Get A Quote

About NIS 2

NIS 2 is the EU directive that replaces the original Network & Information Systems Directive (NIS 1). It builds upon, extends, and replaces NIS 1 with the aim of ensuring a high level of cyber security across the European Union. It establishes new obligations and increases the powers available to regulators including fines of up to €10m and personal liability for executives.

NIS 2 Scope

NIS 2 applies to organisations providing services in one of 17 critical sectors within the EU. Most entities in scope will be medium-sized or larger, and established within an EU country, but some entities based outside the EU may also be in scope. Organisations in scope are classified as Essential or Important with different supervision and enforcement rules applying to each.

Why Choose Evalian To Support You With NIS 2 Compliance?

Comprehensive Cyber Security Service


We support all aspects of NIS 2 directive compliance, including gap analysis, risk management, supply chain security and more.

Pragmatic Advice


Our highly qualified consultants are experienced in supporting organisations to comply with the first NIS directive.

Accredited Consultant


We are certified to ISO 27001, 9001 & Cyber Essentials+. We are accredited by CREST and an NCSC Assured Service Provider.

Cost Effective Solutions Evalian


We do the heavy lifting for you, saving you time & money from hiring in-house & reducing the risk of fines & enforcement.

New NIS 2 Organisational Requirements

If you are in scope of NIS 2, it is likely that you will need to improve your cybersecurity risk management measures to meet the required level of security resilience. Areas of focus should include:

Security Governance

Security governance processes through which executives are responsible for approving and overseeing implementation of cyber risk management measures.

Risk Management

Cyber risk management covering identification, assessment and treatment. Ongoing monitoring and reporting into the security governance process

Policy Framework

A security management system, including an information security policy and framework of topic specific security policies, procedures and records.

Business Continuity

Operational resilience measures including business continuity and crisis management plans, and backup and disaster recovery procedures.

Supplier Security​

Identification and security risk assessment of critical suppliers, including security obligations in contracts and identification of specific risks.

Incident Reporting

Incident response and communication plans that include criteria for identifying and reporting incidents having a significant impact within the NIS 2 deadlines.

Who Does NIS 2 Apply To?

To learn more about the scope criteria, visit our FAQ section.

NIS 2 Entities in Scope 2

Evalian’s NIS 2 Services

We are experienced in supporting organisations required to comply with the first NIS Directive. We can help you prepare for all aspects of NIS 2 compliance. Our services include:

Legal Scoping
Systems Scoping
Gap Analysis
Improvement Planning
Security Governance
Risk Assessments
Risk Management
Policies & Procedures
BC Planning & Exercising
IR Planning
IR Exercising
Supplier Security
Exec Training
User Training
Vulnerability Scanning
Pen Testing
Security Auditing
Controls Monitoring

Steps To NIS 2 Compliance

Step 1 Simple1. Scoping
Determine if your organisation is in scope & whether it is an EE or an IE.
Step 2 Simple2. Gap Analysis
Assess your compliance against NIS 2 security requirements & develop improvement plan.
Step 3 Simple3. Impact & Risk Assessments
Conduct impact & risk assessments for IT & OT systems in scope, develop risk treatment plans.
Step 4 Simple4. Security Management
Build security management to include governance, risk, controls & continual improvement.
Step 5 Simple5. Supply Chain
Identify suppliers & potential impacts, assess their security measures, identify & manage risks.
Step 6 Simple6. Business Continuity
Establish business continuity, backup & disaster recovery plans & exercise them.
Step 7 Simple7. Incident Management
Establish incident response & notification plans & playbooks & exercise them.
Step 8 Simple8. Security Assurance
Undertake security assurance activities; audits, pen tests, business continuity & incident response exercises.

Get Your Free Consultation

We know it can seem challenging for organisations to prepare for the NIS 2 Directive. You should not underestimate the work required to meet the NIS 2 requirements, but with guidance from cybersecurity experts, you can be confident that you are getting the correct support to meet your organisation’s unique needs.

Based on our experience of supporting organisations to comply with NIS-D, we advise you on the work required to comply with the new law.

We can support you with a gap analysis review of where you are today and the areas for improvement to comply with NIS 2. We can also help with all elements of improvement. Contact our friendly team for more information.

“The training has definitely helped with our cyber security awareness overall, particularly with our more senior level members of the business, who wouldn’t usually have visibility over this kind of situation.”

– St John’s College

Evalian is committed to protecting and respecting your privacy. By proceeding with your inquiry, you agree to the terms of our Privacy Policy.

  • This field is for validation purposes and should be left unchanged.


How does NIS 2 differ from the original NIS directive?

NIS 2 builds upon and supersedes the original Network and Information Systems Directive. It expends the number of sectors in scope from 7 to 17 and introduces minimum security risk management measures which must be implemented by entities in scope. NIS 2 provides regulators with increased supervisory and enforcement powers to ensure compliance. These include fines of up to €10m and being able to hold executives personally liable for breach of their duties to ensure compliance.

For a deeper dive, read our detailed blog on the NIS 2 overview and background, featured above.​

Who does NIS 2 apply to?

NIS 2 primarily applies to medium and large size organisations operating within the sectors listed Annex 1 or Annex 2 of the directive. Medium entities are those with more than €10m in revenue or 50+ employees. Large companies are those with more than €50m in annual revenue or 250+ employees. All qualified trust service providers, top level domain name registries and DNS providers are in scope irrespective of their size.

Annex 1 of NIS covers the following sectors:

  • Energy*
  • Transport*
  • Health*
  • Drinking Water*
  • Financial Market Infrastructure*
  • Banking*
  • Digital Infrastructure*
  • Public Administration Entities (defined by member states)
  • Waste Water
  • ICT Service Management
  • Space

*  These were previously in scope of NIS 1, the final four listed above are new to NIS 2.

Annex 2 covers the following sectors:

  • Post & Courier
  • Food Production, Processing & Distribution
  • Waste Management
  • Digital Providers
  • Manufacturing
  • Chemical Manufacture, Production & Distribution
  • Research

For a deeper dive, read our detailed blog on the NIS 2 scope featured above.

Does NIS 2 apply to UK Companies?

Essential or Important Entities established in an EU member state will be within the scope NIS 2. UK organisations not established in the EU will not be in scope unless they provide services within the EU which are deemed to be essential by a member state or do so as a provider of:

  • DNS services
  • TLD or domain name registration services
  • Cloud computing
  • Data centre services
  • CDN services
  • Manage services, including managed security services
  • Online marketplaces
  • Online search engines
  • Social networking service platforms

If you are not directly in scope of NIS 2 you may still fall within its requirements indirectly if you are a supplier to an organisation in scope. As such, you may still need to take steps to comply with the minimum measures to meet your own’s customers contractual expectations.

For a deeper dive, read our detailed blog on the NIS 2 scope featured above.

How long does it take to get NIS 2 compliant?

Depending on your currents security practices and their maturity, you should plan for at least 12 months to be fully prepared and potentially longer. Essential entities working with Operational Technology (OT) and IT in complex environments should plan for multi year improvement projects based on the supervisory guidance provided by the NIS 2 competent authorities.

You should plan and start the scoping and assessment stages of your NIS 2 compliance now and use this work as the basis for seeking executive support, resourcing and budget for your improvement plans.

We are ISO 27001 certified. Will that make us compliant?

Being ISO 27001 certified will not automatically make your organisation compliant with NIS 2 but a certified ISMS should provide strong foundations upon which to build your compliance programme (depending on the scope and quality of your ISMS).