What is the primary objective of **NIS2**?

**The primary objective of NIS2 is to establish a high common level of cybersecurity and resilience across EU member states by strengthening critical infrastructure and digital services against cyber threats.** It expands upon the original NIS Directive, imposing obligations on **essential entities** (typically 250+ employees, €50M+ turnover, or €43M+ balance sheet) and **important entities** (50+ employees, €10M+ turnover, or €10M+ balance sheet) in sectors like energy, transport, health, and digital infrastructure, including supply chain security and incident reporting.

Who is legally or professionally required to comply with **NIS2**?

**NIS2 applies to all medium-sized and large entities in specified sectors classified as 'essential' or 'important' entities operating within the EU.** **Essential entities** generally have 250+ employees, €50M+ annual turnover, or €43M+ balance sheet total; **important entities** have 50+ employees, €10M+ turnover, or €10M+ balance sheet. Scope covers expanded sectors like energy (electricity, oil, gas, district heating), public administration, waste management, digital providers (cloud computing, online marketplaces), with size-cap rule overriding for sole critical service providers. EU member states transposed by October 17, 2024.

Does **NIS2** require an external audit or third-party certification?

**NIS2 does not mandate external audits or third-party certification but empowers national authorities for supervision, including spot checks and real-time evidence demands.** Compliance shifts to continuous assurance via dynamic risk registers, OT/IT asset inventories, and verifiable controls, with registration required to central authorities providing entity details, sector, and operating states. Authorities like CSIRTs oversee enforcement.

How often should an assessment for **NIS2** be performed?

**NIS2 requires ongoing, continuous risk assessments rather than fixed intervals, with quarterly updates to dynamic risk registers and asset inventories recommended for compliance.** Entities must maintain proactive risk management, including regular vulnerability identification, supply chain reviews, and closed-loop improvements to support real-time spot checks by national authorities.

What are the consequences of non-compliance with **NIS2**?

**Non-compliance with NIS2 incurs fines up to €10 million or 2% of total global annual turnover for essential entities, and up to €7 million or 1.4% for important entities.** Additional sanctions include business suspension, remedial orders, and personal liability for senior management, enforced by national authorities with powers for on-site inspections and incident data access.

An **NIS2** be mapped to other international frameworks?

**Yes, EU member states incorporate standards like ISO 27001 and NIST CSF into national NIS2 frameworks to facilitate mapping and compliance.** Organizations leverage these for risk management, supply chain security, and incident response, aligning with NIS2's all-hazards approach without direct cross-references in the directive.

What is the first step to begin implementing **NIS2**?

**The first step to implement NIS2 is to determine applicability by assessing entity size, sector, and operations against essential/important criteria.** Conduct a gap analysis of current risk management, register with national authorities, and establish governance with senior management accountability for cybersecurity measures.

What is the primary objective of **RoHS**?

**The primary objective of **RoHS** is to restrict hazardous substances in electrical and electronic equipment (EEE) to protect human health and the environment during waste management and recycling.** Directive 2011/65/EU (RoHS 2), amended by 2015/863, limits ten substances—**lead (Pb)**, **mercury (Hg)**, **cadmium (Cd)**, **hexavalent chromium (Cr(VI))**, **PBB**, **PBDE**, **DEHP**, **BBP**, **DBP**, **DIBP**—at maximum concentration values (**MCV**) of **0.1%** by weight (1000 ppm) in homogeneous materials, except **0.01%** (100 ppm) for Cd. This supports WEEE recyclability by reducing toxic burdens in waste streams.

Who is legally or professionally required to comply with **RoHS**?

**Manufacturers, importers, distributors, and authorized representatives placing EEE on the EU market must comply with **RoHS****. Scope covers all EEE categories in Annex I (e.g., appliances, IT, lighting, medical devices) unless excluded (Article 2(4), e.g., large-scale fixed installations, military equipment). Compliance applies at **homogeneous material** level—smallest mechanically separable units like solders or coatings—for products with electrical/electronic components.

Does **RoHS** require an external audit or third-party certification?

**No, **RoHS** does not require external audits or third-party certification.** Compliance relies on internal conformity assessment: manufacturers issue an **EU Declaration of Conformity (DoC)** backed by **technical documentation** (per EN IEC 63000:2018), retained for 10 years. Risk-based verification uses supplier declarations and targeted testing (IEC 62321); CE marking applies where relevant.

How often should an assessment for **RoHS** be performed?

**RoHS assessments must be performed continuously as part of a living compliance system, with periodic reviews tied to changes and risks.** Initial assessment occurs pre-market; re-assess on supplier changes, design updates, or exemption expiries (Annex III/IV). Annual audits for high-risk materials, plus screening (XRF) on incoming lots, ensure ongoing conformity amid delegated directive updates.

What are the consequences of non-compliance with **RoHS**?

**Non-compliance with **RoHS** results in decentralized enforcement by EU Member States, including product withdrawal, recalls, sales bans, and administrative fines.** Penalties vary nationally (no unified EU schedule); risks include market exclusion, customs seizures, and liability for importers/distributors. Technical file deficiencies trigger scrutiny during surveillance.

An **RoHS** be mapped to other international frameworks?

**Yes, **RoHS** substance lists and thresholds align partially with frameworks like China RoHS 2 (core six substances, broader EEE scope with marking/E-PUP requirements).** EU RoHS serves as baseline for global compliance; map via shared MCVs but account for divergences (e.g., no EU exemptions in China, state-level US rules). Use IPC-1752 for cross-framework declarations.

What is the first step to begin implementing **RoHS**?

**The first step to implement **RoHS** is scoping products against Annex I categories and exclusions (Article 2(4)).** Map BOMs to **homogeneous materials**, identify risks, and collect supplier declarations. Establish governance, then build technical file per EN IEC 63000.

NIS2 vs RoHS | GRADUM

Standards Comparison

NIS2

Mandatory

2022

EU regulation strengthening cybersecurity for critical infrastructure sectors

RoHS

Mandatory

2011

EU regulation restricting hazardous substances in EEE

Quick Verdict

NIS2 mandates cybersecurity resilience for EU critical sectors via risk management and rapid incident reporting, while RoHS restricts hazardous substances in electronics for environmental safety through material testing. Companies adopt NIS2 for regulatory compliance and cyber defense; RoHS for EU market access and sustainability.

Cybersecurity

NIS2

Directive (EU) 2022/2555 on critical entity resilience

Cost

€€€€

Complexity

Medium

Implementation Time

12-18 months

Key Features

Expands scope with size-cap rule for medium/large entities
Mandates strict 24-hour early warning incident reporting
Imposes direct senior management accountability
Levies fines up to 2% global annual turnover
Requires continuous risk management and supply chain security

Hazardous Substances

RoHS

Directive 2011/65/EU (RoHS 2)

Cost

€€€€

Complexity

High

Implementation Time

6-12 months

Key Features

Restricts 10 substances at 0.1% in homogeneous materials
Open scope: all EEE unless specifically excluded
Requires technical file and EU Declaration of Conformity
Time-limited exemptions renewed via delegated acts
Tiered testing: XRF screening and IEC 62321 confirmation

Detailed Analysis

A comprehensive look at the specific requirements, scope, and impact of each standard.

NIS2 Details

What It Is

NIS2 Directive (EU) 2022/2555 is an EU regulation expanding the original NIS Directive to enhance cybersecurity resilience across member states. It targets essential and important entities in broadened sectors like energy, transport, health, and digital services via a size-cap rule (50+ employees or €10M turnover). Adopting a risk-based, all-hazards approach, it mandates proactive measures against cyber threats.

Key Components

**Four pillarsrisk management, incident reporting, business continuity, corporate accountability.
Strict timelines: 24-hour early warnings, 72-hour notifications, one-month final reports to CSIRTs.
Continuous assurance with supply chain security, access controls, encryption.
Senior management liability; no fixed control count, but aligns with ISO 27001, NIST CSF.

Why Organizations Use It

Legal compliance avoids fines up to 2% global turnover; builds resilience against threats like APTs, ransomware. Enhances trust, operational continuity, cross-border cooperation; strategic for multi-state operations.

Implementation Overview

Enterprise-wide transformation: gap assessments, risk registers, training, supplier audits. Applies to medium/large EU entities in covered sectors; transposition by Oct 2024, with audits/spot checks. Leverage standards for 12-18 month rollout.

RoHS Details

What It Is

RoHS (Directive 2011/65/EU, recast as RoHS 2) is an EU regulation restricting hazardous substances in electrical and electronic equipment (EEE) to protect health and environment during waste management. It uses an open-scope approach (all EEE unless excluded) with homogeneous material concentration limits and time-limited exemptions.

Key Components

Restricts 10 substances (e.g., Pb, Cd, Hg, phthalates) at 0.1% (Cd 0.01%) in homogeneous materials.
Annexes III/IV for exemptions; updated via delegated acts.
Built on CE-marking framework with technical documentation and EU Declaration of Conformity (DoC).
Compliance via risk-based supplier declarations and IEC 62321 testing.

Why Organizations Use It

Mandatory for EU market access; prevents fines, recalls.
Enhances recyclability, supply chain integrity, ESG reporting.
Reduces risks from exemptions expiry, global variants (e.g., China RoHS 2).
Builds stakeholder trust, competitive edge in sustainability.

Implementation Overview

Phased: scoping, gap analysis, supplier controls, testing, documentation.
Applies to manufacturers/importers of EEE; all sizes, global reach.
No certification; 10-year technical file retention for audits.

Key Differences

Aspect	NIS2	RoHS
Scope	Cybersecurity risk management, incident reporting, resilience	Hazardous substances restriction in EEE materials
Industry	Essential/important entities in EU sectors (energy, transport)	Electrical/electronic equipment manufacturers EU-wide
Nature	Mandatory EU directive, national transposition, fines	Mandatory EU product regulation, market surveillance
Testing	Risk assessments, audits, spot checks by authorities	XRF screening, lab analysis (IEC 62321) of materials
Penalties	Up to 2% global turnover or €10M for essential entities	Fines, product recalls, market bans by Member States

Scope

NIS2

Cybersecurity risk management, incident reporting, resilience

RoHS

Hazardous substances restriction in EEE materials

Industry

NIS2

Essential/important entities in EU sectors (energy, transport)

RoHS

Electrical/electronic equipment manufacturers EU-wide

Nature

NIS2

Mandatory EU directive, national transposition, fines

RoHS

Mandatory EU product regulation, market surveillance

Testing

NIS2

Risk assessments, audits, spot checks by authorities

RoHS

XRF screening, lab analysis (IEC 62321) of materials

Penalties

NIS2

Up to 2% global turnover or €10M for essential entities

RoHS

Fines, product recalls, market bans by Member States

Frequently Asked Questions

Common questions about NIS2 and RoHS

NIS2 FAQ

RoHS FAQ

You Might also be Interested in These Articles...

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Bust 10 NIST CSF 2.0 myths like 'only for critical infrastructure' or 'Govern replaces Identify'. Plain-English breakdowns, evidence, and fixes for flexible ris

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

Avoid top 10 SOC 2 mistakes like scope creep & evidence gaps. See fail/pass visuals, client quotes, Vanta/Drata automation fixes for bootstrapped startups. Quic

SEC Cybersecurity Rules Materiality Determination Framework: Step-by-Step Guide with Checklists and Real-World Examples

Master SEC Form 8-K Item 1.05 materiality determinations with our step-by-step framework, checklists, case law factors, and real-world examples. Avoid enforceme

Run Maturity Assessments with GRADUM

Transform your compliance journey with our AI-powered assessment platform

Assess your organization's maturity across multiple standards and regulations including ISO 27001, DORA, NIS2, NIST, GDPR, and hundreds more. Get actionable insights and track your progress with collaborative, AI-powered evaluations.

100+ Standards & Regulations

AI-Powered Insights

Collaborative Assessments

Actionable Recommendations

Check out these other Gradum.io Standards Comparison Pages

APPI vs ISO 30301

Compare APPI vs ISO 30301: Japan's privacy law meets records management stds. Align compliance, cut risks, boost data strategy for Japan ops. Dive in now!

ISO 27032 vs WELL

Explore ISO 27032 vs WELL: cybersecurity guidelines for internet threats meet healthy building standards. Secure data & boost wellness—compare strategies now!

FISMA vs NIST 800-53

Unlock FISMA vs NIST 800-53: Key differences, RMF steps, control baselines & compliance strategies for federal cybersecurity. Achieve risk mastery now!

NIS2

RoHS

Quick Verdict

NIS2

Key Features

RoHS

Key Features

Detailed Analysis

NIS2 Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

RoHS Details

What It Is

Key Components

Why Organizations Use It

Implementation Overview

Key Differences

Scope

Industry

Nature

Testing

Penalties

Frequently Asked Questions

NIS2 FAQ

What is the primary objective of NIS2?

Who is legally or professionally required to comply with NIS2?

Does NIS2 require an external audit or third-party certification?

How often should an assessment for NIS2 be performed?

What are the consequences of non-compliance with NIS2?

An NIS2 be mapped to other international frameworks?

What is the first step to begin implementing NIS2?

RoHS FAQ

What is the primary objective of RoHS?

Who is legally or professionally required to comply with RoHS?

Does RoHS require an external audit or third-party certification?

How often should an assessment for RoHS be performed?

What are the consequences of non-compliance with RoHS?

An RoHS be mapped to other international frameworks?

What is the first step to begin implementing RoHS?

You Might also be Interested in These Articles...

Top 10 NIST CSF 2.0 Myths Busted: Separating Hype from Reality for Smarter Adoption

Top 10 SOC 2 Mistakes Startups Make (and Fixes with Automation)

SEC Cybersecurity Rules Materiality Determination Framework: Step-by-Step Guide with Checklists and Real-World Examples

Run Maturity Assessments with GRADUM

Check out these other Gradum.io Standards Comparison Pages

APPI vs ISO 30301

ISO 27032 vs WELL

FISMA vs NIST 800-53