What Is NIS2? The Complete Guide to EU Cybersecurity Compliance in 2026
August 19, 2025
Updated: February 22, 2026
NIS2 (Directive (EU) 2022/2555) is the European Union's landmark cybersecurity legislation — the most significant overhaul of European network and information security rules in nearly a decade. With national transposition deadlines passed and enforcement now active across member states, organisations in scope must comply or face fines up to EUR 10 million and personal liability for management. This guide covers everything from determining whether NIS2 applies to you to implementing the required security measures.
Key Takeaways
NIS2 covers 18 sectors and applies to medium and large enterprises (50+ employees or EUR 10M+ turnover).
Organisations must implement 10 minimum security measures covering risk management, incident handling, supply chain security, and more.
Cyber incidents must be reported within 24 hours (early warning) and 72 hours (incident notification).
Fines reach EUR 10 million or 2% of global turnover for essential entities.
Management bodies are personally liable — directors must approve, oversee, and undergo cybersecurity training.
NIS2 complements GDPR and works alongside DORA (financial sector) and the Cyber Resilience Act (products).
Directive (EU) 2022/2555, known as the Network and Information Security Directive 2 (NIS2), is the EU's comprehensive cybersecurity framework. It establishes a common baseline of security requirements across all 27 member states and replaces the original NIS Directive from 2016.
NIS2 was adopted on 14 December 2022, entered into force on 16 January 2023, and member states were required to transpose it into national law by 17 October 2024. Organisations falling within its scope must now comply with the requirements set out in their national implementing legislation.
The directive has four core objectives:
Strengthen cybersecurity resilience across critical and important sectors
Harmonise security requirements to eliminate fragmentation between member states
Improve incident detection and response through mandatory reporting and cooperation
Enhance supply chain security by extending obligations to critical service providers
Key statistic: According to ENISA's 2024 Threat Landscape report, ransomware attacks increased by over 150% in the past five years, with critical infrastructure being the primary target. NIS2 is the EU's direct regulatory response to this escalation.
Why Was NIS2 Introduced?
The original NIS Directive (2016/1148) was groundbreaking as the EU's first cybersecurity law, but it had significant limitations:
Inconsistent transposition — member states implemented the directive differently, creating a patchwork of requirements
Narrow scope — only 7 sectors covered, leaving major industries unregulated
Weak enforcement — no harmonised penalties; some countries imposed minimal fines
No management accountability — cybersecurity was treated as an IT issue, not a board-level responsibility
Limited supply chain coverage — the weakest link in many organisations' security was unaddressed
The COVID-19 pandemic and the surge in ransomware attacks on hospitals, energy providers, and government agencies made clear that a stronger, broader framework was urgently needed.
NIS2 vs NIS1: What Changed?
Aspect | NIS1 (2016) | NIS2 (2022)
Sectors covered | ~7 sectors | 18 sectors (Annex I + Annex II)
Entity classification | Operators of essential services (OES), digital service providers | Essential entities + important entities
Size criteria | Member state discretion | Harmonised EU-wide thresholds (50+ employees or EUR 10M+)
| | Proactive for essential entities, reactive for important entities
Cooperation | Basic CSIRT network | Enhanced EU-CyCLONe network for crisis management
Who Must Comply with NIS2?
NIS2 applies to medium and large enterprises operating in one of the 18 covered sectors. The size thresholds are:
Size Category | Employees | Annual Turnover | Balance Sheet
Medium enterprise | 50-249 | EUR 10M-50M | EUR 10M-43M
Large enterprise | 250+ | Over EUR 50M | Over EUR 43M
Micro/small | Fewer than 50 | Under EUR 10M | Under EUR 10M
Micro and small enterprises are generally excluded, with important exceptions:
Trust service providers (eIDAS)
TLD name registries and DNS service providers
Public electronic communications networks or services
Public administration entities
Sole providers of an essential service in a member state
Entities where disruption could impact public safety, security, or health
Entities identified as critical under the CER Directive
Supply chain effect: Even if your organisation is below the size thresholds, you may be contractually required to meet NIS2 standards if you are a supplier to an essential or important entity. NIS2 Article 21(2)(d) explicitly requires in-scope entities to address supply chain security.
Essential vs Important Entities
NIS2 divides in-scope organisations into two categories, which determine the level of supervision and maximum penalties.
Essential Entities (Annex I — High Criticality)
Sector | Examples
Energy | Electricity (generators, DSOs, TSOs), oil, gas, hydrogen, district heating/cooling
Transport | Air, rail, water, and road transport operators and infrastructure managers
Banking | Credit institutions as defined by CRD
Financial market infrastructure | Trading venues, central counterparties, central securities depositories
Health | Hospitals, healthcare providers, EU reference laboratories, medical device manufacturers
Drinking water | Water supply and distribution operators
Waste water | Waste water collection, treatment, and disposal operators
Digital infrastructure | IXPs, DNS providers, TLD registries, cloud computing, data centres, CDNs, trust services, electronic communications
ICT service management (B2B) | Managed service providers (MSPs), managed security service providers (MSSPs)
Public administration | Central government entities (excluding judiciary, parliament, central banks)
Space | Operators of ground-based infrastructure supporting space services
Important Entities (Annex II — Other Critical)
Sector | Examples
Postal and courier | Postal service operators, courier and parcel delivery
Waste management | Waste collection, treatment, recovery, and disposal
Chemicals | Manufacturing, production, and distribution of chemical substances
Food | Food production, processing, and wholesale distribution
Manufacturing | Medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, trailers, other transport equipment
Digital providers | Online marketplaces, online search engines, social networking platforms
Research | Research organisations
The 10 Minimum Security Measures
Article 21 mandates that all in-scope entities implement appropriate and proportionate technical, operational, and organisational measures. The directive specifies 10 domains that must be addressed:
# | Measure | What It Covers
1 | Risk analysis and information security policies | Risk assessment methodology, security policies, asset classification, acceptable use
2 | Incident handling | Detection, analysis, classification, containment, recovery, and lessons learned
| | Awareness programmes, phishing simulations, role-based training, management training
8 | Cryptography and encryption | Encryption standards, key management, data protection at rest and in transit
9 | HR security and access control | Screening, RBAC, least privilege, access reviews, offboarding procedures
10 | Multi-factor authentication and secure communications | MFA for all systems, encrypted communications, emergency communication channels
Proportionality Principle
The measures must be proportionate to:
The size of the entity
The likelihood and severity of potential incidents
The state of the art and cost of implementation
The entity's exposure to risks
The potential societal and economic impact of an incident
Practical guidance: An SME with 60 employees in the food manufacturing sector will not be expected to implement the same controls as a major energy utility. However, both must demonstrate that they have addressed all 10 domains proportionate to their risk profile.
Incident Reporting Requirements
NIS2 introduces a four-stage notification system for significant cybersecurity incidents:
Stage | Deadline | Content
Early warning | Within 24 hours | Whether the incident is suspected to be unlawful/malicious; whether it may have cross-border impact
Incident notification | Within 72 hours | Initial assessment of severity and impact; indicators of compromise where available
Intermediate report | Upon request by CSIRT/authority | Status update on incident handling and response measures
Final report | Within 1 month of incident notification | Detailed description; root cause analysis; mitigation measures; cross-border impact assessment
What Is a "Significant Incident"?
An incident qualifies as significant if it:
Has caused or is capable of causing severe operational disruption of the service or financial loss to the entity
Has affected or is capable of affecting other persons by causing considerable material or non-material damage
Reporting to Whom?
Reports go to the national CSIRT (Computer Security Incident Response Team) or the designated competent authority in each member state. ENISA coordinates cross-border incidents through the EU-CyCLONe network.
Double reporting obligation: If the incident also involves personal data, GDPR's 72-hour notification to the data protection authority applies simultaneously. The NIS2 24-hour early warning is a separate, additional obligation.
Management Liability
One of NIS2's most significant innovations is personal accountability for management bodies (Article 20).
What Management Must Do
Obligation | Detail
Approve risk management measures | Management must formally approve the cybersecurity risk-management measures adopted under Article 21
Oversee implementation | Active supervision of whether measures are actually implemented and effective
Undergo training | Management members must obtain sufficient knowledge and skills to identify cybersecurity risks and assess practices
Ensure staff training | All employees must receive regular cybersecurity awareness training
Personal Consequences
Member states must ensure that management bodies can be held personally liable for infringements of Article 21. This may include:
Personal fines against individual directors
Temporary bans on exercising managerial functions
Public disclosure of non-compliance
Civil liability for damages caused by failure to fulfil obligations
This changes the dynamic fundamentally. Cybersecurity is no longer just an IT department responsibility — it is a board-level governance obligation with personal consequences for directors who fail to act.
Penalties and Enforcement
Maximum Fines
Entity Type | Maximum Fine | Supervision
Essential entities | EUR 10,000,000 or 2% of global annual turnover (whichever is higher) |
Germany, France, Netherlands, Czech Republic, Poland, Finland, Sweden
Delayed / in progress: Spain, Ireland, Portugal, Austria, Denmark, and others
Note: Even in countries where national transposition is delayed, the European Commission can take infringement proceedings. Organisations should not wait for national legislation to begin their compliance programmes.
FAQ
Does NIS2 apply to non-EU companies?
Yes. If you provide services within the EU in a covered sector and meet the size thresholds, NIS2 applies. Non-EU entities must designate a representative in one of the member states where they provide services.
Can ISO 27001 certification replace NIS2 compliance?
No, but it covers approximately 70-80% of NIS2 requirements. ISO 27001 is an excellent foundation that demonstrates a mature information security management system. However, NIS2 has specific requirements around incident reporting timelines, management liability, and registration that ISO 27001 does not cover.
What if my organisation operates in multiple EU countries?
You will primarily be supervised by the member state where your main establishment is located (where cybersecurity decisions are predominantly made). However, you must comply with national laws in all member states where you operate.
Are there exemptions?
Certain sectors have specific regulations that take precedence (lex specialis). DORA applies to financial entities instead of NIS2 for overlapping requirements. Entities exclusively serving national security, defence, or law enforcement are generally exempt.
How does NIS2 interact with GDPR breach notification?
A cyber incident may trigger both NIS2 and GDPR notification obligations simultaneously. NIS2 requires a 24-hour early warning to the CSIRT/competent authority; GDPR requires a 72-hour notification to the data protection authority if personal data is affected. These are separate obligations to separate authorities.
What happens if management refuses to comply?
NIS2 allows member states to impose personal sanctions on individual managers, including fines and temporary bans from exercising managerial functions. This is unprecedented in EU cybersecurity regulation.
Should I start compliance now or wait for national legislation?
Start now. The directive's requirements are clear, and most national transpositions closely follow the directive text. Early preparation avoids the rush and demonstrates proactive governance to regulators.
What is the cost of NIS2 compliance?
Costs vary significantly based on organisation size and current security maturity. Organisations with existing ISO 27001 certification may need EUR 50,000-150,000 to close NIS2-specific gaps. Organisations starting from a lower maturity level should budget EUR 200,000-500,000+ for the initial compliance programme, including technical controls, documentation, and training.
Conclusion
NIS2 represents a fundamental shift in EU cybersecurity governance. It moves from the voluntary, fragmented approach of the original NIS Directive to a mandatory, harmonised framework with real enforcement power and personal accountability for leadership.
For organisations in scope, the message is clear:
Determine your status — are you essential or important? In one or multiple member states?
Close the gaps — map your existing controls against the 10 minimum measures and address shortfalls
Engage management — NIS2 makes cybersecurity a board-level obligation with personal consequences
Build resilience — the goal is not just compliance but genuine cybersecurity maturity
Maintain continuously — NIS2 compliance is an ongoing programme, not a one-time project
The organisations that treat NIS2 as an opportunity to strengthen their security posture — rather than a checkbox exercise — will be best positioned to manage cyber risks and meet regulatory expectations.
Robert Lozo, mag. iur., is a Partner at Vision Compliance specializing in EU regulatory compliance. He advises organizations on GDPR, NIS2, AI Act, and financial regulation, delivering audit-ready documentation and compliance roadmaps across regulated industries.