The EU's Network and Information Security Directive 2 (NIS2) represents the most significant overhaul of European cybersecurity legislation in nearly a decade. With the transposition deadline passed and national implementing laws entering into force across member states, organisations must understand their obligations or face substantial penalties.
This guide explains everything you need to know about NIS2—from determining if it applies to your organisation to implementing the required security measures.
What is NIS2?
NIS2 (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation that establishes a common framework for network and information security across all member states. It replaced the original NIS Directive (2016) and significantly expanded both its scope and requirements.
The directive entered into force on 16 January 2023, with EU member states required to transpose it into national law by 17 October 2024. Organisations falling within its scope must now comply with the requirements set out in their national implementing legislation.
Key Objectives of NIS2
NIS2 aims to achieve four primary goals:
- Strengthen cybersecurity resilience across critical sectors in the EU
- Harmonise security requirements to reduce fragmentation between member states
- Improve incident response through mandatory reporting and cooperation
- Enhance supply chain security by extending obligations to service providers
Who Does NIS2 Apply To?
NIS2 significantly expanded the scope of organisations covered compared to its predecessor. The directive applies to two categories of entities, essential entities and important entities, and the category an organisation falls into depends on both its sector and its size (Article 3): large entities in an Annex I sector are essential, while medium-sized entities in Annex I sectors and all in-scope entities in Annex II sectors are important, unless a member state designates them otherwise.
Sectors of High Criticality (Annex I)
Annex I covers the sectors considered most critical to the functioning of the EU economy and society. Large entities in these sectors are essential entities:
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating/cooling |
| Transport | Air, rail, water, road transport operators |
| Banking | Credit institutions, financial services |
| Financial Market Infrastructure | Trading venues, central counterparties |
| Health | Hospitals, healthcare providers, laboratories |
| Drinking Water | Water supply and distribution |
| Waste Water | Waste water collection and treatment |
| Digital Infrastructure | Internet exchange points, DNS service providers, TLD registries, cloud computing, data centres, CDNs, trust service providers, public electronic communications networks and services |
| ICT Service Management (B2B) | Managed service providers, managed security service providers |
| Public Administration | Central government entities |
| Space | Ground-based infrastructure operators |
Other Critical Sectors (Annex II)
Entities in Annex II sectors are important entities (as are medium-sized entities in Annex I sectors) and are subject to lighter, reactive supervision:
| Sector | Examples |
|---|---|
| Postal and Courier Services | Postal operators, parcel delivery |
| Waste Management | Waste collection, treatment, disposal |
| Chemicals | Manufacturing, production, distribution |
| Food | Food production, processing, distribution |
| Manufacturing | Medical devices, computers, electronics, machinery, motor vehicles |
| Digital Providers | Online marketplaces, search engines, social networks |
| Research | Research organisations |
Size Thresholds
NIS2 applies to entities in the covered sectors that qualify as medium-sized or large under Commission Recommendation 2003/361/EC (the "size-cap rule"). Headcount is measured in annual work units, and partner and linked enterprises count towards the totals, so a small EU subsidiary of a large group can be in scope:
- Medium enterprises: 50 or more employees, or annual turnover and annual balance sheet total both above €10 million
- Large enterprises: 250 or more employees, or annual turnover above €50 million and annual balance sheet total above €43 million
However, certain entities are covered regardless of size (Article 2(2)), including:
- Qualified trust service providers, TLD name registries and DNS service providers
- Providers of public electronic communications networks or publicly available electronic communications services
- Public administration entities of central government
- Entities identified as critical under the Critical Entities Resilience Directive (CER)
- Sole providers of a service essential for critical societal or economic activities in a member state
- Entities whose disruption could significantly affect public safety, public security or public health, or induce significant systemic risk
Important: Even if your organisation falls below the size thresholds, suppliers to essential and important entities feel NIS2 indirectly. Their customers must manage supply chain risk under Article 21 and will typically push security requirements, audit rights and incident-notification duties down through contracts. That is a contractual obligation rather than being in scope of the directive itself, but in practice it can be just as demanding.
NIS2 vs NIS1: What Changed?
The original NIS Directive had several limitations that NIS2 addresses:
| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Scope | 7 sectors plus digital service providers; operators of essential services (OES) identified individually by member states | 18 sectors (11 in Annex I, 7 in Annex II); essential and important entities identified by the size-cap rule |
| Size criteria | Member state discretion | Harmonised EU-wide thresholds |
| Security measures | General requirements | 10 specific minimum measures |
| Incident reporting | Variable timelines | Standardised 24h/72h/1 month timeline |
| Penalties | Member state discretion | Harmonised fine ceilings (at least €10 million or 2% of turnover for essential entities, €7 million or 1.4% for important entities) |
| Supply chain | Limited coverage | Explicit supply chain security requirements |
| Management liability | Not specified | Personal liability for management bodies |
| Supervision | Reactive approach | Proactive supervision for essential entities |
NIS2 Requirements: The 10 Minimum Security Measures
Article 21 of NIS2 requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures, based on an all-hazards approach and proportionate to the entity's exposure to risk, its size, and the likelihood and severity of incidents. Article 21(2) specifies 10 minimum measures that every in-scope entity must address:
1. Risk Analysis and Information System Security Policies
Organisations must establish and maintain comprehensive policies for:
- Risk assessment methodologies
- Information system security
- Acceptable use of assets
- Classification of information
What to do: Develop a formal risk management framework aligned with standards like ISO 27001 or the NIST Cybersecurity Framework. Document all policies and review them at least annually.
2. Incident Handling
Establish processes for:
- Detecting security incidents
- Analysing and classifying incidents
- Responding to and containing incidents
- Recovering from incidents
- Learning from incidents
What to do: Create an incident response plan with clear roles, escalation procedures, and communication protocols. Test the plan through regular tabletop exercises.
3. Business Continuity and Crisis Management
Implement measures including:
- Backup management
- Disaster recovery planning
- Crisis management procedures
What to do: Develop business continuity plans (BCP) for critical services. Ensure backups are automated, encrypted, stored securely and tested regularly by actually restoring them. Keep at least one backup copy offline or immutable so that an attacker holding domain administrator credentials cannot encrypt or delete it, and measure restore times against your recovery objectives rather than assuming they will be met.
4. Supply Chain Security
Address security aspects concerning:
- Direct suppliers
- Service providers
- Product security throughout the lifecycle
What to do: Maintain an inventory of suppliers and the services, data and network access each one has, and rank them by the impact a compromise would have. Conduct security risk assessments of those vendors, include security requirements (patching, incident notification, audit rights) in contracts, and monitor compliance for the life of the relationship rather than only at onboarding. Article 21(3) also requires entities to take into account the results of EU-level coordinated risk assessments of critical supply chains.
5. Security in Network and Information Systems Acquisition, Development, and Maintenance
Ensure security is embedded in:
- System acquisition processes
- Development practices
- Maintenance activities
- Vulnerability handling and disclosure
What to do: Embed security in the development lifecycle (threat modelling, code review, dependency scanning, DevSecOps pipelines). Establish a vulnerability management process with defined SLAs for remediation, and publish a coordinated vulnerability disclosure policy so that external researchers can report issues to you; Article 12 requires member states to set up national CVD frameworks that such a policy should align with.
6. Policies and Procedures for Assessing Cybersecurity Risk-Management Effectiveness
Establish mechanisms to:
- Measure the effectiveness of security measures
- Identify gaps and weaknesses
- Drive continuous improvement
What to do: Conduct regular security audits, penetration testing, and vulnerability assessments. Define KPIs for cybersecurity performance.
7. Basic Cyber Hygiene Practices and Cybersecurity Training
Implement:
- Security awareness programmes
- Role-based cybersecurity training
- Regular updates on threats and best practices
What to do: Provide mandatory cybersecurity training for all employees. Conduct phishing simulations. Ensure management receives training on their NIS2 responsibilities.
8. Policies and Procedures for Cryptography and Encryption
Establish standards for:
- Use of cryptographic controls
- Encryption of data at rest and in transit
- Key management
What to do: Define a cryptographic policy that specifies approved algorithms, key lengths and protocols, prohibits deprecated ones, and sets rules for key generation, storage, rotation and revocation. NIS2 does not mandate particular algorithms, so base the policy on current national or ENISA guidance. Encrypt sensitive data at rest and in transit, and keep an inventory of where keys and certificates live so that a compromised key can be rotated quickly.
9. Human Resources Security, Access Control Policies and Asset Management
Implement:
- Pre-employment screening where appropriate, and security obligations in employment contracts
- An inventory of hardware, software and information assets, with a named owner for each
- Role-based access control (RBAC)
- Principle of least privilege
- Regular access reviews
What to do: Implement identity and access management (IAM) with joiner, mover and leaver processes. Conduct quarterly access reviews, with privileged accounts reviewed more often. Establish clear offboarding procedures that revoke all access, including to third-party SaaS, on the day someone leaves.
10. Multi-Factor Authentication and Secure Communications
Deploy:
- Multi-factor authentication (MFA) for system access
- Continuous authentication where appropriate
- Secured voice, video, and text communications
- Secured emergency communication systems
What to do: Implement MFA wherever feasible, prioritising privileged accounts, remote access, cloud consoles and email. Prefer phishing-resistant methods (FIDO2/WebAuthn or certificate-based authentication) over SMS codes and push-only approvals, which are routinely bypassed by phishing proxies and MFA fatigue attacks. Use encrypted communication channels, and keep an out-of-band channel (for example a separate messaging platform or a phone tree) for use when corporate email or the identity provider is itself compromised.
Incident Reporting Requirements
NIS2 introduces a tiered incident notification system that requires organisations to report significant incidents to their national Computer Security Incident Response Team (CSIRT) or competent authority:
Notification Timeline
| Stage | Deadline | Content Required |
|---|---|---|
| Early Warning | Within 24 hours of becoming aware | Whether the incident is suspected to be caused by unlawful or malicious acts; whether it could have cross-border impact |
| Incident Notification | Within 72 hours of becoming aware | Initial assessment of the incident including severity and impact; indicators of compromise where available |
| Intermediate Report | Upon request | Status update on the incident handling |
| Final Report | Within 1 month of the incident notification | Detailed description of the incident including severity and impact; type of threat or root cause; mitigation measures applied and ongoing; cross-border impact if applicable |
If the incident is still ongoing when the final report is due, a progress report is submitted instead and the final report follows within one month of the incident being handled. Trust service providers must submit the incident notification within 24 hours rather than 72. Where appropriate, entities must also inform recipients of their services that are likely to be affected, without undue delay, including any mitigation those recipients can apply.
What Constitutes a "Significant Incident"?
An incident is significant (Article 23(3)) if it:
- Has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
For DNS service providers, TLD registries, cloud, data centre and CDN providers, managed (security) service providers, online marketplaces, search engines, social networks and trust service providers, Commission Implementing Regulation (EU) 2024/2690 sets concrete thresholds (service unavailability, numbers of affected users, financial loss) that define when an incident is significant. Other entities should define their own classification criteria in advance, so that the 24-hour clock is not consumed by debating whether an incident qualifies.
Penalties for Non-Compliance
NIS2 harmonises administrative fines across the EU by setting a floor for the maximum fine each member state must be able to impose, based on entity classification:
Essential Entities
- Maximum fine of at least €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher
- Subject to proactive supervision by authorities
- May face compliance orders, binding instructions, and security audit requirements
Important Entities
- Maximum fine of at least €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher
- Subject to reactive supervision (investigations typically following an incident or complaint)
Management Liability
One of NIS2's most significant provisions is personal accountability for management bodies. The directive requires that:
- Management bodies approve cybersecurity risk-management measures
- Management oversees implementation of those measures
- Management bodies can be held personally liable for infringements
- Managers must undergo training to gain sufficient knowledge and skills to identify risks
Note: For essential entities that fail to comply with enforcement orders within the set deadline, authorities must be able to temporarily prohibit any natural person with managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions (Article 32(5)).
How to Achieve NIS2 Compliance: Step-by-Step
Step 1: Determine Applicability
Assess whether your organisation falls within NIS2's scope:
- Review Annex I and Annex II sectors
- Evaluate your organisation's size against the thresholds
- Consider whether you're in the supply chain of an in-scope entity
- Check your member state's national implementing legislation for any variations
Step 2: Conduct a Gap Analysis
Compare your current cybersecurity posture against NIS2 requirements:
- Map existing controls to the 10 minimum measures
- Identify gaps in policies, procedures, and technical controls
- Assess incident response capabilities against notification requirements
- Evaluate supply chain security practices
Step 3: Develop a Compliance Roadmap
Create a prioritised plan to address identified gaps:
- Establish governance structures and assign responsibilities
- Prioritise quick wins and high-risk areas
- Define timelines and resource requirements
- Secure management buy-in and budget
Step 4: Implement Required Measures
Execute your compliance roadmap:
- Develop or update security policies and procedures
- Implement technical controls (MFA, encryption, monitoring)
- Establish incident response and business continuity plans
- Train employees and management
- Address supply chain security
Step 5: Establish Ongoing Compliance
Maintain compliance through continuous improvement:
- Conduct regular risk assessments and security audits
- Test incident response procedures
- Monitor regulatory updates and adapt accordingly
- Document all compliance activities for audit purposes
NIS2 and Other Regulations
NIS2 does not exist in isolation. Organisations may need to consider its interaction with other EU regulations:
| Regulation | Relationship with NIS2 |
|---|---|
| GDPR | NIS2 security measures support GDPR security obligations; incident reporting may trigger both NIS2 and GDPR notifications |
| DORA | For financial entities covered by DORA, DORA's ICT risk-management and incident-reporting provisions apply instead of NIS2 Articles 21 and 23 (DORA is lex specialis under Article 4 of NIS2) |
| CER Directive | Critical entities under CER must also comply with NIS2 |
| Cyber Resilience Act | Product security requirements complement NIS2's operational security focus |
| AI Act | AI systems in scope of NIS2 entities must also consider AI Act requirements |
Frequently Asked Questions
Does NIS2 apply to non-EU companies?
The directive primarily applies to entities established in the EU. However, providers of certain digital services that are not established in the EU but offer those services in the EU are in scope if they meet the size criteria: DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre, CDN, managed service and managed security service providers, online marketplaces, online search engines and social networking platforms. Such providers must designate a representative in one of the member states where they offer services (Article 26(3)). Non-EU companies in other sectors are not directly in scope but are commonly bound through contracts with in-scope customers.
Can ISO 27001 certification help with NIS2 compliance?
Yes. ISO 27001 provides an excellent foundation for NIS2 compliance as it covers many of the same security domains. However, you may need additional measures to address NIS2-specific requirements, particularly around incident reporting and supply chain security.
What if my organisation operates in multiple EU countries?
It depends on the type of entity (Article 26). DNS, TLD, cloud, data centre, CDN, managed service and managed security service providers, and online marketplaces, search engines and social networks are supervised by the member state of their "main establishment" (broadly, where cybersecurity risk-management decisions are predominantly taken). Other entities fall under the jurisdiction of each member state in which they are established, so a hospital group or energy company with subsidiaries in several countries must comply with each country's implementing law and report incidents to each relevant CSIRT or competent authority.
Are there any exemptions?
Certain sectors have specific regulations that take precedence (lex specialis), such as DORA for the financial sector. Additionally, entities exclusively serving national security, public security, or defence purposes are generally exempt.
Conclusion
NIS2 represents a fundamental shift in EU cybersecurity regulation, moving from a fragmented approach to a harmonised framework with real enforcement teeth. For organisations in scope, compliance is not optional—and the penalties for failure are significant.
The key to successful NIS2 compliance lies in:
- Understanding your obligations based on your sector and size
- Implementing the 10 minimum measures in a proportionate manner
- Establishing robust incident response capabilities
- Ensuring management engagement and accountability
- Maintaining continuous improvement through regular assessments
Starting early and taking a risk-based approach will help your organisation not only achieve compliance but also genuinely improve its cybersecurity resilience.
Need help with NIS2 compliance? Vision Compliance provides end-to-end support for organisations navigating NIS2 requirements—from gap assessments to implementation and ongoing compliance monitoring. Contact us for a consultation.