EU NIS2 DIRECTIVE · IN FORCE OCTOBER 2024

EU NIS2 Directive
Network & Information Security

The EU NIS2 Directive (Network and Information Security Directive 2) entered into force in October 2024, replacing NIS1 and dramatically expanding mandatory cybersecurity obligations across 18 critical sectors. Organizations operating in the EU or supplying EU critical infrastructure face significant new requirements - and Canadian organizations in EU supply chains are increasingly affected.

18 - Critical sectors covered, expanded from NIS1's 7
€10M - Or 2% of global revenue, the maximum penalty for "essential entities"
24 hours - Initial notification to the national authority after discovery of a significant incident
72 hours - Detailed incident notification deadline to the competent authority

NIS2 Key Requirements

Risk Management Measures

Mandatory measures include risk-analysis and information-system security policies, incident handling procedures, business continuity measures, supply chain security, network security, access control, and the use of MFA and cryptography.

Incident Reporting - 24/72 Hour

Significant incidents require early warning to the national competent authority within 24 hours of discovery, followed by a detailed notification within 72 hours, and a final report within one month. This aligns with Canada's Bill C-8 72-hour reporting structure.

Supply Chain Security

Organizations must address cybersecurity risks in supply chains and relationships with direct suppliers. This includes requiring appropriate security measures from technology providers and conducting security assessments of critical dependencies.

Governance & Board Accountability

Management bodies must approve cybersecurity risk management measures, are liable for non-compliance, and must undergo security training. Board members can be held personally liable for NIS2 violations - a significant escalation from NIS1.

Essential vs. Important Entities

NIS2 distinguishes between "Essential Entities" (larger operators in high-criticality sectors, subject to full proactive supervision) and "Important Entities" (mid-size operators in other critical sectors, subject to reactive supervision). The penalty regime differs between the two.

Vulnerability Disclosure

NIS2 introduces requirements around vulnerability disclosure and handling - organizations must have processes for receiving and acting on vulnerability reports, aligning with global best practices for responsible disclosure.

Sectors Covered

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking & Financial Market Infrastructure
  • Health (hospitals, labs, pharma)
  • Water Supply & Wastewater
  • Digital Infrastructure (IXPs, DNS, TLD)
  • ICT Service Management
  • Public Administration
  • Space
  • Postal & Courier Services
  • Waste Management
  • Chemical Manufacture
  • Food Production
  • Manufacturing (medical devices, electronics, machinery)
  • Digital Providers (search, cloud, marketplace)
  • Research Organizations

Does NIS2 Apply to Canadian Companies?

NIS2 applies to organizations that provide services within the EU or operate infrastructure in the EU - regardless of where they are headquartered. A Canadian SaaS company providing services to EU hospitals, energy operators, or financial institutions may be a "digital service provider" subject to NIS2. Canadian critical infrastructure operators with EU operations are directly in scope. ThreeShield assesses your NIS2 obligation status as part of a gap assessment.

Three Ways to Achieve NIS2 Compliance

Self-Serve

DIY via Lavawall®

For organizations with internal security teams that need NIS2-aligned continuous monitoring and evidence

  • Lavawall® GRC with NIS2/NIST CSF control mapping
  • 24/72-hour incident detection capability
  • Supply chain risk monitoring
  • Continuous vulnerability management
Start with Lavawall®
Supported (Recommended)

Expert NIS2 gap assessment and remediation roadmap alongside your team

  • NIS2 applicability assessment (essential vs. important)
  • Gap assessment against all NIS2 requirements
  • Incident reporting workflow for 24/72-hour deadlines
  • Supply chain security program
  • Board accountability documentation
Get Supported Engagement
Fully Managed

Done-for-You

Complete NIS2 compliance program for EU operations

  • Full NIS2 compliance program documentation
  • Risk management measures implementation
  • Incident notification workflow with EU authority contacts
  • Annual program review and board reporting
  • ThreeShield Information Security Ltd (UK) engagement for EU/UK coverage
Book Done-for-You

Frequently Asked Questions

Both frameworks impose mandatory cybersecurity programs on critical infrastructure operators with incident reporting obligations and supply chain risk management requirements. NIS2 covers more sectors (18 vs. Canada's 5) and has specific board accountability provisions. The 72-hour detailed notification aligns with C-8's 72-hour CSE reporting. Organizations in multiple jurisdictions can build a unified program that satisfies both - ThreeShield maps the overlap to avoid duplicate effort.

ThreeShield operates in the UK through ThreeShield Information Security Ltd (UK) and can support EU NIS2 compliance engagements through our network of European partners. Canadian organizations with EU operations benefit from ThreeShield's cross-jurisdictional compliance expertise - we map Canadian (Bill C-8, PIPEDA), US (CMMC, HIPAA), and EU (NIS2, GDPR) requirements simultaneously.

Does NIS2 Apply to Your Organization?

ThreeShield's NIS2 applicability assessment determines whether your organization is in scope as an essential or important entity - and what compliance requires. Available for EU operations and Canadian organizations with EU customers.

Book NIS2 Assessment

Also covers EU GDPR · UK Cyber Essentials · ISO 27001 · Bill C-8 CCSPA