NIS-2: 10 common misconceptions about the regulation

We wrote here about NIS2 and we will continue to add more content about it.

Because we are getting closer to October 17th, many people are getting more and more nervous about NIS2.

Despite its significance, there are numerous misconceptions and misinterpretations circulating about the scope and implications of this regulation.

This article aims to clarify some of the misconceptions,  which I collected mostly from LinkedIn and articles about NIS-2.



“NIS2” and “NIS-2” are exactly the same thing. I am using both in this article only because of SEO.



1. NIS2 starts being applied in the EU starting 17.10.2024

Truth is that the regulation is already applicable in the EU since it was approved. This deadline applies to the individual countries of the EU to convert and apply the NIS2 requirements in local laws.

If national authorities fail to properly implement EU laws, the Commission may launch a formal infringement procedure against the country in question. If the issue is still not settled, the Commission may eventually refer the case to the Court of Justice of the European Union.


2. Limited scope of application

Contrary to the belief that NIS-2 only applies to large tech companies, the directive significantly broadens its scope compared to its predecessor, NIS.

NIS-2 extends beyond just critical infrastructure sectors like energy and transport, encompassing a wide array of sectors such as digital services, public administration, and healthcare.

It mandates a security and incident reporting framework that applies to both Essential and Important Entities, significantly expanding the list of sectors and services affected.

3. NIS-2 Is Just About Cybersecurity

While cybersecurity is a core component, NIS-2 is not merely about preventing cyberattacks. The directive emphasizes a comprehensive approach to security, which includes resilience against a wide range of threats.

This includes but it is not limited to:

  • supply chain security,
  • incident response, and
  • crisis management.

It establishes a baseline for security measures and incident notifications that entities must adhere to, ensuring a uniform level of security across member states.

4. NIS-2 compliance is the same across all EU countries

Although NIS-2 sets a framework for cybersecurity across the EU, member states have some flexibility in implementation. This means that there can be variations in how directives are enforced from one country to another, depending on local laws and regulations.

Companies operating across multiple jurisdictions need to be aware of and comply with local variations to ensure full compliance.

5. Heavy penalties are the main compliance driver

While it is true that NIS-2 can impose hefty fines for non-compliance, focusing solely on penalties misses the broader objective of the directive.

NIS-2 is designed to cultivate a culture of security and resilience. It encourages entities to proactively manage their cybersecurity risks and to collaborate with national authorities.

This cooperative approach is fundamental to enhancing the overall cybersecurity posture of the EU.

6. NIS-2 does not affect third-party suppliers

NIS-2 places explicit requirements on the security practices of third-party suppliers. Entities covered under the directive are required to ensure that their supply chains are secure.

This includes mandatory risk assessments and incident reporting requirements that extend to service providers, reflecting an understanding that security is only as strong as the weakest link in the supply chain.


7. NIS-2 contains rules for AI, IoT, Industry 4.0.

NIS-2 sets a framework for cybersecurity and it does not address anything in particular. However, the rules described can be very well applied to companies in the fields like those mentioned that fall under the regulation applicability.

The companies active in Digital Infrastructure Services (Internet Nodes, DNS Service Providers, TLD Registries, Cloud Providers, Data Centers, Content Delivery Networks, Trust Services, Communication Networks, Communication Services ) and in

ICT Service Management (B2B only) (Managed Services (IT, Networks/Infrastructure, Applications), Managed Security Services (Risk and Cyber Security) ) are potentially directly affected by the regulation. However, there are clear criteria about which companies are affected.


8. Any company with activity in the domains marked as Important and Essential is affected by NIS-2

Although the domains are under the NIS-2 regulation, a company is affected if it meets the criteria:

  • Essential Entities (EE):
    • at least 250 employees and
    • 50 Mil € revenue
  • Important Entities (IE):
    • at least 50 employees and
    • 10 Mil € revenue

If a company doesn’t have these characteristics, then, in general, it is not affected by the regulation directly. It is highly recommended that even in such cases the companies follow the regulation’s requirements, since it will increase their resilience against cyber attacks.

However, an entity may still be considered “essential” or “important” even if it does not meet the size criteria, in specific cases such as when it is the sole provider of a critical service for societal or economic activity in a Member State.


9. All affected companies must certify for NIS-2

A the time of writing this post there is no certification for NIS-2. This might change in the future, especially when because we don’t know at this time how the regulation will be implemented in each of the EU member states.

There are consulting companies that sell consulting services and guarantee that a company will get the “NIS-2  certification” if they bus their services. While buying consulting is in general a good thing, the only thing that can be obtained is help in meeting the requirements of the regulation.

I recommend to stay away from offers that promise things that don’t exist.


10. Companies can buy software/hardware products to become conform with NIS-2

Although conformity is sometimes made easier by using specialized software and hardware products, there is no requirement or recommendation to purchase anything.

Some security providers and consulting companies are offering On The Shelf  (OTS) products that promise immediate conformity with NIS-2 (or guarantee obtaining a “certification” – see point 9 above).

If you look at the series of articles in the NIS2 area of this website, you will see that actually quite a lot of  steps involve an ISMS, a cybersecurity framework, cybersecurity products and so on.

These can be implemented with commercial or open source products, but there is still need to know where and how to install them in order to become conform.

I can very well imagine that there will be soon commercial offerings with sets of templates for implementing the NIS-2 requirements, just like there are with ISO 27001, TISAX and other certifications.

The post NIS-2: 10 common misconceptions about the regulation first appeared on Sorin Mustaca on Cybersecurity.