Information Security

What is the difference between NIS and NIS2?

The NIS2 directive is not simply an update of the original NIS. Whereas the first directive was primarily about network and information security within a limited group of organizations, NIS2 takes a more fundamental approach. More companies are covered, the requirements have been tightened and the responsibility of directors has increased. But what does that mean specifically for your organization? And how do you properly prepare for NIS2 compliance?

This article was last updated on 7/11/2025

What was the NIS?

The NIS (Network and Information Systems Directive) was introduced in 2016 to strengthen digital resilience within Europe. The goal: to ensure that vital sectors properly secure their IT systems against cyber threats. At the time, the directive applied mainly to a small group of organizations, such as energy companies, telecom providers and water boards. For many other sectors, the NIS had little direct impact.


In practice, that approach proved too limited. Cyber attacks affected not only critical infrastructures, but also municipalities, health care institutions, suppliers and SMEs. Therefore, a revision came: NIS2.


What will change with NIS2?

The NIS2 directive greatly expands the obligations. Not only vital organizations, but also essential and important entities must demonstrate that they have their information security in order. The main differences at a glance:

| Section | NIS | NIS2 |
|---|---|---|
| Application | Vital sectors (e.g., energy, transportation, telecom) | Broader: also healthcare, government, ICT, financial services and more |
| Responsibility | Mainly operational | Directors are also given explicit responsibility |
| Sanctions | National enforcement, less concrete penalty rules | Stricter enforcement and clear penalties |
| Supplier chain | Limited attention to the chain | Chain and suppliers are explicitly covered by the requirements |
| Security measures | General obligations for security | More concrete requirements for risk management, incident response and governance |
| Reporting requirement | Reporting major incidents | Stricter reporting requirements with short deadlines (e.g., within 24 hours for significant incidents) |

NIS2 and ISO 27001: how do they compare?

NIS2 and ISO 27001 have many similarities. ISO 27001 provides a structured framework, an information security management system (ISMS), for implementing and safeguarding the security measures NIS2 requires. With a well-designed ISMS you therefore already meet a large part of the NIS2 obligations. It is not a one-to-one replacement, but it helps your organization demonstrably meet the requirements around risk management, documentation and periodic reviews.


Many organizations therefore use ISO 27001 as the basis for their NIS2 implementation. From that base, you can add the specific requirements from the directive, for example on governance and supply chain management, in a targeted way.


What does this mean for your organization?

Chances are your organization is covered by NIS2, even if it wasn't under the old NIS. Consider:


  • Municipalities and government organizations
  • ICT service providers
  • Healthcare institutions (in addition to NEN 7510)
  • Providers of vital or essential services
  • SMEs that are part of a chain


Not only technical security is important here, but also policy, risk management and awareness within the organization. Directors are also given an explicit responsibility: they must be able to demonstrate that they have taken measures and that they understand the risks.


Where do you start?

The first step is insight. With a free NIS2 check you get a clear picture of where your organization is now and what steps are still needed towards compliance. From there, we guide organizations through the NIS2 implementation, performing internal audits and setting up compliant processes.


Want to look further? Then the NIS2 Quality Mark (NIS2 QM) is a valuable seal of approval that allows vendors to demonstrate that they meet the requirements NIS2 organizations set for their partners.


Demonstrated compliance

The transition from NIS to NIS2 requires more than just technical measures. It is about demonstrable responsibility, risk management and cooperation throughout the chain. By starting now with a baseline measurement or NIS2 check, you avoid having to act under time pressure later. And with the right guidance you can ensure that your organization is not only compliant, but also works in a truly safer way.


Schedule a free, no-obligation 45-minute consultation or start immediately with the free NIS2 check to discover where your organization stands.

Kilian Houthuijzen
Commercial manager & partner
085 773 6005