NIS2 in detail: who, what, when

NIS2: a directive that expands the scope

NIS2 (Directive 2022/2555) replaces the original NIS Directive and dramatically expands both the number of sectors covered and the stringency of requirements. Member states were required to transpose NIS2 into national law by October 17, 2024, though several have done so behind schedule, with full enforcement expected across the EU by late 2026.

The significance of NIS2 extends beyond its technical requirements. It establishes cybersecurity as a governance matter — not just a technical one — with explicit personal accountability for senior management and harmonized minimum standards across the EU single market.

Who is covered

Essential entities (maximum obligations): energy, transport, health, drinking water, digital infrastructure, public administration, space.

Important entities (lighter obligations): postal and courier services, waste management, chemicals, food production, manufacturing, research, and digital services.

Size thresholds: generally, organizations with more than 50 employees or annual turnover exceeding EUR 10M operating in covered sectors are in scope. Certain entities are designated regardless of size (critical infrastructure, sole providers).

The expansion from NIS1 to NIS2 is substantial. NIS1 covered operators of essential services and digital service providers in seven sectors. NIS2 covers 18 sectors and includes medium-sized organizations that were previously exempt. Estimates suggest NIS2 brings over 160,000 new entities into scope across the EU.

Organizations operating across multiple EU member states must comply with NIS2 as transposed in each relevant jurisdiction, although the directive aims for harmonization. In practice, national implementations vary in details, particularly around which national authority receives notifications and specific sectoral requirements.

Determining if you are in scope

Self-assessment requires evaluating three dimensions:

  1. Sector: does your organization operate in one of the 18 covered sectors?
  2. Size: do you meet the medium-enterprise threshold (50+ employees or EUR 10M+ turnover)?
  3. Nature: are you a critical or sole provider that triggers mandatory designation regardless of size?

For organizations with operations in multiple sectors, every sector activity should be assessed independently. An organization primarily in manufacturing that also operates critical digital infrastructure may be an important entity for manufacturing and an essential entity for the infrastructure activity.

The 10 key requirements

  1. Information security policy and governance
  2. Incident management (detection, response, reporting)
  3. Business continuity and crisis management
  4. Supply chain security
  5. Security in acquisition, development and maintenance of IT systems
  6. Effectiveness assessment of security measures (audits, testing)
  7. Cyber hygiene practices and staff training
  8. Cryptography and encryption policies
  9. Human resources security and access control
  10. Multi-factor authentication (MFA) for all privileged access

These requirements align closely with established frameworks like ISO 27001 and the NIST Cybersecurity Framework. Organizations with mature security programs based on these frameworks will find NIS2 compliance largely achievable through gap analysis and targeted remediation rather than starting from scratch.

Supply chain security (requirement 4) deserves particular attention as it extends NIS2 obligations beyond the organization’s own perimeter. In-scope entities must assess the security of their key suppliers and service providers and reflect supply chain risks in their risk management framework.

Incident reporting timelines

  • Early warning: within 24 hours of detection
  • Incident notification: within 72 hours
  • Final report: within 1 month

The tiered reporting structure is designed to balance the need for rapid situational awareness with the practical challenge of gathering accurate information during an active incident. The 24-hour early warning is explicitly not expected to be a complete report — it confirms the incident occurred and provides initial indicators. The 72-hour notification adds known impact and initial response measures. The one-month final report provides a complete post-incident analysis.

Organizations should establish incident classification criteria before an incident occurs, so that the determination of whether an event triggers NIS2 reporting can be made rapidly and consistently. Ambiguity during incident response about whether to notify is a common cause of deadline breaches.

Management accountability

Senior management is personally liable for NIS2 compliance. Directors and executives must complete cybersecurity training and can be held personally responsible for compliance failures. This is a significant departure from previous frameworks where cybersecurity was treated as a purely technical matter.

The personal liability provision has concrete consequences: NIS2 allows competent authorities to impose temporary bans on individuals from exercising management functions in the event of significant NIS2 breaches attributable to management failures.

The cybersecurity training requirement for management is not a one-time box to check. It reflects the regulatory expectation that board members and executives maintain sufficient cybersecurity literacy to exercise meaningful oversight of security programs, understand significant risks, and make informed decisions about security investments.

Preparing for compliance

Organizations approaching NIS2 compliance should structure their program around three workstreams:

Governance: establish a named CISO or equivalent, brief the board on NIS2 obligations, implement management training, and document the governance structure.

Technical measures: conduct a gap analysis against the 10 requirements, prioritize remediation based on risk, and implement missing controls with documented evidence.

Operational procedures: develop or update incident response procedures to meet reporting timelines, test business continuity plans, and implement supply chain assessment processes.

NIS2 penalties for non-compliance reach EUR 10M or 2% of global annual turnover for essential entities, and EUR 7M or 1.4% of global annual turnover for important entities. The financial exposure justifies serious investment in compliance programs.