March 2023 / 10 Min Read

Get Your Organisation Cyber Ready for NIS2


The EU’s new cyber security legislation will affect many more organisations, with the threat of fines for those who do not comply. Read our guide to make sure your organisation is cyber ready for NIS2.

Key Takeaways

  1. The EU’s Network and Information Security (NIS2) Directive will take effect from 18 October 2024 with the UK expected to adopt similar legislation.
  2. More businesses will come under the scope of the legislation with a requirement to strengthen their cyber security arrangements.
  3. Every business should look at the requirements for NIS2 and assess their compliance, or risk possible large fines.

What is the NIS2 Directive?

The European Union’s Network and Information Security (NIS2) Directive Opens in a new tab replaces the NIS Directive 2016 and aims to ensure a “high common level of cybersecurity across the EU’s Member States” by further strengthening cyber security requirements in critical infrastructure, and those industries and organisations that are indispensable for the functioning of the economy.

NIS2 was ratified on 16 January 2023, and each of the EU’s member states must ensure it adopts and publishes measures necessary to comply with the directives by 17 October 2024, with those measures taking effect 18 October 2024. For businesses in the UK, the EU law will not be implemented, but it’s expected that an expansion of the UK NIS Directive will include similar requirements to NIS2. And those UK businesses who operate within the EU will have to comply with NIS2 to ensure they can show consistent levels of cyber security standards.

What are the Main Changes?

The main changes under NIS2 include:

Expansion of industry sectors and entities coming under the scope of NIS2

The original NIS covered so-called operators of essential services like water supply, healthcare, transportation and some digital service providers. NIS2 has been expanded to include industries such as postal and courier, food, space, and waste water, as well as numerous mid-sized companies with 50 or more employees and earnings above €10 million.

Management responsibilities

Management bodies are responsible for approving the cybersecurity risk management measures taken by their company, overseeing their implementation, and can be held liable for infringement. Management members are required to undertake training so that they gain sufficient knowledge and skills to enable them to identify risks and assess cybersecurity risk management practices and their impact to their services.

Strengthened cybersecurity risk-management measures

Organisations should take appropriate and proportionate technical, operational, and organisational measures to manage their cyber risks and to prevent or minimise the impact of incidents on recipients of their services.

There are now minimum requirements that organisations in scope for NIS2 must implement. These range from the use of multi-factor authentication to incident handling and policies and procedures to assess the effectiveness of cybersecurity risk management measures.

Cybersecurity risk-management measures adopted by the organisation must be documented and evidence of implementation of cybersecurity policies must be available. For example, their incident handling must be clearly defined, and they must have disaster recovery plans in place.

In the event of a cyber incident, organisations must fulfill three specific steps within a tight timeframe:

  • Within 24 hours of a cyber attack, an initial warning must be sent to the authority responsible in their country.
  • Within 72 hours, further information about the incident must be provided.
  • Within one month, a final detailed report on the incident must be available.
Supply chain security in scope

Cybersecurity risk management is expanded to include supply chain security. Organisations in scope of NIS2 should consider the vulnerabilities specific to each of their direct suppliers and service providers to prevent or minimise the impact of supply chain incidents on recipients of their services and on other services.

Higher fines

“Essential” companies found to be non-compliant with NIS2 will face administrative fines of a maximum of €10 million or a maximum 2 percent of their total worldwide annual turnover (whichever is higher), while “important” companies will see fines of up to €7 million or 1.4 percent (whichever is higher).

Which Companies are Affected by the NIS2 Directive?

The EU divides the list of companies in scope by NIS2 into ‘essential’ and ‘important’ (see below). This list includes energy providers, online marketplaces, corporations, as well as numerous medium-sized companies and government agencies. While the main targets for NIS2 are medium-sized companies and above, some smaller companies can also come under NIS2’s requirements if certain conditions are met, or they are deemed as essential.

Companies must identify whether they are affected by NIS2. Also, companies which are part of the supply chain of these companies can be affected. An appendix is included in NIS2 legislation. Aon can also work with you to help you understand whether you are affected and the next steps you need to take.




Digital Infrastructure (DNS, IXP, TLD, ICT)


Financial market infrastructures


ICT service management

Public administration



Water and sewage


Digital providers


Manufacture, production, and distribution of chemicals

Postal and courier services

Production, processing, and distribution of food


Waste management

What do Companies Need to do Now

Whether your business is an essential or important entity, every organisation should look at the requirements of NIS2 and assess their compliance ahead of the implementation date in October 2024. These requirements include taking steps around operational cyber risk management; cyber hygiene; incident response; incident reporting; and supply chain security.

As with the EU’s GDPR legislation, it pays for companies to start this process much earlier to avoid problems. As one of the world’s largest cyber security firms with an international network of around 600 cyber security experts, we can offer help, support and advice on every stage of the NIS2 journey.

What NIS2 Demands

How Aon Can Help

Assess the effectiveness of cybersecurity risk-management measures

Optimisation of finite budget investments to help your organisation achieve better maximum Return on Security Investments

Basic cyber hygiene

Provide an assessment of your organisation’s cyber posture and general hygiene to help evaluate and pinpoint risk and security control gaps

Multi-factor or continuous authentication (MFA)

Provide strategic support for the selection, adoption, and deployment of appropriate Multi-factor Authentication solutions

Policies and procedures regarding cryptography

Develop specified models for the construction and rollout of specific user awareness training modules.

Supply chain security

Align cyber risk in the supply chain to your existing corporate risk appetite framework and develop a company specific approach to better analyse and target improved supply chain cyber resilience.

Cyber Incident handling

Analyze your incident response preparedness and the development of comprehensive incident response protocols including:

  • Incident Readiness Assessment
  • Creation of Incident Response Plan (IRP)
  • Offering of Incident Response Retainer (IRR) worldwide
  • Cyber Business Continuity Management
  • Cyber Insurance Claims Protocol Development
Cyber Incident reporting

Assess your company’s incident reporting capabilities and responsiveness and design or adjust existing incident reporting procedures to ensure alignment with new regulatory requirements

Policies on risk analysis and information system security

Develop or review of appropriate risk management systems aligned with enterprise risk management (ERM) frameworks.

Security in network and information systems

Systematically hunt generic and targeted threats within the network and monitor the deep and dark webs for threats and leaked assets.

Policies and procedures to assess effectiveness of risk management

Develop frameworks for risk assessments at an organisational level combined with scenario specific stress testing to examine overall risk management maturity and rigour.

NIS2: Four Questions Every Business Should Ask Themselves



  1. Is my company affected by NIS2?
  2. Is our risk management at the right level for NIS2?
  3. Can my company report cyber security incidents properly or not?
  4. What is the state of my company's supply chain risk management when it comes to cyber security?

Aon helps to empower clients to manage the full lifecycle of their cyber journey. Our holistic suite of cyber risk solutions integrates seamlessly to drive efficiencies and transparency, and help clients be better informed to safeguard their balance sheets and effectively manage risk. Learn how Aon’s Cyber Loop Model can support your organisation on its journey to sustained cyber resilience here.

Click here to download a shareable PDF version of this content.


Contact Us

If you are interested in learning more about how Aon can help your organisation prepare for NIS2, please complete the form below. A member of our team will be in touch shortly.

Aon UK Limited is authorised and regulated by the Financial Conduct Authority. FP.AGRC.1183 SEC