
Network and Information Security 2 (NIS2)

The Network and Information System Directive 2 (NIS2) is a European directive setting out rules and requirements for cybersecurity and ICT systems and networks. It has been in force since the beginning of 2023 as a follow-up to the NIS directive, improving the existing cybersecurity status across the EU via harmonization of security requirements and reporting obligations; introduction of new areas of interest, such as supply chain, vulnerability management, and cyber hygiene; and enhancement of collaboration and knowledge-sharing amongst the EU Member States.

Deloitte NIS2 Maturity Assessment Tool

Croatia adopted national legislation reflecting NIS2. Competent CSIRTs had until 15th February 2025 to notify entities of their categorization as essential or important. Is your entity categorized as essential or important?

Alongside the DORA (Digital Operational Resilience Act) regulation and the CER directive, NIS2 is another European Union legislative instrument aimed at enhancing the digital operational resilience and cybersecurity of all relevant actors operating in the EU.

The final form of NIS2 was published in the Official Journal of the EU on 27 December 2022 in all official languages. Since it is a directive, individual Member States are responsible for its transposition into their laws. Croatia adopted the Cybersecurity Act on 15th February 2024 and the Cybersecurity Regulation on 30th November 2024.

In Slovenia, the draft Information Security Act (ZInfV-1), which will transpose the NIS2 directive into national law, is currently under discussion in the National Assembly. Following the conclusion of these discussions, the act is expected to be adopted and enter into force shortly after its publication, becoming applicable to entities in Slovenia in 2025.

What are your next steps?

It’s crucial to start the compliance journey as soon as possible, keeping in mind that benchmarking, detailed gap analysis, action plan creation and addressing all weaknesses take several months and are resource-intensive.

The new rules formulated in the directive apply to any regulated service providers, not only from the EU but also those operating in the EU. NIS2 applies to public and private entities that qualify at least as medium-size enterprises operating in 18 different sectors as illustrated below.
 

Whether an entity qualifies as a large or a medium-size enterprise is assessed based on the number of employees and annual turnover or total assets, as depicted below.

NIS2 introduces additional rules and obligations for businesses in four key areas: risk management, corporate accountability, business continuity, and reporting.

Entities subject to NIS2 will be required to implement measures to address specific cyber threats and minimize their impact, ensure that the management body oversees, approves, and receives proper training in cybersecurity, establish processes for reporting security incidents with a significant impact on service provision or recipients, and develop comprehensive business continuity plans to prepare for major cyber incidents.

Test your organization

If you are interested in seeing how your organization stands in the context of preparedness for NIS2, take a short pre-assessment test using the simplified version of the NIS2 Maturity Assessment Tool.

Our team of professionals will analyse your response and get back to you with a high-level overview of strengths and weaknesses, indicating your organization's overall level of maturity, with the aim of helping you gain clarity on the NIS2-related gaps and develop tailored strategies to address them.

In case you would like to know more about our NIS2-related services, please do not hesitate to contact us directly, or to visit our content dedicated to our services to foster and preserve a security-conscious culture within your organization.