The EU NIS 2 Directive: How InHand Networks Helps You Stay Compliant and Secure
At InHand Networks, we see NIS 2 not just as a regulation but as a roadmap to a stronger digital Europe. With our secure-by-design product portfolio, globally recognized certifications, and transparent Product Security Advisory program, we’re helping our customers prepare for a future where cybersecurity is a baseline expectation, not an afterthought.
NIS 2 Introduction
The NIS 2 Directive marks a paradigm shift in EU cybersecurity, replacing voluntary guidelines with a mandatory, risk-based framework to ensure a high common level of resilience across member states.
By classifying organizations as essential or important entities, the directive enforces tailored, stringent cybersecurity risk-management and reporting requirements based on sector criticality. This ensures that vital services—from energy and healthcare to digital infrastructure and public administration—remain secure and operational, minimizing societal and economic disruption.
For businesses, the Directive is more than just a compliance mandate — it is an opportunity to strengthen resilience, reduce risk, and build more trusted supply chains.
Who Must Comply: Essential vs Important Entities
The NIS 2 Directive expands coverage to a broader set of sectors and organizations, classifying them into Essential and Important entities based on their size, sector, and criticality.
Both groups must meet the same baseline cybersecurity requirements—but with different levels of supervision and enforcement.
The rules generally apply to medium and large enterprises as defined by the EU recommendation (typically >50 employees and >€10m turnover/€10m balance sheet total), but certain entities are included “regardless of their size” (e.g., top-level domain registries, DNS service providers, providers of public electronic communications networks).
Category | Examples | Size of Entity | Classification |
---|---|---|---|
Always Essential (regardless of size) | Trust service providers, DNS operators, TLD registries, public electronic communications networks/services, CER-designated critical entities | Any size | Essential |
Annex I (Sectors of High Criticality) | Energy, Transport, Banking, Financial Infrastructure, Healthcare, Drinking Water, Digital Infrastructure, Public Administration, Space | Large | Essential |
Annex II (Other Critical Sectors) | Postal & Courier, Waste Management, Chemicals, Food, Manufacturing (e.g. medical devices), Digital Providers, Research | Medium or Large | Important |
Explanation of size criteria:
- Large: ≥ 250 employees OR (Turnover > €50M AND Balance Sheet total > €43M)
- Medium: 50–249 employees AND (Turnover ≤ €50M AND Balance Sheet total ≤ €43M)
The NIS 2 Compliance Challenge for Organizations
The NIS 2 Directive presents a significant compliance challenge by fundamentally expanding the scope, scale, and stringency of cybersecurity obligations across the EU. Organizations now face a multi-faceted challenge:
Category of Challenge | What Organizations Need to Do |
---|---|
1. Know Your Category | • Confirm if you fall under entities always in scope regardless of size (Art. 2(2)–(4)). If yes, you are an Essential Entity. • If not, check Annex I/II to see if you are Essential or Important (Art. 3). • Prepare for the corresponding supervision regime (Arts. 31–33). |
2. Leadership Accountability | • Ensure top management approves and oversees cybersecurity risk-management (Art. 20(1)). • Provide regular training for management and staff (Art. 20(2)). • Note: top management may be personally liable; essential entities may face temporary bans (Art. 32(5)). |
3. Implement Security Measures | • Put in place appropriate and proportionate measures (Art. 21(1)). • Measures must cover: risk analysis, incident handling, business continuity, supply chain security, vulnerability management, secure design, cryptography, access control, secure comms, multi-factor authentication (Art. 21(2)). |
4. Meet Incident Reporting Timelines | Report major incidents in three steps: • Within 24h: Early warning (Art. 23(2)). • Within 72h: Incident notification with assessment (Art. 23(4)). • Within 1 month: Final report with root cause & mitigation (Art. 23(6)). |
5. Manage Supply Chain Security | • Address risks in supplier and service provider relationships (Art. 21(2)(d)). • Assess and monitor third-party cybersecurity practices. |
6. Ensure Readiness for Supervision & Enforcement | • Essential entities: proactive audits, inspections, and security scans (Arts. 31–32). • Important entities: reactive checks after incidents or evidence of non-compliance (Art. 33). • Non-compliance fines: up to €10M or 2% of global turnover (essential entities) / €7M or 1.4% (important entities) (Art. 34). |
Key Requirements of NIS 2
1. Leadership Accountability (Art. 20, Art. 32(5))
- Cybersecurity is now a top management responsibility — executives must approve and oversee risk-management measures.
- Both leadership and employees must receive regular cybersecurity training.
- Be aware: management may face personal liability, and essential entities risk temporary bans for leaders in case of serious failures.
2. Comprehensive Cybersecurity Measures (Art. 21)
Entities must adopt a full set of technical, operational, and organizational safeguards.
This includes:
- Risk analysis and information system security policies.
- Incident handling.
- Business continuity, including backup management, disaster recovery, and crisis management.
- Supply chain security, including security-related aspects for supplier relationships.
- Security in acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
- Policies and procedures for assessing effectiveness of cybersecurity measures.
- Basic cyber hygiene practices and cybersecurity training.
- Policies and procedures for cryptography and, where appropriate, encryption.
- Human resources security, asset management, and access control.
- Use of multi-factor (or continuous) authentication, secure voice/video/text communications, and secure emergency communications systems.
(Think of this as building “defense-in-depth” across your organization and ecosystem.)
3. Incident Reporting (Art. 23)
Organizations must follow a three-step reporting process:
- Within 24h: Submit an early warning to the CSIRT/authority if an incident may be malicious or cross-border.
- Within 72h: Provide a detailed incident notification with an initial assessment.
- Within 1 month: Deliver a final report with root cause, impact, and mitigation measures.
(The clock starts when you become aware of the incident — not when you’ve finished analyzing it.)
4. Supervision & Enforcement (Arts. 31–36)
- Essential Entities
  - Supervision: Proactive → audits, inspections, technical scans, security assessments (Art. 32).
  - Penalties (Art. 34): up to €10M or 2% of global turnover (whichever is higher).
  - Additional Measures (Art. 32(4)):
    - Temporary bans on executives (e.g., CEO, legal representative) from exercising managerial functions.
    - Suspension of authorisations or certifications.
    - Binding compliance orders.
    - Public naming (naming-and-shaming).
- Important Entities
  - Supervision: Reactive (ex-post) → triggered by incidents or evidence of non-compliance (Art. 33).
  - Penalties (Art. 34): up to €7M or 1.4% of global turnover (whichever is higher).
  - Corrective Measures: Binding instructions and orders.
How InHand Networks Supports NIS 2 Compliance
The NIS 2 Directive sets high expectations for governance, risk management, and resilience. At InHand Networks, we help organizations not only meet compliance requirements but also build lasting cyber resilience. Our secure-by-design approach, international certifications, and transparent product security practices make us a trusted partner for Essential and Important entities under NIS 2.
1. Governance & Accountability (Art. 20)
- ISO/IEC 27001 certification demonstrates our commitment to systematic information security management.
2. Cybersecurity Risk-Management Measures (Art. 21)
- IEC 62443-4-1 certified secure development lifecycle: ensures all InHand products are designed, tested, and maintained with security at the core.
- IEC 62443-4-2 certified industrial routers and IoT edge gateways: provide trusted building blocks for secure connectivity in critical infrastructures such as energy, transport, and healthcare.
- EN 18031 certification: reinforces robustness testing of our devices to resist cyberattacks.
Together, these certifications directly support the technical and organizational measures mandated by NIS 2.
3. Incident Handling & Vulnerability Disclosure (Arts. 21 & 23)
- InHand Networks operates a dedicated Product Security Incident Response Team (PSIRT) and a Coordinated Vulnerability Disclosure (CVD) process.
- Through our Product Security Advisories (PSA) [link], customers receive timely updates, patches, and mitigation guidance—helping them comply with NIS 2 incident response and vulnerability handling obligations.
4. Supply Chain Security (Art. 21(2)(d))
- By selecting NIS 2–aligned, internationally certified products, organizations can strengthen their own supply-chain security posture.
- Our rigorous development and testing process reduces risks that propagate through third-party dependencies, a critical aspect under NIS 2.
5. Supervision & Enforcement Readiness (Arts. 31–36)
- Customers deploying InHand solutions benefit from verifiable, standards-backed security evidence, supporting audits and inspections.
- Our compliance foundation (ISO 27001, IEC 62443, EN 18031) provides the documentation needed to demonstrate conformity to regulators.
The Four Pillars of InHand Security Excellence
Meeting the stringent requirements of the NIS 2 Directive requires more than isolated technical fixes — it demands a holistic and sustainable security framework. That’s why InHand Networks has defined the Four Pillars of Security Excellence, a comprehensive model that integrates governance, product integrity, certifications, and operational resilience into a unified approach.
Built on globally recognized standards such as ISO/IEC 27001 and IEC 62443, the Four Pillars reflect years of investment in secure development practices, robust product engineering, and transparent vulnerability management. They ensure that security is not just a feature, but a foundation across every stage of the product lifecycle.
For organizations preparing for NIS 2 compliance, the Four Pillars translate the Directive’s legal and regulatory requirements into practical, verifiable measures. Each pillar directly maps to core NIS 2 obligations — from leadership accountability and secure product development to incident handling and supply chain assurance.
Together, the Four Pillars provide the bridge between compliance and resilience: helping organizations demonstrate conformity to regulators while building stronger, more trustworthy systems to face the evolving cyber threat landscape.
1. Secure Development
- Built on IEC 62443-4-1 (Practiced Level) secure development lifecycle methodology.
- Defined, consistently applied and repeated across projects.
- Embeds Secure by Design, Secure by Default, and Defense in Depth into every stage of engineering.
- Continuous threat modeling, code reviews, and penetration testing to minimize vulnerabilities before release.
2. Secure Products
- IEC 62443-4-2 Certified industrial routers and IoT edge gateways for critical OT/IT environments.
- EN 18031 Certified for robustness—tested against advanced cyberattacks.
- Trusted performance across energy, transport, healthcare, manufacturing, and digital infrastructure sectors.
3. Secure Certifications
Globally recognized certifications that provide compliance assurance:
- ISO 27001 – Information Security Management System (ISMS).
- IEC 62443-4-1 (Practiced Level) – Secure development lifecycle maturity.
- IEC 62443-4-2 – Industrial product cybersecurity.
- EN 18031 – Common Security Requirements for Radio Equipment.
Together, these certifications prove InHand’s commitment to the highest international standards of information and product security.
They also give customers and procurement teams confidence that our solutions meet rigorous security and quality benchmarks.
4. Secure Operations
- Dedicated PSIRT (Product Security Incident Response Team) for vulnerability handling.
- Established Coordinated Vulnerability Disclosure (CVD) process.
- Transparent Product Security Advisories (PSA) portal: View PSAs.
- ISMS in practice: continuous monitoring, risk assessments, and policy enforcement based on ISO 27001.
- Ongoing lifecycle support and security maintenance to keep customers ahead of evolving threats.
Conclusion: Turning Compliance into Cyber Resilience
The NIS 2 Directive raises the bar for cybersecurity governance, requiring organizations across Europe to demonstrate not only compliance, but also the ability to withstand and recover from evolving threats. Essential and Important entities alike must now prove that cybersecurity is embedded at every level — from leadership accountability to product integrity, supply chain security, and incident readiness.
At InHand Networks, we deliver more than just compliant products — we provide the secure foundation for resilience. With internationally recognized certifications, a transparent vulnerability management process, and a secure-by-design portfolio trusted across critical sectors, we help organizations confidently navigate the NIS 2 landscape.
By partnering with InHand Networks, you gain more than compliance:
- Risk reduction — through secure-by-design engineering and internationally certified products.
- Regulator confidence — with verifiable, standards-backed evidence mapped directly to NIS 2 obligations.
- Business continuity — with robust operations, lifecycle support, and incident readiness built into our model.
From compliance to resilience, InHand Networks is your trusted partner for NIS 2 readiness.