chemicals
Food
Manufacturing (Medical Devices, IT, Machinery, Vehicles)
Digital Services
Research

Indirectly Affected Businesses

If you are a supplier or service provider to NIS2-regulated businesses, they will require evidence of your IT security measures. Supply chain security is a central component of NIS2.

Technical Requirements of NIS2 & NIS1

Both directives require similar measures – System Dog helps you implement them:

Asset Management

Automatic inventory of all IT systems and devices in your network.

Vulnerability Management

Continuous CVE monitoring and detection of security vulnerabilities.

Patch Management

Monitoring of software versions and pending updates.

Continuous Monitoring

24/7 monitoring of all systems with intelligent early warnings.

Compliance Documentation

Audit-ready reports and evidence for audits and authorities.

EOL Management

Detection of outdated systems and end-of-life software.

How System Dog Helps with NIS2 & NIS1 Compliance

NIS2/NIS1 Requirement              | System Dog Solution
-----------------------------------|----------------------------------
Overview of all IT systems         | Automatic IT inventory
Vulnerability management           | CVE monitoring and alerts
Documentation for authorities      | Audit-ready compliance reports
Detection of security incidents    | Continuous monitoring
Proof of due diligence             | Complete audit trail

Core Obligations Under NIS2 & NIS1

Both directives require affected businesses to implement the following measures:

  • Risk Management (Article 21): Technical and organizational measures to manage cybersecurity risks.
  • Incident Reporting (Article 23): Reporting significant security incidents to authorities within 24 hours.
  • Registration: Registration with the relevant national authority as an affected entity.
  • Management Responsibility (Article 20): Personal responsibility of management for implementation.

Recommendation

Check early whether your business falls under NIS2 (EU) or NIS1 (UK) and start implementing the required measures. Demonstrable IT monitoring is an important building block for compliance.

4 Steps to NIS2 & NIS1 Compliance

1. Assessment

We identify all IT systems in your organization – completely and automatically.

2. Installation

Monitoring agents are installed on all systems – without interrupting operations.

3. Monitoring

Continuous 24/7 monitoring with automatic early warnings when risks are detected.

4. Compliance

Regular reports document your IT security – audit-ready for authorities and audits.

Questions About NIS2 or NIS1 Compliance?

We're happy to advise you on how System Dog can help you meet NIS2 (EU) or NIS1 (UK) requirements.

Questions and Answers