
What is the difference between NIS and NIS2?

The NIS2 directive is not simply an update of the original NIS. Whereas the first directive was primarily about network and information security within a limited group of organizations, NIS2 takes a more fundamental approach: more companies are covered, the requirements have been tightened and the responsibility of administrators has increased. But what does that mean specifically for your organization? And how do you properly prepare for NIS2 compliance?

This article was last updated on January 7, 2026.

What was the NIS?

The NIS (Network and Information Systems Directive) was introduced in 2016 to strengthen digital resilience within Europe. The aim was to ensure that vital sectors properly secure their IT systems against cyber threats. At the time, the directive mainly applied to a small group of organizations, such as energy companies, telecom providers, and water boards. For many other sectors, the NIS had little direct impact.

In practice, this approach proved to be too limited. Cyberattacks affected not only critical infrastructures, but also municipalities, healthcare institutions, suppliers, and SMEs. That is why a revision was introduced: NIS2.


What will change with NIS2?

The NIS2 directive greatly expands the obligations. Not only vital organizations, but also essential and important entities must demonstrate that they have their information security in order. The main differences at a glance:

| Section | NIS | NIS2 |
| --- | --- | --- |
| Application | Vital sectors (e.g., energy, transportation, telecom) | Broader: also healthcare, government, ICT, financial services and more |
| Responsibility | Mainly operational | Directors are also given explicit responsibility |
| Sanctions | National enforcement, less concrete penalty rules | Stricter enforcement and clear penalties |
| Supplier chain | Limited attention to the chain | Chain and suppliers are explicitly covered by the requirements |
| Security measures | General obligations for security | More concrete requirements for risk management, incident response and governance |
| Reporting requirement | Reporting of major incidents | Stricter reporting requirements with short deadlines (e.g., within 24 hours for significant incidents) |

NIS2 and ISO 27001: how do they compare?

NIS2 and ISO 27001 have many similarities. ISO 27001 provides a structured framework (ISMS) for implementing and safeguarding the security measures of NIS2. With a well-designed ISMS, you already comply with a large part of the NIS2 obligations. It is not a one-to-one replacement, but it helps your organization to demonstrably comply with the requirements for risk management, documentation, and periodic evaluations.

Many organizations therefore use ISO 27001 as the basis for their NIS2 implementation. From that basis, you can add the specific requirements from the directive—for example, on governance and chain management—in a targeted manner.


What does NIS2 mean for your organization?

Chances are your organization is covered by NIS2, even if it wasn't under the old NIS. Consider:

  • Municipalities and government organizations
  • ICT service providers
  • Healthcare institutions (in addition to NEN 7510)
  • Providers of vital or essential services
  • SMEs that are part of a chain

Technical security matters here, but so do policy, risk management and awareness within the organization. Administrators are also given an explicit responsibility: they must be able to demonstrate that they have taken measures and that they know the risks.


Where do you start with NIS2?

The first step is insight. With a free NIS2 check, you will gain clarity on where your organization currently stands and what steps are still needed to achieve compliance. From there, we guide organizations through NIS2 implementation, conducting internal audits, and setting up processes that comply with the directive.

Want to take it a step further? The NIS2 Supply Chain certificate (NIS2 SC) is a valuable quality mark that allows suppliers to demonstrate that they meet the requirements that NIS2 organizations impose on their partners.

Demonstrated NIS2 compliance

The transition from NIS to NIS2 requires more than just technical measures. It is about demonstrable responsibility, risk management and cooperation throughout the chain. By starting now with a baseline measurement or NIS2 check, you avoid having to act under time pressure later. And with the right guidance you can ensure that your organization is not only compliant, but also works in a truly safer way.


Schedule a free, no-obligation 45-minute consultation or start immediately with the free NIS2 check to discover where your organization stands.

Kilian Houthuijzen
Commercial manager & partner