What are the NIS2 categories?

NIS2 categorises entities as essential or important, with both needing to meet similar baseline requirements. The difference lies in supervision and penalties. Essential entities face immediate oversight, while important entities are subject to ex-post supervision based on evidence of non-compliance. Scoping is simplified with a sector-based list, automatically including large and medium enterprises. However, member states can extend requirements to small or micro-organisations if they play a critical role in society, the economy, or specific sectors. The categorisation of entities as essential or important can vary by member state, but generally, the following sectors are included: Essential sectors: Energy Transport Banking Financial market infrastructures Health Drinking water and wastewater Digital infrastructure, including internet exchange points, DNS, and cloud computing services Important sectors: Digital providers, including online marketplaces, online search engines, and social networking services platforms Public administration Space Postal and courier services Waste management Industrial manufacturing Manufacturing and distribution of chemicals Food production processing and distribution Research

Am I affected by NIS2? What are the thresholds?

To determine whether your company is affected by NIS-2 there are some helpful criteria that give you an indication whether you will have to fulfil the full scope of the NIS2 cybersecuriy requirements. It is estimated that over 100,000 organizations across the EU are affected by NIS2. Contrary to previous practice, these no longer merely include critical infrastructure operators, but also numerous large companies and SMEs in critical sectors. These include, for example, banks, energy suppliers, transport companies, telecommunications providers, hospitals, airports, and food producers and retailers. Currently, companies have to determine themselves whether they fall within the scope of NIS2, however, TÜV SÜD is willing to support you in determining whether you are affected or not. In most EU Member states the national cybersecurity authorities, such as Germany's Federal Office for Information Protection (BSI), offer support and guidance in determining whether your organization is likely to be affected ( NIS-2 Applicability Check in German ). The following criteria are decisive for this: The size of the company: If companies have more than 50 employees and generate more than 10 million euros in revenue per year, they are affected by NIS2 if they operate in a relevant sector. The sector: NIS2 defines 18 affected sectors that are considered as either essential or important and will have to abide by the same baseline cybersecurity requirements, with stricter requirements for essential entities in the most critical sectors. Some organizations are also affected regardless of their size. This applies, for example, if systemic risks exist in the event of a failure.

What is the transition timeline for NIS2?

7 June 2016 the Network and Information Security (NIS) Directive is adopted. 5 September 2018 member states transpose NIS into national law. 7 July 2020 European Commission starts consulting on NIS reform. 16 December 2020 The European Commission publishes a proposal for NIS2. 13 May 2022 European Parliament votes to adopt NIS2. 10 November 2022 The Council of the EU approved NIS2. 28 November 2022 NIS2 is published in the Official Journal. 16 January 2023 NIS2 enters into force. 17 October 2024 member states transpose NIS2 into national law. From 17 October 2024 onwards NIS2 Directive becomes enforceable. Organisations across the EU must meet the cybersecurity requirements by this date to ensure compliance.

Is there a certification for NIS2?

As of now there is no official NIS2 certification that is valid across all EU member states, however, it is possible for organizations to get certified according to the international standard ISO 27001, which allows them to demonstrate their compliance with most NIS-2 requirements. Companies that are likely to be impacted by NIS2 should begin with implementing an Information Security Management System (ISMS) in accordance with ISO 27001, which provides organizations with a clear framework to systematically and continuously assess and improve their processes and IT systems for vulnerabilities. With an ISMS, companies can reduce their cyber-attack surface and ensure consistent business continuity. Ideally, affected companies should contact their auditors as soon as possible to discuss the approach and avoid last-minute pressure. Learn more about how TÜV SÜD can help you with the auditing and certification of your ISMS.

NIS2 EU Compliance & Directive Services UK

What is NIS2

NIS2 is the EU’s updated Directive on Security of Network and Information Systems. It strengthens cybersecurity requirements for essential and important entities, expands sector coverage, and introduces stricter reporting obligations. NIS2 aims to enhance cyber resilience and harmonise security across all EU member states.

TÜV SÜD’s NIS2 services ensure you have a trusted partner with the expertise, resources, and global presence to help protect your organization from cybersecurity threats while effectively meeting regulatory requirements.

Why NIS2 compliance is important

NIS2 compliance is crucial for organizations active within the European Union (EU). By adhering to NIS2, businesses can effectively identify and mitigate cybersecurity risks, reducing the chances of operational disruptions caused by cyber incidents and avoiding significant fines or reputational damage.

Customers and clients are increasingly aware of cybersecurity vulnerabilities that can affect network and information systems along their entire supply chain. Achieving NIS2 compliance not only builds trust and confidence but also provides a competitive edge, reassuring them that their data and information are secure when partnering with your organization.

TÜV SÜD’s NIS2 services not only safeguard your business against cyber threats but also position you as a reliable and secure partner, enhancing your reputation and fostering long-term growth and sustainability. With our support, you ensure continuous protection and compliance, allowing your business to adapt to evolving cyber threats while maintaining a strong market position.

What our NIS2 services include

A well-executed cybersecurity strategy ensures you achieve and maintain NIS2 compliance for your network and information systems. Our NIS2 services are designed to help you build a resilient program that not only addresses current cyber threats but also adapts to evolving risks and aligns with your digital business strategies. We don’t just focus on assessing and implementing the present state of your cybersecurity posture; we also prepare your organization for your future vision and growth.

TÜV SÜD’s experts provide clear insights into your cyber risk posture and capabilities, enabling you to make informed investment decisions. We assist in implementing a strategic cybersecurity programme that incorporates structured decision-making. With social engineering being a common tactic in cyberattacks, we enhance your risk awareness through targeted staff education and training to minimize human error.

Our approach consits of:

Preparation
Scoping
Risk assessment
Documentation review
Interviews and observations
Gap analysis
Reporting

How TÜV SÜD’s NIS2 services can help you with compliance

TÜV SÜD is a globally recognised leader in testing, inspection, and certification services. We have extensive experience in cybersecurity and regulatory compliance, working with more than 10,000 customers globally. With a presence in over 1,000 locations, our experts can support your organisation's NIS2 compliance needs across multiple jurisdictions and markets.

To ensure full compliance, our comprehensive NIS2 services offer end-to-end support tailored to meet NIS2 requirements. This includes a thorough NIS2 Risk Assessment, gap analysis, audits, and implementation assistance. Our client-centric approach focuses on understanding your unique business needs, allowing us to tailor our services to deliver practical, effective solutions.

TÜV SÜD is renowned worldwide as an independent and impartial advisor and auditor. Global acceptance of our validations is the result of our commitment to rigorous quality standards, ensuring thorough and reliable NIS2 Risk Assessments that meet regulatory requirements and industry best practices.

Get started with TÜV SÜD

Start your NIS2 services journey with us today.

Request a reachout

What are the NIS2 categories?
NIS2 categorises entities as essential or important, with both needing to meet similar baseline requirements. The difference lies in supervision and penalties. Essential entities face immediate oversight, while important entities are subject to ex-post supervision based on evidence of non-compliance. Scoping is simplified with a sector-based list, automatically including large and medium enterprises. However, member states can extend requirements to small or micro-organisations if they play a critical role in society, the economy, or specific sectors. The categorisation of entities as essential or important can vary by member state, but generally, the following sectors are included:

Essential sectors:
- Energy
- Transport
- Banking
- Financial market infrastructures
- Health
- Drinking water and wastewater
- Digital infrastructure, including internet exchange points, DNS, and cloud computing services
Important sectors:
- Digital providers, including online marketplaces, online search engines, and social networking services platforms
- Public administration
- Space
- Postal and courier services
- Waste management
- Industrial manufacturing
- Manufacturing and distribution of chemicals
- Food production processing and distribution
- Research
Am I affected by NIS2? What are the thresholds?
To determine whether your company is affected by NIS-2 there are some helpful criteria that give you an indication whether you will have to fulfil the full scope of the NIS2 cybersecuriy requirements.

It is estimated that over 100,000 organizations across the EU are affected by NIS2. Contrary to previous practice, these no longer merely include critical infrastructure operators, but also numerous large companies and SMEs in critical sectors. These include, for example, banks, energy suppliers, transport companies, telecommunications providers, hospitals, airports, and food producers and retailers.

Currently, companies have to determine themselves whether they fall within the scope of NIS2, however, TÜV SÜD is willing to support you in determining whether you are affected or not. In most EU Member states the national cybersecurity authorities, such as Germany's Federal Office for Information Protection (BSI), offer support and guidance in determining whether your organization is likely to be affected (NIS-2 Applicability Check in German).

The following criteria are decisive for this:
- The size of the company: If companies have more than 50 employees and generate more than 10 million euros in revenue per year, they are affected by NIS2 if they operate in a relevant sector.
- The sector: NIS2 defines 18 affected sectors that are considered as either essential or important and will have to abide by the same baseline cybersecurity requirements, with stricter requirements for essential entities in the most critical sectors.
Some organizations are also affected regardless of their size. This applies, for example, if systemic risks exist in the event of a failure.
What is the transition timeline for NIS2?
- 7 June 2016  the Network and Information Security (NIS) Directive is adopted.
- 5 September 2018 member states transpose NIS into national law.
- 7 July 2020 European Commission starts consulting on NIS reform.
- 16 December 2020 The European Commission publishes a proposal for NIS2.
- 13 May 2022 European Parliament votes to adopt NIS2.
- 10 November 2022 The Council of the EU approved NIS2.
- 28 November 2022 NIS2 is published in the Official Journal.
- 16 January 2023 NIS2 enters into force.
- 17 October 2024 member states transpose NIS2 into national law.
- From 17 October 2024 onwards NIS2 Directive becomes enforceable. Organisations across the EU must meet the cybersecurity requirements by this date to ensure compliance.
Is there a certification for NIS2?

As of now there is no official NIS2 certification that is valid across all EU member states, however, it is possible for organizations to get certified according to the international standard ISO 27001, which allows them to demonstrate their compliance with most NIS-2 requirements. Companies that are likely to be impacted by NIS2 should begin with implementing an Information Security Management System (ISMS) in accordance with ISO 27001, which provides organizations with a clear framework to systematically and continuously assess and improve their processes and IT systems for vulnerabilities. With an ISMS, companies can reduce their cyber-attack surface and ensure consistent business continuity.

Ideally, affected companies should contact their auditors as soon as possible to discuss the approach and avoid last-minute pressure.

Learn more about how TÜV SÜD can help you with the auditing and certification of your ISMS.