What Is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's updated network and information security law. It replaces the original NIS Directive from 2016 and sets a higher common baseline for cybersecurity risk management and incident reporting across all 27 Member States. The European Parliament adopted NIS2 in November 2022, it entered into force on 16 January 2023, and Member States were required to transpose it into national law by 17 October 2024.
NIS2 exists because the original directive left too many gaps. Inconsistent national transpositions, a narrow list of covered sectors, and weak enforcement meant that critical organisations across Europe still faced preventable breaches. NIS2 closes those gaps by expanding scope, tightening obligations, and introducing fines comparable to GDPR.
Who Must Comply with NIS2?
NIS2 applies to medium-sized and large organisations operating in 18 designated sectors. The directive splits covered entities into two tiers:
Essential Entities (Annex I Sectors)
- Energy -- electricity, oil, gas, hydrogen, district heating and cooling
- Transport -- air, rail, water, road
- Banking and financial market infrastructures
- Health -- hospitals, reference laboratories, pharmaceutical R&D
- Drinking water and wastewater
- Digital infrastructure -- DNS, TLD registries, cloud providers, data centres, CDNs, trust services, public telecoms
- ICT service management -- managed service providers (MSPs) and managed security service providers (MSSPs)
- Public administration (central and regional)
- Space -- ground-based infrastructure operators
Important Entities (Annex II Sectors)
- Postal and courier services
- Waste management
- Manufacturing -- medical devices, electronics, machinery, motor vehicles
- Chemicals -- production, storage, transport
- Food production, processing, and distribution
- Digital providers -- online marketplaces, search engines, social networks
- Research organisations
Small and micro-enterprises are generally exempt unless they are sole providers of a critical service in a Member State or operate in digital infrastructure. The practical threshold is typically 50+ employees or EUR 10 million+ annual turnover.
What Are the Core NIS2 Requirements?
Article 21 of the directive lists ten minimum cybersecurity risk-management measures that every in-scope organisation must implement. These measures must be proportionate to the entity's risk profile, size, and the potential societal impact of an incident.
The 10 Mandatory Measures
- Risk analysis and information-system security policies -- regular risk assessments, documented security policies, and asset inventories.
- Incident handling -- detection, analysis, containment, eradication, recovery, and post-incident review processes.
- Business continuity and crisis management -- backup management, disaster recovery plans, and crisis communication protocols.
- Supply-chain security -- risk assessment of direct suppliers, contractual security clauses, and ongoing monitoring of third-party providers.
- Security in system acquisition, development, and maintenance -- secure-by-design practices, vulnerability management, and patch policies.
- Policies and procedures to assess the effectiveness of measures -- penetration testing, security audits, and continuous improvement cycles.
- Cybersecurity hygiene and training -- mandatory awareness programmes for all staff, role-based training for IT and security teams.
- Policies on cryptography and encryption -- encryption standards for data at rest and in transit.
- Human-resources security and access control -- least-privilege access, identity management, multi-factor authentication (MFA).
- Use of multi-factor authentication and secured communications -- MFA for privileged and remote access, encrypted internal communications.
Management bodies are directly accountable. Under Article 20, the board or executive leadership must approve risk-management measures, oversee their implementation, and can be held personally liable for infringements.
How Does NIS2 Incident Reporting Work?
NIS2 introduces a strict, multi-stage reporting framework for significant cybersecurity incidents. An incident is considered significant if it causes or can cause severe operational disruption, financial loss, or considerable damage to other persons.
Three Reporting Stages
| Stage | Deadline | What to Report |
|---|---|---|
| Early warning | Within 24 hours | Initial alert: suspected malicious cause, potential cross-border impact |
| Intermediate update | Within 72 hours | Severity assessment, initial indicators of compromise (IoCs) |
| Final report | Within 1 month | Root-cause analysis, mitigation measures, cross-border impact, lessons learned |
Reports go to the relevant national CSIRT or competent authority. Voluntary reporting of less significant incidents is encouraged to improve collective threat intelligence across the EU.
What Are the Penalties for Non-Compliance?
NIS2 introduces GDPR-level fines that dwarf the penalties under the original directive:
- Essential entities -- up to EUR 10 million or 2 % of global annual turnover, whichever is higher.
- Important entities -- up to EUR 7 million or 1.4 % of global annual turnover, whichever is higher.
Beyond fines, competent authorities can issue binding instructions, order security audits, require immediate remediation, suspend certifications, and publish non-compliance statements. For essential entities, supervision is proactive (ex-ante) -- authorities can audit at any time. For important entities, supervision is generally reactive (ex-post), triggered by evidence of non-compliance or a reported incident.
How Does NIS2 Address Supply-Chain Security?
Supply-chain attacks (such as the SolarWinds and MOVEit incidents) demonstrated that an organisation's security is only as strong as its weakest supplier. NIS2 responds with explicit supply-chain obligations:
- Supplier inventory -- maintain a complete register of direct suppliers and service providers that interact with network and information systems.
- Risk assessment -- evaluate each critical supplier's cybersecurity posture through questionnaires, audits, or certification reviews (e.g., ISO 27001, SOC 2).
- Contractual clauses -- embed cybersecurity requirements, incident-reporting obligations, audit rights, and data-portability terms in supplier contracts.
- Ongoing monitoring -- continuously track vulnerability disclosures, breach notifications, and security-posture changes among key vendors.
- Exit planning -- define secure termination and data-migration procedures to prevent lock-in risks from undermining resilience.
For MSPs and MSSPs, NIS2 creates a dual obligation: they must comply as in-scope entities themselves and they must support their customers' compliance efforts with transparent security practices.
Which Sectors Are Most Affected?
Energy and Utilities
Energy entities face ex-ante supervision and must address the convergence of IT and Operational Technology (OT). Legacy SCADA systems, industrial control networks, and smart-grid components all fall within scope. Supply-chain risk management for hardware and firmware vendors is particularly critical.
Healthcare
Hospitals, laboratories, and pharmaceutical manufacturers handle sensitive patient data and deliver life-critical services. NIS2 complements GDPR by requiring robust business continuity plans. Ransomware attacks on healthcare systems -- which surged across Europe in 2023-2025 -- make incident-response readiness a top priority.
Digital Infrastructure and ICT Services
Cloud providers, DNS operators, data centres, and managed service providers form the backbone of the digital economy. A breach at a major cloud provider can cascade across thousands of downstream customers. NIS2 requires these entities to define clear shared-responsibility models with their clients regarding cybersecurity obligations.
Manufacturing
Manufacturers of medical devices, electronics, machinery, and vehicles are classified as important entities. Securing Industrial Control Systems (ICS) and integrating cybersecurity into product-development lifecycles are the primary challenges in this sector.
Transport and Logistics
Airlines, railways, shipping, and road logistics depend on interconnected scheduling, navigation, and fleet-management systems. The convergence of physical safety and cybersecurity demands integrated risk frameworks that cover both domains.
NIS2 vs. NIS1: What Changed?
| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Sectors covered | 7 (OES + DSP) | 18 (essential + important) |
| Entity classification | Member State discretion | Harmonised size-based rules |
| Security measures | General principles | 10 prescriptive minimum measures |
| Incident reporting | No fixed timelines | 24 h / 72 h / 1 month stages |
| Supply-chain security | Not addressed | Explicit obligations |
| Management liability | None | Personal liability for executives |
| Max fine (essential) | Varied by Member State | EUR 10 M or 2 % of turnover |
| Supervision (essential) | Mixed | Proactive ex-ante audits |
How Should Organisations Prepare?
Whether your organisation is newly in scope or was already covered under NIS1, a structured approach to NIS2 readiness is essential:
- Scope assessment -- determine whether your entity qualifies as essential or important under the directive's sector and size criteria.
- Gap analysis -- map your current controls against the 10 mandatory measures in Article 21 and identify shortfalls.
- Board engagement -- brief the management body on their personal liability under Article 20 and secure budget approval for remediation.
- Incident-response upgrade -- verify that your detection, reporting, and recovery processes meet the 24-hour early-warning deadline.
- Supply-chain review -- audit critical suppliers, update contracts with NIS2-aligned security clauses, and establish ongoing monitoring.
- Training rollout -- implement mandatory cybersecurity-awareness programmes for all employees and specialised training for IT staff.
- Documentation -- maintain evidence of policies, risk assessments, audits, and training records for regulatory inspection.
- Continuous improvement -- treat compliance as an ongoing cycle of assessment, remediation, and validation rather than a one-time project.
Working with a managed service provider experienced in EU regulatory compliance can accelerate NIS2 readiness, particularly for organisations that lack in-house security expertise or need to address complex multi-cloud environments.
Frequently Asked Questions
Does NIS2 apply to non-EU companies?
Yes. If a non-EU company provides services within the EU in a covered sector and meets the size thresholds, it must comply. The directive requires such entities to designate an EU-based representative.
How does NIS2 relate to GDPR?
NIS2 and GDPR are complementary. GDPR protects personal data; NIS2 protects network and information systems. A single cyber incident can trigger obligations under both. Organisations should align their incident-response and data-breach notification procedures across both frameworks.
Is ISO 27001 certification sufficient for NIS2 compliance?
ISO 27001 provides a strong foundation but does not guarantee NIS2 compliance. The directive's prescriptive measures -- especially multi-stage incident reporting, supply-chain obligations, and management-body liability -- go beyond the ISO standard. Certification demonstrates maturity but must be supplemented with NIS2-specific controls.
What happens if a Member State has not transposed NIS2?
Several Member States missed the October 2024 transposition deadline. While the directive itself is not directly applicable until transposed, the European Commission has launched infringement proceedings. Organisations should prepare against the directive's requirements regardless, as national laws will eventually align.
Can NIS2 fines be combined with GDPR fines?
Yes. A cybersecurity incident involving personal data can attract both a NIS2 fine from the cybersecurity authority and a GDPR fine from the data-protection authority. The directive includes provisions to avoid double punishment for the same breach, but separate violations under each framework can be penalised independently.
Editorial standards: This article was written by a certified practitioner and peer-reviewed by our engineering team. We update content quarterly to ensure technical accuracy. Opsio maintains editorial independence — we recommend solutions based on technical merit, not commercial relationships.