First option (online training): Distance learning with a Certificate of Completion awarded after successfully passing an online exam.
Become a NIS 2 Directive Trained Professional (NIS2DTP). The program has been designed to provide you with the skills needed to understand and support compliance with the NIS 2 Directive.
It also provides you with the skills needed to pass the NIS 2 Directive Trained Professional (NIS2DTP) exam and to receive the Certificate of Completion, which provides independent evidence to firms and organizations that you have a quantifiable understanding of the subject matter.
You may visit: https://www.nis-2-directive.com/NIS_2_Directive_Trained_Professional_(NIS2DTP).html
Second option: Instructor-Led Training. Possible modules of the tailor-made training program:
Part 1
The European Union (EU). How does the legislative process work?
- Key institutions.
- The European Commission, the most important institution for risk and compliance professionals.
- How does the legislative process work?
- The European System of Financial Supervision (ESFS).
- Legal acts after the Treaty of Lisbon.
- Delegated acts, supplementing or amending certain non-essential elements of a basic act.
- Implementing acts.
- Regulatory technical standards (RTS), Implementing technical standards (ITS).
- The European Data Protection Supervisor and the European Data Protection Board.
- The Committee of European Auditing Oversight Bodies (CEAOB).
- The European External Action Service.
- The Common Foreign and Security Policy (CFSP).
- The Common Security and Defence Policy (CSDP).
- The European Network and Information Security Agency (ENISA).
- The European Multidisciplinary Platform Against Criminal Threats (EMPACT).
- The European framework for Threat Intelligence-based Ethical Red Teaming (TIBER-EU).
- The Euro Cyber Resilience Board for pan-European Financial Infrastructures (ECRB).
- The Cyber Information and Intelligence Sharing Initiative (CIISI-EU).
- The High-Level Expert Group on Artificial Intelligence (AI HLEG).
Part 2
“An Open, Safe and Secure Cyberspace”, the EU's vision on how to prevent cyber disruptions and attacks, and respond to them.
- 1. Achieving cyber resilience.
- 2. Drastically reducing cybercrime.
- 3. Developing cyber defence policy and capabilities related to the Common Security and Defence Policy (CSDP).
- 4. Developing the industrial and technological resources for cyber-security.
- 5. Establishing an international cyberspace policy for the European Union and promoting EU core values.
The NIS Directive (EU 2016/1148), the first piece of EU-wide cybersecurity legislation.
- 1. National capabilities.
- 2. Cross-border collaboration.
- 3. National supervision of critical sectors.
- The NIS Cooperation Group.
- The NIS Directive, important parts.
- Transposition of the NIS Directive.
Part 3
Introduction to the NIS 2 Directive.
- The “lex specialis derogat legi generali” (special law repeals general laws) doctrine, accepted by the EU and international law.
- NIS 2 as lex generalis, a general law.
- NIS 2 is a legal obligation only when there is no special law for a sector.
- NIS 2 and Regulation (EU) 2022/2554 (the Digital Operational Resilience Act - DORA).
- NIS 2 and Directive (EU) 2022/2557 (the Critical Entities Resilience Directive - CER).
- NIS 2 and Directive 95/46/EC (General Data Protection Regulation - GDPR).
- Before discussing Article 1 of the NIS 2 Directive.
- NACE Rev. 2.
- Annex I, Sectors of High Criticality.
- Annex II, Other Critical Sectors.
The Articles of the NIS 2 Directive
CHAPTER I, GENERAL PROVISIONS.
- Subject matter.
- Scope.
- Essential and important entities.
- Sector-specific Union legal acts.
- Minimum harmonisation.
- Definitions.
CHAPTER II, COORDINATED CYBERSECURITY FRAMEWORKS.
- National cybersecurity strategy.
- Competent authorities and single points of contact.
- National cyber crisis management frameworks.
- Computer security incident response teams (CSIRTs).
- Requirements, technical capabilities and tasks of CSIRTs.
- Coordinated vulnerability disclosure and a European vulnerability database.
- Cooperation at national level.
CHAPTER III, COOPERATION AT UNION AND INTERNATIONAL LEVEL.
- Cooperation Group.
- CSIRTs network.
- European cyber crisis liaison organisation network (EU-CyCLONe).
- International cooperation.
- Report on the state of cybersecurity in the Union.
- Peer reviews.
CHAPTER IV, CYBERSECURITY RISK-MANAGEMENT MEASURES AND REPORTING OBLIGATIONS.
- Governance.
- Cybersecurity risk-management measures.
- Union level coordinated security risk assessments of critical supply chains.
- Reporting obligations.
- Use of European cybersecurity certification schemes.
- Standardisation.
CHAPTER V, JURISDICTION AND REGISTRATION.
- Jurisdiction and territoriality.
- Registry of entities.
- Database of domain name registration data.
CHAPTER VI, INFORMATION SHARING.
- Cybersecurity information-sharing arrangements.
- Voluntary notification of relevant information.
CHAPTER VII, SUPERVISION AND ENFORCEMENT.
- General aspects concerning supervision and enforcement.
- Supervisory and enforcement measures in relation to essential entities.
- Supervisory and enforcement measures in relation to important entities.
- General conditions for imposing administrative fines on essential and important entities.
- Infringements entailing a personal data breach.
- Penalties.
- Mutual assistance.
CHAPTER VIII, DELEGATED AND IMPLEMENTING ACTS.
- Exercise of the delegation.
- Committee procedure.
CHAPTER IX, FINAL PROVISIONS.
- Review.
- Transposition.
- Amendments.
- Repeal.
- Entry into force.
The NIS 2 Directive for non-EU entities.
- Does NIS 2 apply to companies not established in the EU?
- Article 6 and Article 26 (Jurisdiction and territoriality).
- Preamble 116, Preamble 133.
Other new EU Directives and Regulations.
- The Digital Operational Resilience Act (DORA).
- The Artificial Intelligence Act.
- The Critical Entities Resilience Directive (CER).
- The European Data Act.
- The European Data Governance Act (DGA).
- The European Cyber Resilience Act (CRA).
- The Digital Services Act (DSA).
- The Digital Markets Act (DMA).
- The European Chips Act.
- The Artificial Intelligence Liability Directive.
- The Framework for Artificial Intelligence Cybersecurity Practices (FAICP).
- The EU Cyber Solidarity Act.
- The Digital Networks Act (DNA).
- The European ePrivacy Regulation.
- The European Digital Identity Regulation.
- The European Media Freedom Act (EMFA).
- The Corporate Sustainability Due Diligence Directive (CSDDD).
- The Systemic Cyber Incident Coordination Framework (EU-SCICF).
- The European Health Data Space (EHDS).
- The European Financial Data Space (EFDS).
- The Financial Data Access (FiDA) Regulation.
- The Payment Services Directive 3 (PSD3), Payment Services Regulation (PSR).
- Internal Market Emergency and Resilience Act (IMERA).
- The European Space Law (EUSL).
NIS 2, DORA, or both?
- The Commission's Guidelines about the relationship between the NIS 2 Directive and the Digital Operational Resilience Act (DORA), from 18 September 2023.
Instructor.
Our instructors are professionals with extensive, real-world experience in their respective fields. They are equipped to deliver full-time, part-time, or short-form programs, all customized to suit your specific requirements. Beyond teaching, our instructors provide hands-on guidance, offering real-world insights that help bridge the gap between theory and practice. You will always be informed ahead of time about the instructor leading your program.
Terms and conditions.
You may visit: https://www.cyber-risk-gmbh.com/Terms.html
Who must comply with the NIS 2 directive?
According to Article 2 (Scope) of the NIS 2 Directive, NIS 2 applies to:
1: Public or private entities of a type referred to in Annex I or II (follows) which qualify as medium-sized enterprises, or exceed the ceilings for medium-sized enterprises, and which provide their services or carry out their activities within the European Union.
A microenterprise is defined as an enterprise which employs fewer than 10 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 2 million. NIS 2 does not apply there.
A small enterprise is defined as an enterprise which employs fewer than 50 persons and whose annual turnover and/or annual balance sheet total does not exceed EUR 10 million. NIS 2 does not apply there either.
A medium-sized enterprise is defined as an enterprise which employs between 50 and 250 persons and which has an annual turnover between EUR 10 million and EUR 50 million, and/or an annual balance sheet total not exceeding EUR 43 million. NIS 2 applies there.
In ANNEX I we have:
1. Energy.
a. Electricity.
— Electricity undertakings.
— Distribution system operators.
— Transmission system operators.
— Producers.
— Nominated electricity market operators.
— Market participants.
b. District heating and cooling.
— Operators of district heating or district cooling.
c. Oil.
— Operators of oil transmission pipelines.
— Operators of oil production, refining and treatment facilities, storage and transmission.
— Central stockholding entities.
d. Gas.
— Supply undertakings.
— Distribution system operators.
— Transmission system operators.
— Storage system operators.
— LNG system operators.
— Natural gas undertakings.
— Operators of natural gas refining and treatment facilities.
e. Hydrogen.
— Operators of hydrogen production, storage and transmission.
2. Transport.
a. Air.
— Air carriers used for commercial purposes.
— Airport managing bodies, airports, including the core airports and entities operating ancillary installations contained within airports.
— Traffic management control operators providing air traffic control (ATC) services.
b. Rail.
— Infrastructure managers.
— Railway undertakings, including operators of service facilities.
c. Water.
— Inland, sea and coastal passenger and freight water transport companies.
— Managing bodies of ports, including their port facilities, and entities operating works and equipment contained within ports.
— Operators of vessel traffic services (VTS).
d. Road.
— Road authorities responsible for traffic management control, excluding public entities for which traffic management or the operation of intelligent transport systems is a non-essential part of their general activity.
— Operators of Intelligent Transport Systems.
3. Banking.
— Credit institutions.
4. Financial market infrastructures.
— Operators of trading venues.
— Central counterparties (CCPs).
5. Health.
— Healthcare providers.
— EU reference laboratories.
— Entities carrying out research and development activities of medicinal products.
— Entities manufacturing basic pharmaceutical products and pharmaceutical preparations.
— Entities manufacturing medical devices considered to be critical during a public health emergency (public health emergency critical devices list).
6. Drinking water.
— Suppliers and distributors of water intended for human consumption, excluding distributors for which distribution of water for human consumption is a non-essential part of their general activity of distributing other commodities and goods.
7. Waste water.
— Undertakings collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water, excluding undertakings for which collecting, disposing of or treating urban waste water, domestic waste water or industrial waste water is a non-essential part of their general activity.
8. Digital infrastructure.
— Internet Exchange Point providers.
— DNS service providers, excluding operators of root name servers.
— TLD name registries.
— Cloud computing service providers.
— Data centre service providers.
— Content delivery network providers.
— Trust service providers.
— Providers of public electronic communications networks.
— Providers of publicly available electronic communications services.
9. ICT service management (business-to-business).
— Managed service providers.
— Managed security service providers.
10. Public administration.
— Public administration entities of central governments as defined by a Member State in accordance with national law.
— Public administration entities at regional level as defined by a Member State in accordance with national law.
11. Space.
— Operators of ground-based infrastructure, owned, managed and operated by Member States or by private parties, that support the provision of space-based services, excluding providers of public electronic communications networks.
ANNEX II
1. Postal and courier services.
2. Waste management.
— Undertakings carrying out waste management, excluding undertakings for whom waste management is not their principal economic activity.
3. Manufacture, production and distribution of chemicals.
— Undertakings carrying out the manufacture of substances and the distribution of substances or mixtures, and undertakings carrying out the production of articles.
4. Production, processing and distribution of food.
— Food businesses which are engaged in wholesale distribution and industrial production and processing.
5. Manufacturing.
(a) Manufacture of medical devices and in vitro diagnostic medical devices.
— Entities manufacturing medical devices, and entities manufacturing in vitro diagnostic medical devices.
(b) Manufacture of computer, electronic and optical products.
(c) Manufacture of electrical equipment.
(d) Manufacture of machinery and equipment.
(e) Manufacture of motor vehicles, trailers and semi-trailers.
(f) Manufacture of other transport equipment.
6. Digital providers.
— Providers of online marketplaces.
— Providers of online search engines.
— Providers of social networking services platforms.
7. Research.
— Research organisations.
Important note: This is an overview, not a detailed list of activities. Depending on their products or services, and where their products or services belong in NACE (the statistical classification of economic activities in the European Union), entities must carefully consider if they must comply with the NIS 2 Directive or not.
For example, in the category "manufacture of computer, electronic and optical products" there are undertakings carrying out any of the economic activities referred to in section C division 26 of NACE Rev. 2:
26.1 Manufacture of electronic components and boards.
26.2 Manufacture of computers and peripheral equipment.
26.3 Manufacture of communication equipment.
26.4 Manufacture of consumer electronics.
26.5 Manufacture of instruments and appliances for measuring, testing and navigation; watches and clocks.
26.6 Manufacture of irradiation, electromedical and electrotherapeutic equipment.
26.7 Manufacture of optical instruments and photographic equipment.
26.8 Manufacture of magnetic and optical media.
As another example, the category "banking" covers "Credit institutions as defined in Article 4, point (1), of Regulation (EU) No 575/2013". In Regulation (EU) No 575/2013, "credit institution" means an undertaking the business of which is to take deposits or other repayable funds from the public and to grant credits for its own account.