What Is the NIS2 Directive?
The Network and Information Security 2 (NIS2) Directive is the European Union's updated framework for cybersecurity obligations across critical sectors. It replaces the original NIS Directive (2016) and entered into force in January 2023, with EU member states required to transpose it into national law by October 2024.
NIS2 represents a significant expansion in scope, specificity, and enforcement strength compared to its predecessor. Where the original NIS Directive focused on a relatively narrow set of "operators of essential services," NIS2 casts a much wider net — affecting thousands more organizations across Europe and, in some cases, their non-EU supply chain partners.
Who Does NIS2 Apply To?
NIS2 applies to medium and large organizations operating in sectors classified as either essential or important:
Essential Sectors
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, laboratories, pharmaceutical manufacturing)
- Drinking water and wastewater
- Digital infrastructure (internet exchange points, DNS, TLD registries, cloud providers, data centres)
- ICT service management (managed service providers, managed security service providers)
- Public administration
- Space
Important Sectors
- Postal and courier services
- Waste management
- Chemicals
- Food production and distribution
- Manufacturing (medical devices, computers, machinery, vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organisations
As a general rule, the directive applies to organizations with at least 50 employees or an annual turnover exceeding €10 million. Smaller organizations in critical sectors may also fall within scope.
Core NIS2 Requirements
Cybersecurity Risk Management Measures
Organizations must implement appropriate and proportionate technical, operational, and organizational measures to manage risks to their network and information systems. These include:
- Risk analysis and information system security policies
- Incident handling procedures
- Business continuity and crisis management (including backup management and disaster recovery)
- Supply chain security — assessing the security practices of direct suppliers and service providers
- Security in network and information systems acquisition, development, and maintenance
- Policies for assessing the effectiveness of cybersecurity measures
- Cybersecurity hygiene practices and awareness training
- Use of cryptography and encryption where appropriate
- Human resources security, access control policies, and asset management
- Multi-factor authentication and continuous authentication solutions
Incident Reporting Obligations
NIS2 introduces a tiered reporting timeline for significant incidents:
- Early warning: Within 24 hours of becoming aware of a significant incident.
- Incident notification: Within 72 hours of becoming aware of the incident, including an initial assessment of its severity and impact.
- Intermediate report: Upon request by the national authority.
- Final report: Within one month of the incident notification, providing a full description, root cause analysis, and mitigation measures taken.
Management Accountability
One of NIS2's most notable provisions is the explicit accountability placed on senior management. Directors and executives can be held personally liable for serious infringements, and they are required to approve cybersecurity measures, oversee their implementation, and undergo cybersecurity training.
Penalties for Non-Compliance
The enforcement regime under NIS2 is considerably stronger than under the original NIS Directive:
- Essential entities: Maximum fines of €10 million or 2% of global annual turnover, whichever is higher.
- Important entities: Maximum fines of €7 million or 1.4% of global annual turnover, whichever is higher.
Practical Steps Toward NIS2 Compliance
- Determine applicability: Assess whether your organization falls within a covered sector and meets the size thresholds.
- Gap assessment: Compare your current cybersecurity posture against NIS2's specific requirements to identify deficiencies.
- Supply chain review: Map your critical suppliers and assess their security practices — NIS2 explicitly requires this.
- Update incident response procedures: Ensure your IR plan can support the 24- and 72-hour reporting timelines.
- Engage leadership: Brief board members and senior executives on their personal obligations under the directive.
- Monitor national transposition: Requirements may vary slightly by member state — track how your country has implemented NIS2 locally.
NIS2 compliance is not a one-time exercise. Organizations should treat it as an ongoing program of risk management, continuously reviewing and improving their cybersecurity measures as the threat landscape and regulatory guidance evolve.