By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
CIPP/E Study Guide – NIS2 Directive & Cybersecurity
The NIS2 Directive (EU 2022/2555) updates the original NIS (2016) rules to create a harmonised, higher‑level cybersecurity regime for “essential” and “important” entities across the EU. It obliges organisations to adopt robust security measures, report incidents promptly, and cooperate with national authorities.
Real‑world example: A pan‑European medical‑device manufacturer (classified as an “essential entity”) must secure the patient‑monitoring data it streams from hospitals in Germany, France, and Spain. When a ransomware attack disables the data‑flow in France, NIS2 forces the firm to notify the French CSIRT within 24 hours and to demonstrate that it had a risk‑based security policy in place.
Mistake: Assuming NIS2 only applies to organisations with a physical EU presence. Correction: NIS2’s territorial scope is activity‑based; any entity delivering essential services to EU users, regardless of location, must comply.
Mistake: Treating incident reporting as optional “best practice” rather than a legal duty. Correction: Failure to report within 24 hours can trigger the maximum fines; the duty is statutory under Article 16.
Mistake: Over‑looking supply‑chain obligations and expecting the regulator to police only the primary entity. Correction: The primary entity is jointly liable for its providers’ security gaps; conduct due‑diligence contracts and regular audits of vendors.
Mistake: Believing that existing ISO 27001 certification automatically satisfies NIS2. Correction: While ISO 27001 is a strong baseline, NIS2 adds specific risk‑management, reporting, and supervisory requirements that must be addressed separately.
Mistake: Confusing NIS2 with GDPR data‑protection duties and treating them as interchangeable. Correction: NIS2 focuses on security of network & information systems; GDPR still governs personal data processing. Both must be complied with, but they have distinct obligations and enforcement bodies.
Scenario: A French cloud‑service provider (classified as an “important entity”) discovers a data‑leak affecting customers in Germany and Italy. What is the latest time it can submit its incident report to the French authority? Answer: Within 24 hours of becoming aware of the incident. Explanation: NIS2 mandates a 24‑hour reporting window for significant incidents, regardless of where the impact occurs.
Scenario: A U.S. medical‑device manufacturer supplies equipment to hospitals in Spain. The equipment processes patient vital signs (personal data). Does NIS2 apply, and why? Answer: Yes, because the manufacturer provides an essential service (healthcare) to EU data subjects, triggering NIS2’s activity‑based territorial scope.
Scenario: An EU‑based online marketplace (digital service provider) has an ISO 27001 certificate. A regulator asks for evidence of NIS2 compliance. What must the marketplace provide beyond the ISO certificate? Answer: A risk‑based cybersecurity policy, incident‑response plan, and proof of 24‑hour reporting procedures as required by NIS2.
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.