NIS2 - What is it and how can Office-IT help you?
The European Commission has taken an important step to strengthen digital security across Europe with the NIS2 Directive. But what does this mean for your company?
In this article, we explain what the NIS2 Directive entails, which sectors it applies to, what measures you need to take, and how Office-IT can support you.
Want to know more about how Office-IT can help you with NIS2 compliance?
Contact us today for a free consultation. Our experts are ready to help you safeguard your business continuity.
What is NIS2?
The NIS2 Directive is the successor to NIS1 and updates the European legal framework for cybersecurity.
With this directive, the European Commission wants to ensure that companies in critical sectors see cybersecurity as an essential part of their operations. The goal is to better protect important societal and economic activities within the European Union from cybersecurity risks.
Which companies does NIS2 apply to?
To determine whether NIS2 applies to your company, both the type of activity and the size of your business must be assessed.
Company activity
All services falling under NIS2 are listed in Annexes I and II:
- Annex I: highly critical sectors
- Annex II: critical sectors
Company size
NIS2 only applies to medium and large enterprises, as defined in the Annex to Recommendation 2003/361/EC.
A medium-sized company has more than 50 employees, or fewer employees but a turnover or balance sheet total exceeding €10 million. A large company has more than 250 employees, or fewer employees but a turnover over €50 million and a balance sheet total over €43 million.
Certain companies always fall under NIS2 regardless of size, such as:
- Trust service providers (essential)
- Non-qualified trust service providers (important for micro, small or medium-sized enterprises and essential for large enterprises)
- DNS providers (essential)
- TLD name registration (essential)
- Domain registries (registration obligation only)
- Public electronic communication providers (essential)
- Critical infrastructure operators (essential)
- Entities designated as operators of critical infrastructure under the Law of 1 July 2011 on the security and protection of critical infrastructure (essential)
- Public authorities dependent on the Federal State (essential)
Essential vs important
If we combine both criteria, activity and size, we can determine whether an organization is classified as “important” or “essential.” This distinction mainly relates to how strictly organizations are monitored and sanctioned (see below).
Large enterprises providing services listed in Annex I are classified as “Essential.”
All other enterprises are considered “Important.”
NIS2 obligations
Registration
Companies must register with the Centre for Cybersecurity Belgium (CCB).
Cybersecurity measures
Businesses must implement security measures adapted to their situation, such as:
- Awareness: training, phishing simulations, cyber drills.
- Risk analysis: identify threats to processes, products, and data.
- Data protection: encryption, access control, data minimization.
- Incident management: clear procedures to detect and respond to attacks.
- System security: MFA, endpoint security, monitoring.
- Business continuity: crisis management and disaster recovery planning. This includes, among other things, backup management and ensuring the continuity of your services in the event of an incident.
Incident reporting
Significant incidents must be reported to the CCB.
Management responsibility
Boards are liable if obligations are not met. They must approve measures, oversee implementation, and follow cybersecurity training.
Supervision and sanctions
Essential entities undergo both proactive and reactive inspections; important entities undergo reactive inspections only.
Non-compliance can lead to warnings, fines, or other administrative measures.
How can Office-IT help you?
NIS2 introduces complex requirements, but Office-IT is here to guide you through every step — from assessment to implementation.
- Analysis: we perform a detailed review of your current IT environment using a NIS2 checklist to identify potential risks.
- Advice: based on the results, we recommend concrete improvements for your IT security and compliance. This advice is tailored to your company.
- Implementation: we deploy the necessary solutions (such as MFA, endpoint security, backup management, monitoring of your IT infrastructure and awareness training with Phished) and ensure your infrastructure meets NIS2 standards.
Why act now?
NIS2 is mandatory for many businesses. Acting today ensures compliance, avoids sanctions, and protects your company against cyberthreats.
Even if your company doesn’t fall directly under NIS2, you may still feel its impact. Suppliers of NIS2 companies will be required to meet nearly the same standards. NIS2 will soon become the norm for cybersecurity across European enterprises.
Looking for an IT partner for your SME?
Let us know what could be improved within your organisation. Whether you are a small or a large company, we will be pleased to work with you to examine the most suitable solutions, and are able to offer standard plans as well as custom-made options. The choice is yours.
“To be honest, we didn’t look at other systems because we trusted Office-IT’s advice. When they presented a security solution, we quickly went along with it.”
Garden Trade International