{"id":8676,"date":"2026-05-21T11:00:30","date_gmt":"2026-05-21T16:00:30","guid":{"rendered":"https:\/\/bluecatnetworks.com\/?p=982245"},"modified":"2026-05-21T11:00:30","modified_gmt":"2026-05-21T16:00:30","slug":"complying-with-the-nis2-cybersecurity-directive","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/05\/21\/complying-with-the-nis2-cybersecurity-directive\/","title":{"rendered":"Complying with the NIS2 Cybersecurity Directive"},"content":{"rendered":"
Executive Summary<\/h2>\n
As cybersecurity threats and risks evolve, so does the regulatory environment. The second iteration of the European Union\u2019s Network and Information Security Directive, called NIS 2, is an updated cybersecurity regulatory framework set to be transposed into member states\u2019 laws in October 2024.<\/p>\n
Designed to tackle the escalating cybersecurity challenges and vulnerabilities facing its member states, NIS 2 regulations will impact many organizations. The NIS 2 directive outlines the requirements placed upon medium- to large-sized public and private entities that provide critical infrastructure or services vital to the European Union economy and society. Covered entities are divided into two categories, essential and important.<\/p>\n
Compared to its predecessor, the updated NIS 2 directive has stricter requirements for cybersecurity risk management and incident reporting, expands the scope of entities that it covers, and imposes stiffer penalties for non-compliance.<\/p>\n
The NIS 2 directive aims to boost cybersecurity with requirements across four key areas: risk management, corporate governance, incident reporting, and business continuity. To support these four overarching areas, the directive spells out 10 baseline security measures that entities must implement to manage risks. Penalties for non-compliance include non-monetary remedies, administrative fines, and criminal sanctions for management bodies.<\/p>\n
According to the NIS 2 directive, upholding and preserving a reliable, resilient, and secure DNS is crucial to maintaining the integrity of the internet and is essential for its continuous and stable operation. But as networks grow increasingly complex and expand to the cloud, it becomes an even greater challenge to maintain a single source of truth for D N S.<\/p>\n
A consolidated, automated, and streamlined approach to managing the core network services of DNS, DHCP, and IP address management (together known as DDI), particularly when combined with protective solutions and network observability tools, offers a robust answer to meeting the NIS 2 mandate. Together, these solutions address many elements of the directive, including risk management, incident handling, operational security, and reporting obligations.<\/p>\n
Three of BlueCat\u2019s products\u2014Integrity, Edge, and Infrastructure Assurance\u2014offer core capabilities and features that can help enterprises comply with NIS 2 directive requirements. A mapping table provides detailed descriptions of how BlueCat products can help address specific mandates in NIS 2 directive articles.<\/p>\n
Supported by BlueCat\u2019s solutions for unified DDI, protective DNS, and network observability and health, organizations can more easily rise to the mandate to meet NIS 2 requirements.<\/p>\n
Introduction to the NIS 2 directive<\/h2>\n
The Network and Information Security (NIS) Directive was a landmark cybersecurity regulatory framework established in the European Union (EU) in 2016.<\/p>\n
The EU recently introduced a second iteration, Directive (EU) 2022\/2555, known as NIS 2, to tackle the escalating cybersecurity challenges and vulnerabilities facing its member states, particularly those relating to critical infrastructure and services. The NIS 2 entered into force in January 2023, and each member state must transpose this updated directive into national law by October 17, 2024.<\/p>\n
As our reliance on digital systems continues to grow, so does related risk. The risk of exploitation by bad actors and the potential impact on society from critical sector cyberattacks requires heightened security postures. NIS 2 seeks to reinforce and build better foundations for all aspects of network and information security, from coordinated incident response and reporting to fortifying cybersecurity defenses and practices. Our growing interconnectedness also means we must be able to trust and rely on our critical supply chains as they form networks at organizational, national, and regional levels.<\/p>\n
Under the NIS 2 directive, member states are tasked with creating or improving their:<\/p>\n
\n
National cybersecurity frameworks<\/li>\n
Competent authorities<\/li>\n
Crisis management frameworks<\/li>\n
Computer security incident response teams<\/li>\n
Vulnerability databases<\/li>\n
Cooperation<\/li>\n
Risk assessments<\/li>\n
Reporting<\/li>\n
Certification schemes<\/li>\n<\/ul>\n
Compared to its predecessor, the updated NIS 2 directive features stricter requirements for cybersecurity risk management and incident reporting, expands the scope of entities that it covers, and imposes stiffer penalties for non-compliance.<\/p>\n
Does the NIS 2 directive apply to my organization?<\/h2>\n
Much of the NIS 2 directive covers the responsibilities and requirements placed upon medium- to large-sized public and private entities that provide critical infrastructure or services vital to the EU economy and society. NIS 2 significantly expands the list of covered sectors from just seven in the original directive. In NIS 2, covered entities are divided into two categories, essential and important, which are defined by size and type.<\/p>\n
Essential and important entities<\/h3>\n
Under the NIS 2, an essential entity is a large organization that operates in a sector of high criticality (see the list of high criticality sectors below). While it can vary slightly by sector, the NIS 2 generally defines the threshold for a large organization as one with at least 250 employees and an annual turnover of at least \u20ac50 million or an annual balance sheet of at least \u20ac43 million.<\/p>\n
High criticality sectors for essential entities include:<\/p>\n
\n
Energy<\/li>\n
Transport<\/li>\n
Banking and financial market infrastructure<\/li>\n
Health<\/li>\n
Drinking water and wastewater<\/li>\n
Digital infrastructure<\/li>\n
Information and communication technology (ICT) service management (business-to-business managed service providers and managed security service providers)<\/li>\n
Public administration<\/li>\n
Space<\/li>\n<\/ul>\n
Digital infrastructure refers to services that are crucial to network operations. It includes internet exchange point providers, DNS service providers, top-level domain name registries, cloud computing services, data center service providers, content delivery networks, trust services, public electronic communications networks, and publicly available electronic communications services.<\/p>\n
Meanwhile, an important entity is an organization that is at least medium-sized and operates in other critical sectors that don\u2019t fall under the essential category. Again, while the definition can vary slightly by sector, the threshold for medium-sized is having at least 50 employees and an annual turnover of at least \u20ac10 million or a \u20ac10 million balance sheet.<\/p>\n
Other critical sectors for important entities include:<\/p>\n
\n
Postal and courier services<\/li>\n
Waste management<\/li>\n
Manufacture, production, and distribution of chemicals<\/li>\n
Production, processing, and distribution of food<\/li>\n
Manufacturing<\/li>\n
Digital providers (search engines, online marketplaces, and social networks)<\/li>\n
Research<\/li>\n<\/ul>\n
It\u2019s important to note that critical sector organizations that do not meet the minimum size requirements of the \u2018essential\u2019 category are still deemed to be \u2018important\u2019 entities.<\/p>\n\n
\n
\n
\n
\n
\n
\n
Did You Know?<\/h3>\n
Essential entities are subject to additional supervision requirements, such as ad-hoc audits and proactive monitoring, and higher fines for non-compliance. Supervision of important entities is reactive, such as upon evidence of non-compliance.<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/section>\n
NIS 2 essential vs. important entities<\/h3>\n
\n
\n\n
\n
<\/th>\n
Sector<\/th>\n
Headcount<\/th>\n
Annual turnover<\/th>\n
oR<\/th>\n
Balance sheet total<\/th>\n<\/tr>\n<\/thead>\n
\n
\n
Essential entity<\/strong><\/td>\n
Essential entity <\/p>\n
\n
Energy<\/li>\n
Transport<\/li>\n
Banking and financial market infrastructure<\/li>\n
Health<\/li>\n
Drinking water and wastewater<\/li>\n
Digital infrastructure<\/li>\n
ICT service management<\/li>\n
Public administration<\/li>\n
Space<\/li>\n<\/ul>\n<\/td>\n
250 employees<\/td>\n
\u20ac50 million<\/td>\n
<\/td>\n
\u20ac43 million<\/td>\n<\/tr>\n
\n
Important entity<\/strong><\/td>\n
Important entity <\/p>\n
\n
Postal and courier services<\/li>\n
Waste management<\/li>\n
Manufacture, production, and distribution of chemicals<\/li>\n
Production, processing, and distribution of food<\/li>\n
Manufacturing<\/li>\n
Digital providers<\/li>\n
Research<\/li>\n<\/ul>\n
Plus, all sectors that fall under essential but are within the size threshold for important entities.<\/p>\n<\/td>\n
Mandatory applicability regardless of size<\/h3>\n
The NIS 2 has mandatory applicability for certain organizations regardless of their size. This includes:<\/p>\n
\n
Providers of public electronic communications networks or publicly available electronic communications services<\/li>\n
Trust service providers<\/li>\n
Top-level domain name registries and DNS service providers<\/li>\n<\/ul>\n
Applicability is also mandatory for smaller organizations in cases such as if the entity is the sole provider of a service in a member state that is essential for maintaining critical societal or economic activities, or if disruption of the entity\u2019s services would induce systemic risk or have a significant impact on public safety, security, or health. Member states may also deem an entity critical because of its specific importance at the national or regional level.<\/p>\n
Determining jurisdiction<\/h3>\n
Under NIS 2, essential and important entities fall under the jurisdiction of the member state in which they are established. If entities provide services in more than one member state, they fall under the separate and concurrent jurisdiction of each member state.<\/p>\n
However, the NIS 2 also accounts for the somewhat borderless nature of digital entities. Public electronic communications networks or publicly available electronic communications services fall under the jurisdiction of the member state in which they provide their services.<\/p>\n
The entities below fall under the jurisdiction of the EU member state in which they have their main establishment. The NIS 2 defines a main establishment as where decisions related to cybersecurity risk management measures are predominantly made, where cybersecurity operations are carried out, or where the greatest number of EU-based employees are located. This applies to:<\/p>\n
\n
DNS service providers<\/li>\n
Top-level domain name registries<\/li>\n
Entities providing domain name registration services<\/li>\n
Cloud computing service providers<\/li>\n
Data center service providers<\/li>\n
Content delivery networks<\/li>\n
Managed service providers and managed security service providers<\/li>\n
Online marketplaces<\/li>\n
Search engines<\/li>\n
Social networks<\/li>\n<\/ul>\n
Applicability to supply chains<\/h3>\n
An entity\u2019s supply chain and its suppliers, such as providers of data storage and processing services, play an important role in cybersecurity. Numerous times, entities have been the victim of cyberattacks wherein malicious perpetrators compromised the security of an entity\u2019s network and information systems by exploiting vulnerabilities affecting third-party products and services. According to the NIS 2, essential and important entities must assess and consider the overall quality and resilience of products and services they procure, the cybersecurity risk-management measures embedded in them, and the cybersecurity practices of their suppliers and service providers, including their secure development procedures. Entities are encouraged to incorporate cybersecurity risk-management measures into contractual arrangements with their direct suppliers and service providers.<\/p>\n
Finalizing entities that fall under the scope of NIS 2<\/h3>\n
By April 17, 2025, member states must identify the essential and important entities in their state that fall under the scope of NIS 2. Organizations will need to determine if they fall within the scope of NIS 2, identify which member states they provide in-scope services to, and register before the deadline.<\/p>\n\n
\n
\n
\n
\n
\n
\n
Did You Know?<\/h3>\n
In addition to submitting basic organizational details to a member state\u2019s competent authority, registered in-scope entities will also be required to submit their assigned IP address ranges. If entities make any changes, they will have to notify authorities about them within two weeks. How robust is your IP address management tool, and does it include all the IP address ranges you route or administer?<\/p>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/section>\n
It is important that your organization carefully reviews the language of the NIS 2 directive to understand specific criteria and thresholds and determine if you fall within its scope.<\/p>\n
Figure 1. NIS 2 timeline for key dates<\/strong><\/p>\n
Key requirements and impacts of the NIS 2 directive<\/h2>\n
The NIS 2 directive aims to boost cybersecurity with requirements across four key areas: risk management, corporate governance, incident reporting, and business continuity.<\/p>\n
Four areas of focus to boost cybersecurity<\/h3>\n
Risk management<\/h3>\n
Organizations are required to implement comprehensive risk management strategies to minimize cyber threats. They must conduct regular risk assessments, establish security policies, and implement measures to protect the integrity, confidentiality, and availability of their systems. Entities are also obligated to monitor and document their security practices on an ongoing basis, ensuring they can quickly identify and address emerging threats.<\/p>\n
Corporate governance<\/h3>\n
Management bodies are responsible for overseeing and approving their respective entities\u2019 protocols for cybersecurity risk management. They must also ensure they are implemented effectively. Management bodies are also required to undergo cybersecurity training and should offer similar training to their employees.<\/p>\n
Incident reporting<\/h3>\n
Covered entities must report significant incidents to relevant authorities promptly, providing detailed information about the nature of the incident and the mitigation measures taken. Entities must provide initial notification no later than 24 hours after learning of a cyber incident, a full report no later than 72 hours after, and a final report one month later.<\/p>\n
Business continuity<\/h3>\n
Entities are required to create a strategy that details how they will respond to and recover from incidents, with a goal of minimizing disruptions and ensuring business continuity following an attack.<\/p>\n
Baseline security measures that entities must implement<\/h2>\n
To support these four overarching areas, the directive spells out 10 baseline security measures that organizations must implement to manage risks. They include:<\/p>\n
\n
Policies on risk analysis and information system security<\/li>\n
Incident handling<\/li>\n
Business continuity, such as backup management and disaster recovery, and crisis management<\/li>\n
Supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers<\/li>\n
Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure<\/li>\n
Policies and procedures to assess the effectiveness of cybersecurity risk-management measures<\/li>\n
Basic cyber hygiene practices and cybersecurity training<\/li>\n
Policies and procedures regarding the use of cryptography and, where appropriate, encryption<\/li>\n
Human resources security, access control policies, and asset management<\/li>\n
The use of multi-factor authentication or continuous authentication solutions; secured voice, video, and text communications; and secured emergency communication systems within the entity, where appropriate<\/li>\n<\/ol>\n
Sanctions for non-compliance<\/h2>\n
The NIS 2 directive has much harsher penalties for non-compliance than its previous iteration, including non-monetary remedies, administrative fines, and criminal sanctions for management bodies.<\/p>\n
Non-monetary remedies<\/h3>\n
The NIS 2 gives member states\u2019 supervisory authorities the power to levy non-monetary remedies against non-compliant entities, including compliance orders, binding instructions, security audit implementation orders, and threat notification orders to entities\u2019 customers.<\/p>\n
Administrative fines<\/h3>\n
Fines can vary by member state, but the NIS 2 directive sets maximum fine levels for essential and important entities.<\/p>\n
Fines for essential entities vs. important entities<\/h3>\n
\n
\n\n
\n
Fines for essential entities<\/th>\n
Fines for important entities<\/th>\n<\/tr>\n<\/thead>\n
\n
\n
A maximum fine of up to \u20ac10,000,000<\/strong> or 2% of global annual revenue<\/strong>, whichever is higher.<\/td>\n
A maximum fine of up to \u20ac7,000,000<\/strong> or 1.4% of global annual revenue<\/strong>, whichever is higher.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n
Criminal sanctions for management bodies<\/h3>\n
To reduce the pressure on IT and security teams, the NIS 2 directive includes measures that can hold top management personally liable if gross negligence is proven after a cybersecurity incident. Supervisory authorities can order organizations to publicly disclose violations or make public statements identifying the person(s) responsible for the incident. If the organization is an essential entity, an authority can temporarily ban executives from holding management positions.<\/p>\n
DNS: A core element of a secure network under NIS 2<\/h2>\n
The Domain Name System (DNS) is a hierarchical naming system that allows communication across devices on a network. Most commonly, it translates human-readable domain names (like bluecatnetworks.com) to computer-friendly Internet Protocol (IP) addresses (like 104.239.197.100). Essentially, it allows us to connect to websites without having to memorize a string of numbers. With DNS, all we need to know when we open web browsers are websites\u2019 names.<\/p>\n
According to the NIS 2 directive, \u201cUpholding and preserving a reliable, resilient and secure domain name system (DNS) are key factors in maintaining the integrity of the internet and are essential for its continuous and stable operation, on which the digital economy and society depend.\u201d<\/p>\n
DNS was built first and foremost to correctly and efficiently respond to queries, not question their intent. As a result, DNS has inherent limitations and potential to be used as a vector for cyberattacks. In a DNS attack, a bad actor either tries to compromise the infrastructure that provides DNS services or takes advantage of its inherently open attributes to conduct a broader attack. A well-orchestrated DNS attack against an unprotected network can bring an organization to its knees.<\/p>\n
As networks grow increasingly complex and expand to hybrid and multicloud environments, it becomes an even greater challenge to maintain a single source of truth for DNS.<\/p>\n
A consolidated, automated, and streamlined approach to managing DNS, dynamic host configuration protocol (DHCP), and IP address management (together known as DDI), particularly when combined with protective DNS and network observability tools, offer a robust answer to meeting the NIS 2\u2019s mandate.<\/p>\n
<\/figure>\n
Figure 2. DNS, DHCP, and IP address management are at the heart of the digital enterprise<\/strong><\/p>\n
Unified DDI<\/h3>\n
Unified DDI solutions integrate DNS, DHCP, and IP address management (IPAM) functionalities into a single platform, providing centralized visibility and control of IP resources and core network services. Unified DDI supports NIS 2 requirements by offering:<\/p>\n
\n
Improved network visibility: A centralized and unified view of your DDI data provides comprehensive visibility into network assets, their configurations, and their interactions. This is essential for identifying vulnerabilities and ensuring robust network security.<\/li>\n
Automated network management: Automation reduces the risk of human error and enhances the efficiency of managing namespaces, IP addresses, and related services, ensuring that configurations are consistent and secure.<\/li>\n
Compliance and auditing: Unified DDI platforms often come with auditing and logging capabilities, which help organizations maintain detailed records of network configurations and changes. This facilitates compliance with NIS 2 requirements for documentation, reporting, and accountability.<\/li>\n<\/ul>\n
Protective DNS solutions<\/h3>\n
Protective DNS solutions enhance network security by monitoring and filtering DNS traffic to block malicious queries and prevent access to harmful sites or attackers\u2019 command-and-control channels. When considering NIS 2 requirements, protective DNS solutions help with:<\/p>\n
\n
Threat detection and mitigation: DNS security solutions often offer what is known as protective DNS: a service that analyzes DNS queries and mitigates or blocks connections to malicious domains. By blocking access to known malicious domains and records, protective DNS helps with early detection and prevention of cyber threats, reducing the risk of security incidents.<\/li>\n
Incident response: Protective DNS solutions provide deep visibility into DNS traffic, enabling quicker identification of\u2014and incident response to\u2014anomalies and potential threats.<\/li>\n
Compliance and reporting: Logging and monitoring DNS queries and responses helps with maintaining records required for compliance with NIS 2 and facilitates reporting to regulatory authorities.<\/li>\n<\/ul>\n
Network observability and health<\/h3>\n
Network observability and health solutions focus on ensuring that your network infrastructure is secure, reliable, and resilient. Network observability and health capabilities that can help meet NIS 2 requirements include:<\/p>\n
\n
Continuous monitoring and assessment: These tools continuously monitor the network for vulnerabilities and compliance with security policies, helping to identify and remediate issues before they can be exploited.<\/li>\n
Resilience and redundancy: Network observability and health solutions help you design and maintain a resilient network infrastructure with adequate redundancy, ensuring that critical services remain available even during incidents or outages.<\/li>\n
Incident response and recovery: These solutions provide tools and processes for effective incident response and recovery, ensuring that organizations can quickly restore normal operations after an operational or security incident.<\/li>\n<\/ul>\n
Together, these types of solutions and capabilities address many elements of the NIS 2 directive. They provide actionable and demonstrable utility for:<\/p>\n
\n
Risk management: Unified DDI, protective DNS, and network observability and health solutions help identify and mitigate risks through enhanced visibility, threat detection, and automated prevention.<\/li>\n
Incident handling: These solutions provide tools for quick detection, response, and reporting of cybersecurity incidents, aiding in effective incident handling and reducing the mean time to recovery.<\/li>\n
Operational security: By automating and centralizing network management, these solutions ensure consistent, fresh, and secure configurations, reducing vulnerabilities and enhancing operational security.<\/li>\n
Reporting obligations: The logging and auditing capabilities of these solutions help meet reporting obligations under NIS 2, ensuring that organizations can provide the necessary information to authorities when required.<\/li>\n<\/ul>\n
BlueCat products that help meet the NIS 2 directive<\/h2>\n
Three of BlueCat\u2019s products\u2014Integrity, Edge, and Infrastructure Assurance\u2014offer core capabilities and features that can help enterprises comply with NIS 2 requirements.<\/p>\n
![](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/complying-with-the-nis2-cybersecurity-directive.png?resize=640%2C277&ssl=1\")
<\/figure>\n![](\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/05\/complying-with-the-nis2-cybersecurity-directive-1.png?resize=640%2C259&ssl=1\")
<\/figure>\n