Author: Priyasha Purkayastha, Global Content Manager, TJC Group
More often than not, organisations across the world find themselves in the crosshairs of cybercriminals. Governments around the globe are putting their best foot forward to come up with directives and policies that help safeguard organisations from such cyberattacks and threats. The directive on the security of Network and Information Systems (NIS) has the same aim. Read this blog to gain an in-depth understanding of what this directive is all about.
Introduction | The implementation of the NIS Directive
The directive on the security of Network and Information Systems (NIS) was established in July 2016 with the aim of increasing and enhancing cyber resilience across the EU. The NIS focuses on strengthening cybersecurity at a national level through regulatory measures, thereby improving collaboration between the member states of the European Union. While aiming to make cyber resilience the DNA of organisations, the authorities came up with two groups of businesses that must comply with the NIS Directive. The groups are –
a) operators of essential services
b) digital service providers.
Interestingly, the NIS Directive, in effect for several years, has caused a significant shift in mindset: cybersecurity is now approached through institutional and regulatory measures. However, it did face challenges, some of which resulted in a fragmented approach at the Member State level. As a matter of fact, the rapid expansion of the digital landscape, including the cyber warfare component, led to the growth of the threat landscape. Therefore, changes to the NIS Directive became far more imperative than one could have anticipated.
NIS2 Directive | The much-needed upgrade
Keeping the recent digital landscape and cyber warfare in mind, the European Union adopted a new, upgraded version of the Network and Information Security Directive, i.e., NIS2, in January 2023. With its aim to establish a higher level of cybersecurity and resilience, EU members implemented the upgraded directive into their national legislation on October 17, 2024. Organisations must now prepare to ensure compliance with the NIS2 Directive. However, before that, let’s take a look at the new updates in the directive.
What is the NIS2 Directive? | The extension of the scope
As per the NIS2 Directive, organisations have to protect the confidentiality, integrity, and availability of data within the company’s network and information systems against cyber threats. It also mandates the detection and reporting of significant security incidents within a prescribed period, including incidents that impact business-critical solutions.
The NIS2 Directive defines two scope categories for organisations: important and essential. Establishments in both categories must meet the same requirements; the difference lies in the supervisory measures and penalties. While important entities are subject to ex-post supervision, essential entities must meet supervisory requirements from the introduction of NIS2. For important entities, ex-post supervision means that action is taken only if the authorities receive evidence of non-compliance with the directive.
Overall, the NIS2 Directive has simplified the scoping exercise that the authorities have to carry out. Additionally, a set of sectors was identified, establishing a fundamental rule: any large enterprise (with a headcount exceeding 250 or revenue above 50 million) or medium-sized enterprise (with a headcount over 50 or revenue exceeding 10 million) within these sectors is automatically included in the NIS2 scope. Having said that, it is imperative to keep in mind that small and micro-organisations are not strictly excluded. As a matter of fact, Member States have the discretion to extend these requirements to an enterprise that meets specific criteria demonstrating its significant role in society, the economy, or particular sectors or services.
NIS2 Directive | Registration of essential establishments
With the NIS2 Directive, EU Member States are required to identify the essential establishments that fall within the scope of the mandate. The deadline for this is April 17, 2025. Furthermore, establishments must determine whether their services fall within the NIS2 scope, identify the Member States in which they provide in-scope services, and register before the deadline in each of those Member States. The following are the details that establishments have to provide for registration –
- The name, address, contact details, and registration number of the organisation
- The sector (or sub-sector) under which they fall in NIS2
- The Member States in which the organisation operates (one or more)
- The detailed list of the IP addresses assigned to them
Other than these, the final registration process and any additional list of required information will be determined during the transposition of the NIS2 Directive into national law.
Implementing secure elements in the NIS2 Directive
An important aspect of the new Network and Information Systems (NIS2) mandate is its objective of streamlining the coordination of cyber incidents and threats among the EU Member States. Under this, the European Union Agency for Cybersecurity (ENISA) will establish a European vulnerability disclosure database, which will help facilitate the sharing of information and knowledge between the Member States.
In addition to this, a new timeline has been designed under the NIS2 Directive for reporting incidents. Here’s what you need to know –
- Every incident, no matter what the impact is, must be reported by the establishment without any delay.
- Within 24 hours, an early warning must be given, along with an initial indication of the kind of incident.
- After 72 hours, establishments must communicate a detailed report comprising the incident assessment, severity and impact, and indicators of any losses.
- After 30 days, organisations must submit a final report.
Bear in mind that all reports and communications must be submitted to the Computer Security Incident Response Team (CSIRT) of the relevant EU Member State.
Having said that, the NIS2 mandate encourages making the incident reporting process as simple as possible. This is ensured by implementing a single entry point for incidents, which will further reduce the administrative burden for authorities within and across Member States.
Apart from this, as per the new directive, the CSIRT or the competent authority of the EU Member State must report to ENISA on the incidents every three months, using anonymised information. Furthermore, ENISA will report every six months on the incidents that occurred, enabling both the establishments and the Member States to learn from the incidents and to bring in any crucial change to the NIS2 Directive if needed.
How to comply with the NIS2 Directive for SAP solutions?
In a gist, the NIS2 Directive comes with requirements that help protect the confidentiality, integrity, and availability of data in any network and information system. The directive is designed to protect systems against cyber threats and to help detect and report security incidents, including incidents affecting data that impact business-critical solutions.
SAP solutions play an essential role in organisations, managing a plethora of sensitive data – from financial to personal data. A breach in data security, whether through data leaks, financial fraud, or system downtime, leads to serious consequences. Therefore, to safeguard these critical systems, the NIS2 Directive comes in handy with its clear guidelines. For organisations using SAP solutions, it emphasises the need to protect network and information systems while ensuring incidents are reported in a timely manner.
For SAP environments, security measures should include compliance with industry benchmarks and SAP’s best practices for system hardening, patching, and securing custom code. SAP’s security guides and standards offer detailed recommendations for each product and area. Additionally, organisations must implement mechanisms for detecting, investigating, and reporting security incidents using SAP logs. Several advanced techniques, such as pattern matching and anomaly detection, can significantly enhance the monitoring of data security in the systems.
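As an added illustration (not code from this article or from TJC Group), the following Python sketches the two technical pieces mentioned here and in the reporting timeline above: a pattern-matching check for bursts of failed logons over constructed, simplified log records (not SAP's actual log format), and a tracker for the 24-hour, 72-hour and 30-day reporting stages counted from the moment the incident became known. The record shape, user names and the five-failures-in-ten-minutes threshold are assumptions.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample logon records as (timestamp, user, result): a simplified shape,
# not SAP's own audit-log format, which a real deployment would map onto these fields.
SAMPLE_LOG = [
    ("2024-11-04 08:00:05", "JSMITH", "OK"),
    ("2024-11-04 08:01:10", "SVC_RFC", "FAIL"),
    ("2024-11-04 08:01:12", "SVC_RFC", "FAIL"),
    ("2024-11-04 08:01:15", "SVC_RFC", "FAIL"),
    ("2024-11-04 08:01:17", "SVC_RFC", "FAIL"),
    ("2024-11-04 08:01:20", "SVC_RFC", "FAIL"),
    ("2024-11-04 08:30:00", "AMILLER", "FAIL"),  # isolated failure, below threshold
]

def parse_ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def detect_failed_logon_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Pattern match: `threshold` failed logons by one user within a sliding `window`."""
    recent, detected = {}, {}
    for ts, user, result in sorted(records):  # ISO-style timestamps sort lexically
        if result != "FAIL" or user in detected:
            continue
        q = recent.setdefault(user, deque())
        q.append(parse_ts(ts))
        while q[-1] - q[0] > window:  # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            detected[user] = q[-1]  # moment the incident became known
    return detected

# Reporting stages as described in the article, counted from the moment the
# incident became known: early warning 24 h, detailed report 72 h, final report 30 days.
STAGES = (("early_warning", timedelta(hours=24)),
          ("detailed_report", timedelta(hours=72)),
          ("final_report", timedelta(days=30)))
def reporting_deadlines(detected_at):
    return {name: detected_at + delta for name, delta in STAGES}

def reporting_status(detected_at, submitted, now):
    """Per stage: 'submitted', 'late' (sent after deadline), 'overdue' (nothing sent) or 'pending'."""
    status = {}
    for stage, deadline in reporting_deadlines(detected_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "submitted" if sent <= deadline else "late"
        else:
            status[stage] = "overdue" if now > deadline else "pending"
    return status
```

Running `reporting_status` against the CSIRT submissions actually made turns the directive's timeline into a checklist that flags a stage as late or overdue instead of relying on memory.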
At TJC Group, we emphasise data security as well as data privacy, implementing stringent measures that help protect SAP systems from cyber-attacks and impending threats. You can read more about our data security measures here!
To get more information on overall data management for S/4HANA migration, compliance, and more, contact us now!