What is NIS2 and how businesses must comply

Posted by Kevin Yun | January 24, 2026

Europe faces a cybersecurity crisis that grows worse by the day. Ransomware attacks hit healthcare providers. Power grids get targeted by sophisticated threat actors. Financial institutions deal with constant attempts at unauthorized access.

The original Network and Information Security Directive (NIS1) tried to address these challenges when it came into force in 2016. But digital threats evolved faster than the legislation could keep pace with. Supply chains became more complex. Remote work expanded attack surfaces. Critical infrastructure grew increasingly interconnected (and vulnerable).

NIS2 represents the European Union's response to this escalating threat landscape. This updated directive doesn't just patch a few holes in the old framework. It completely overhauls how Member States approach cybersecurity for organizations that keep society running.

Understanding the NIS2 Directive

The NIS2 Directive (Directive (EU) 2022/2555) establishes harmonized cybersecurity rules across all EU Member States. It targets organizations operating in 18 critical sectors, requiring them to implement appropriate security measures and report significant cyber incidents.

This legislation affects network and information systems that organizations depend on for daily operations. Those systems include everything from customer databases to industrial control systems to cloud infrastructure.

NIS2 entered into force on January 16, 2023. Member States had until October 17, 2024 to transpose the directive into national law. After that deadline, the new rules became applicable across the EU.

The directive aims to create what regulators call "a high common level of cybersecurity" throughout the European Union. Translation: countries can't have wildly different standards anymore. A hospital in Portugal needs to meet similar security baselines as a hospital in Finland.

Why NIS2 replaced NIS1

NIS1 had good intentions but serious limitations. The original directive covered only seven sectors and gave Member States too much discretion in implementation. This created a patchwork of inconsistent requirements across Europe.

Several factors drove the need for an updated framework:

Threat evolution: Cybercriminals developed more sophisticated attack methods. Zero-day exploits became commonplace. Phishing techniques grew harder to detect. Ransomware groups started targeting entire supply chains instead of individual organizations.

Digital transformation: Organizations migrated critical systems to cloud environments. Remote work exploded. IoT devices proliferated. Each change expanded potential vulnerabilities.

Pandemic disruption: COVID-19 accelerated digitalization while creating new security gaps. Attackers exploited confusion and rushed remote work implementations.

Cross-border attacks: Cyber incidents in one Member State increasingly affected others. A coordinated response became necessary.

Enforcement gaps: NIS1 lacked teeth. Penalties varied wildly between countries. Some organizations ignored requirements without facing real consequences.

NIS2 addresses these weaknesses through expanded scope, stricter requirements, and standardized enforcement mechanisms. The new directive covers 11 additional sectors and applies to medium and large organizations by default.

Who must comply with NIS2

NIS2 casts a wide net. Any medium or large organization operating in covered sectors within the EU falls under the directive's scope. Size thresholds follow standard EU definitions: companies with 50 or more employees or annual turnover/balance sheet exceeding €10 million.

Small and micro enterprises can still be subject to NIS2 if they provide critical services or if a cyber incident would have significant societal or economic impact. Member States maintain discretion to include smaller entities when the risk justifies it.

The directive's territorial scope extends beyond EU-based companies. Organizations headquartered outside Europe must comply if they provide services within the EU. This extraterritorial reach mirrors GDPR's approach to jurisdiction.

Public sector entities face particular attention. Central government administration and regional authorities (excluding local level) must comply regardless of size. This recognizes that government systems often lack adequate security despite their importance.

Essential vs important entities

NIS2 creates a two-tier system that categorizes organizations based on their criticality to society and the economy.

Essential entities operate in sectors where disruption would cause severe impacts. These include:

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Health sector (healthcare providers, EU reference laboratories, entities manufacturing basic pharmaceutical products)
  • Drinking water supply and distribution
  • Digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing services, data center services, content delivery networks, trust service providers, public electronic communications networks and services)
  • ICT service management (managed service providers, managed security service providers)
  • Public administration (central level, regional level in Member States)
  • Space (operators of ground-based infrastructure)

Important entities provide services that, while significant, would cause less severe disruption if compromised:

  • Postal and courier services
  • Waste management
  • Chemical production, processing and distribution
  • Food production, processing and distribution
  • Manufacturing (medical devices, computer and electronic products, electrical equipment, machinery and equipment, motor vehicles and transport equipment)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organizations

The distinction matters. Essential entities face more stringent supervision and stricter enforcement, and they are subject to ex-ante supervision (proactive oversight rather than reactive inspection).

Cybersecurity requirements under NIS2

Article 21 of NIS2 outlines security measures that covered entities must implement. The directive takes a risk-based approach, requiring "appropriate and proportionate technical and organizational measures."

But what does "appropriate and proportionate" actually mean? Regulators expect organizations to tailor measures to their specific risk profile. A regional hospital won't need the same security infrastructure as a national power grid operator.

The following table shows the core security domains that NIS2 addresses:

Security domain           Key requirements
Risk analysis             Regular assessment of information security risks, documented policies
Incident handling         Procedures for detecting, responding to, and recovering from incidents
Business continuity       Crisis management plans, disaster recovery, backup management
Supply chain security     Security measures for direct suppliers, evaluation of supplier cybersecurity practices
Network security          Firewalls, network segmentation, intrusion detection systems
Access control            Multi-factor authentication, least privilege principles, identity management
Vulnerability management  Regular security testing, patch management, coordinated vulnerability disclosure
Cryptography              Encryption for data at rest and in transit where appropriate
Security monitoring       Continuous monitoring and logging of systems and networks
Policies and procedures   Documentation of security measures and their effectiveness

Organizations must also ensure that management bodies approve cybersecurity strategies and oversee their implementation. This provision brings security to the boardroom level. No more delegating it entirely to IT departments.

Risk management measures

Risk analysis forms the foundation of NIS2 compliance. Organizations need to identify what assets they have, what threats those assets face, and what vulnerabilities could be exploited.

This goes beyond generic threat assessments. Companies must consider their specific operational context. A food distributor faces different risks than a social media platform, even if both fall under NIS2.

Security policies need regular review and updates. The threat landscape changes constantly. A policy written two years ago probably doesn't account for current attack vectors.

Business continuity planning takes on new importance under NIS2. Organizations must demonstrate they can maintain operations (or quickly restore them) after a significant incident. This means tested backup systems, documented recovery procedures, and regular crisis management exercises.

Supply chain security deserves special attention. Many breaches start with a compromised vendor or service provider. NIS2 requires organizations to assess the cybersecurity practices of their direct suppliers and implement measures to address supply chain risks.

Incident reporting obligations

NIS2 establishes strict timelines for reporting cybersecurity incidents. Organizations must notify relevant authorities "without undue delay" following specific schedules:

Early warning (within 24 hours): Organizations must send an initial notification within 24 hours of becoming aware of a significant incident. This early warning helps authorities understand the scope of potential cross-border impacts.

Incident notification (within 72 hours): A more detailed assessment must be provided within 72 hours. This report should include information about the incident's nature, severity, and potential impact.

Final report (within one month): Organizations have one month to submit a comprehensive final report that details the incident, its impact, and response measures taken.

The reporting requirements apply even when there's no indication of personal data exposure. This distinguishes NIS2 from GDPR breach notification rules, which focus specifically on personal data compromises.

Member States must establish Computer Security Incident Response Teams (CSIRTs) to receive and handle these reports. CSIRTs provide technical support and coordinate responses to incidents.

What constitutes a "significant incident" that triggers reporting obligations? The directive defines these as incidents that cause or are capable of causing severe operational disruption or financial loss. Member States provide more specific thresholds in their national implementing legislation.

Supply chain security requirements

Modern organizations rarely operate in isolation. They rely on cloud providers, software vendors, managed service providers, and countless other third parties. Each connection represents a potential entry point for attackers.

NIS2 recognizes this reality by imposing explicit supply chain security requirements. Organizations must take measures to address cybersecurity risks stemming from relationships with direct suppliers of IT and information systems.

This includes evaluating the overall quality of cybersecurity practices of suppliers. Companies need to ask hard questions: Does this vendor have adequate security controls? Have they experienced breaches? Do they have their own supply chain security program?

The directive particularly focuses on suppliers of critical products and services. Organizations should pay special attention to relationships involving:

  • Core infrastructure components
  • Security tools and services
  • Software with broad system access
  • Vendors handling sensitive data

Smart companies document their supply chain risk assessments and the security requirements they impose on vendors. This documentation proves compliance during audits and helps organizations make informed decisions about vendor relationships.

Penalties for non-compliance

NIS2 brings significant financial penalties that mirror GDPR's enforcement approach. Member States must ensure administrative fines reach levels that are "effective, proportionate and dissuasive."

The directive sets minimum fine thresholds based on entity classification:

Essential entities: Fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher).

Important entities: Fines of at least €7 million or 1.4% of total worldwide annual turnover (whichever is higher).

These represent floor amounts. National regulators can impose higher penalties when circumstances warrant.

But financial penalties aren't the only concern. NIS2 introduces personal accountability for management. Company leadership can be held responsible for failures to comply with cybersecurity risk management measures.

Some Member States have implemented additional sanctions in their national laws, including temporary bans on management holding similar positions. The message is clear: cybersecurity is now a board-level concern with personal consequences for executives.

National implementation and enforcement

Each Member State designates one or more competent authorities to supervise NIS2 implementation. These authorities handle registration of entities, monitor compliance, and conduct inspections.

Member States must also identify a single point of contact to coordinate cross-border cooperation. This streamlines communication when incidents affect multiple countries.

Competent authorities have broad powers under NIS2:

  • Conducting on-site inspections
  • Requiring organizations to provide information
  • Accessing data and documentation
  • Issuing binding instructions
  • Ordering audits

For essential entities, supervision includes ex-ante oversight. Authorities don't wait for problems to emerge. They proactively assess whether organizations maintain adequate security measures.

The directive requires Member States to publish (and regularly update) lists of entities subject to NIS2. This transparency helps organizations understand their obligations and allows stakeholders to verify which entities face regulatory oversight.

National implementation varies somewhat across Member States. While NIS2 harmonizes core requirements, countries retain flexibility in certain areas like sector-specific rules and organizational details of their supervisory frameworks.

Cooperation mechanisms and networks

Cybersecurity threats don't respect borders. An attack on energy infrastructure in one country can cascade across interconnected European grids. NIS2 establishes several mechanisms to facilitate cross-border cooperation.

The NIS Cooperation Group serves as the primary platform for strategic cooperation among Member States. This group includes representatives from each country plus the European Commission and ENISA (the EU Agency for Cybersecurity).

The Cooperation Group develops guidelines and best practices for implementing the directive. These non-binding recommendations help ensure consistent interpretation across Member States.

The CSIRTs Network connects the computer security incident response teams from all Member States. This network enables rapid information sharing about emerging threats and coordinated responses to cross-border incidents.

When a major cybersecurity crisis hits, the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) activates to coordinate the response. This network includes representatives from Member States and relevant EU institutions.

These cooperation mechanisms reflect a fundamental reality: effective cybersecurity requires collaboration. No single organization or country can defend against sophisticated threat actors alone.

NIS2 and other regulations

NIS2 doesn't exist in a vacuum. Organizations often need to comply with multiple overlapping regulations.

GDPR and NIS2: Both directives address data security, but from different angles. GDPR focuses on protecting personal data and individual rights. NIS2 targets the security of network and information systems that underpin critical services.

Organizations subject to both regulations need integrated compliance programs. Many NIS2 security measures (encryption, access controls, incident response) also support GDPR compliance.

DORA (Digital Operational Resilience Act): Financial entities face specific requirements under DORA that complement and sometimes overlap with NIS2. DORA provides more detailed provisions for the financial sector while building on NIS2's foundation.

Cyber Resilience Act: This upcoming regulation will establish cybersecurity requirements for products with digital elements. Manufacturers and distributors of such products will need to consider both NIS2 (if they operate in covered sectors) and the Cyber Resilience Act.

AI Act: The EU's artificial intelligence regulation intersects with NIS2 where AI systems support critical infrastructure or essential services. Organizations deploying AI in these contexts face requirements under both frameworks.

ePrivacy Directive: This directive addresses confidentiality of electronic communications. Organizations providing electronic communications services need to comply with both ePrivacy requirements and NIS2.

The European Commission has proposed measures to simplify and better align these various cybersecurity rules. Reducing compliance burden while maintaining strong security remains an ongoing challenge.

Recent amendments and future changes

On January 20, 2026, the European Commission proposed targeted amendments to NIS2 as part of a broader cybersecurity package. These amendments aim to increase legal clarity and simplify compliance.

The proposed changes would:

  • Clarify definitions and scope to reduce legal uncertainty
  • Simplify risk management requirements for smaller entities
  • Better align NIS2 with other EU cybersecurity legislation
  • Ease compliance burdens for approximately 28,700 companies (including 6,200 micro and small enterprises)

These amendments reflect feedback from the initial implementation period. Organizations and regulators identified areas where the directive's language created confusion or imposed disproportionate burdens on certain entity types.

The legislative process for these amendments will take time. Member States and the European Parliament must review and approve changes before they enter into force.

But the amendment proposal signals that NIS2 will continue evolving. Cybersecurity regulations must adapt to changing technology and threat landscapes. Organizations should expect periodic updates and refinements to the framework.

Preparing for NIS2 compliance

Organizations subject to NIS2 face substantial work to achieve and maintain compliance. A structured approach helps manage the effort.

Step 1: Determine applicability

Start by confirming whether NIS2 applies to your organization. Check if you operate in a covered sector and meet the size thresholds. Classify yourself as an essential or important entity.

Member State lists of registered entities provide useful reference points, but organizations should conduct their own analysis rather than relying solely on official registrations.

Step 2: Conduct gap analysis

Compare current cybersecurity practices against NIS2 requirements. Identify areas where your program falls short. Document existing controls that already align with the directive.

This gap analysis forms the roadmap for compliance efforts. Prioritize gaps based on risk and regulatory importance.

Step 3: Implement technical controls

Deploy the security measures that NIS2 mandates. This typically includes:

  • Multi-factor authentication across systems
  • Encryption for sensitive data
  • Network segmentation
  • Intrusion detection and prevention systems
  • Endpoint protection
  • Security information and event management (SIEM) tools
  • Vulnerability scanning and patch management systems

Technical controls should reflect the organization's specific risk profile and operational needs.

Step 4: Develop policies and procedures

Document cybersecurity policies that address all NIS2 domains. Create incident response plans with clear roles and escalation procedures. Establish change management processes that consider security implications.

Policies need regular review and updates. Set a schedule for periodic assessment and revision.

Step 5: Address supply chain security

Inventory critical suppliers and service providers. Assess their cybersecurity practices. Implement contractual requirements that address security expectations.

Consider requiring vendors to demonstrate their own NIS2 compliance (where applicable) or adherence to recognized security standards like ISO 27001.

Step 6: Establish incident reporting capabilities

Set up systems and processes for detecting, assessing, and reporting cybersecurity incidents. Ensure teams understand reporting timelines and requirements.

Test incident response procedures through tabletop exercises and simulations. Practice makes the difference when real incidents occur.

Step 7: Engage leadership

Brief management on their responsibilities under NIS2. Obtain board-level approval of cybersecurity strategies. Establish regular reporting on security posture to executive leadership.

Personal accountability provisions mean executives need genuine involvement, not just pro forma sign-offs.

Step 8: Maintain ongoing compliance

NIS2 compliance isn't a one-time project. Organizations must continuously monitor their security posture, adapt to new threats, and update controls as technology and operations evolve.

Regular internal audits help verify that security measures remain effective and compliant with requirements.

Compliance platforms like ComplyDog help organizations manage the complexity of meeting NIS2 requirements alongside other regulations like GDPR. These tools centralize compliance activities, automate documentation, track vendor assessments, and maintain audit trails that demonstrate regulatory adherence. For organizations juggling multiple compliance frameworks, integrated platforms reduce administrative burden while strengthening overall security and data protection capabilities.
