# Introduction
**Purpose and scope**
The [NIS 2 Directive](https://eur-lex.europa.eu/eli/dir/2022/2555/oj#ntr21-L_2022333EN.01014301-E0021) expands the scope of [[Cybersecurity]] risk management and reporting requirements for critical sectors. The directive is part of the EU's Cybersecurity Strategy.
**Who will be affected?**
NIS 2 applies to entities, including companies and their suppliers, that provide services deemed essential or important to the European economy and society, subject to the size and sector criteria set out in the Directive.
For example, organizations in the health sector, including medical device manufacturers, must determine whether they fall under NIS 2 based on factors such as their size, services provided in the EU, and sector classification. They may be classified as "important" or "essential" entities, each subject to different requirements and levels of supervision.
**Legislative status**
The NIS 2 Directive came into effect on January 16, 2023, replacing the 2016 NIS Directive (NIS 1). Member States were required to transpose it by October 17, 2024, with implementation starting on October 18, 2024. However, in countries like the Netherlands, this deadline has not been met, and completion is not expected until the third quarter of 2025.
## The health sector
Because a successful cyberattack on the health sector can have fatal real-world consequences, health is listed in Annex I of NIS 2 as a sector of high criticality. Large entities in this sector are classified as essential entities and fall under the Directive's strictest supervisory regime. In the context of medical devices and healthcare, NIS 2 covers an expanded list of entities, such as EU reference laboratories, manufacturers of basic pharmaceutical products, manufacturers of medical devices considered critical during a public health emergency, and organizations carrying out research and development of medicinal products.
Key changes introduced by NIS 2 in the healthcare and related sectors include:
1. Broadened Scope: NIS 2 brings many new sectors and entity types under its obligations; in health, this includes medical device and pharmaceutical manufacturers that NIS 1 did not cover.
2. Direct Obligations: NIS 2 imposes direct cybersecurity obligations on management bodies, with significant penalties for non-compliance.
3. Cybersecurity Risk Management: All covered organizations must implement appropriate and proportionate cybersecurity risk management measures.
4. Supply Chain Security: NIS 2 emphasizes the importance of security in supply chains and supplier relationships.
5. Incident Reporting: The directive clarifies and strengthens incident reporting requirements.
6. Supervision and Sanctions: Supervisory authorities have increased powers to oversee companies, and there are higher sanctions for non-compliance.
### Other subjects
The cybersecurity risk management measures required by Article 21 of the Directive include risk analysis and information system security policies, incident handling, business continuity (including backup and disaster recovery) and crisis management, supply chain security, security in the acquisition, development and maintenance of systems (including vulnerability handling and disclosure), procedures to assess the effectiveness of the measures, basic cyber hygiene practices and cybersecurity training, policies on the use of cryptography and encryption, human resources security, access control and asset management, and the use of multi-factor authentication and secured communications where appropriate.
Incident reporting obligations have been streamlined under NIS 2. Organizations must report significant incidents in stages: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month (with intermediate reports on request of the competent authority).
Supervision and enforcement mechanisms differ for essential and important entities: essential entities are subject to both proactive (ex ante) and reactive (ex post) supervision, while important entities are supervised only ex post. Both can face audits, binding instructions, and administrative fines for non-compliance, with maximum fines of at least EUR 10 million or 2% of total worldwide annual turnover for essential entities and at least EUR 7 million or 1.4% of turnover for important entities, whichever is higher.
### Call to action
Management bodies of these entities are required to approve and oversee the implementation of cybersecurity risk management measures. Failure to comply can result in personal liability for management.
Organizations in the health sector must assess their compliance with NIS 2 requirements, conduct gap analyses, budget for necessary changes, review supply chains, and train staff in cybersecurity awareness.