NIS2 Directive: Essential Requirements for Operators
NIS2 expanded EU cybersecurity obligations in 2024. This guide explains the 10 minimum security measures, incident reporting timelines, and management liability rules.
The NIS2 Directive (Directive 2022/2555) replaced the original NIS Directive in October 2024, significantly expanding both the scope of EU cybersecurity obligations and the consequences of non-compliance. Where the original NIS Directive applied to a limited set of operators of essential services, NIS2 covers a much wider range of sectors, introduces direct management liability, and harmonises incident reporting requirements across the EU.
If your organisation operates in one of the 18 covered sectors, this guide explains what you are required to implement, when incidents must be reported, and what management liability means in practice.
Scope: Essential vs Important Entities
NIS2 creates two tiers of regulated entity with different oversight regimes:
Essential entities face ex ante (proactive) supervision. National competent authorities can conduct inspections and audits without waiting for an incident. Penalties for essential entities can reach €10 million or 2% of global annual turnover, whichever is higher.
Important entities face ex post supervision — authorities can investigate following evidence of non-compliance or an incident. Penalties are lower: up to €7 million or 1.4% of global annual turnover.
The 18 covered sectors span: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (including DNS providers, TLD registries, data centres, cloud providers, CDN operators), ICT service management (B2B managed service providers), public administration, space, postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers, machinery, vehicles), digital providers (online marketplaces, search engines, social networks), and research organisations.
Classification as essential or important depends on sector and size. Most medium and large organisations in the listed sectors are automatically in scope. Competent authorities can also designate smaller entities as essential or important if they are critical for their sector.
The 10 Minimum Security Measures (Article 21)
Article 21 of NIS2 requires all in-scope entities to implement "appropriate and proportionate technical, operational and organisational measures" addressing at least these 10 areas:
- Risk analysis and information security policies — documented policies covering risk analysis and information system security, with defined roles and responsibilities.
- Incident handling — established processes and procedures for detecting, responding to, and recovering from security incidents, including clear roles, communication plans, and evidence preservation.
- Business continuity — backup management, disaster recovery, and crisis management procedures that ensure operations can be restored following a significant disruption.
- Supply chain security — assessment of the security practices of direct suppliers and service providers, and contractual security requirements flowing down the supply chain.
- Security in network and information systems acquisition, development, and maintenance — including vulnerability handling and disclosure policies covering the systems you operate.
- Policies and procedures to assess the effectiveness of cybersecurity risk-management measures — regular testing, auditing, and review of security controls.
- Basic cyber hygiene practices and cybersecurity training — regular training for all staff, and documented policies for fundamental hygiene: patching schedules, access management, multi-factor authentication, secure configuration.
- Policies and procedures regarding the use of cryptography — and, where appropriate, encryption, including key management.
- Human resources security, access control policies, and asset management — personnel security procedures, privilege management, and a maintained asset inventory.
- Use of multi-factor authentication, continuous authentication solutions, secured voice/video/text communications, and secured emergency communication systems — where appropriate within the organisation.
The measures must be proportionate to the risk, the size of the entity, and the potential societal and economic impact of an incident. This does not mean small organisations can ignore the requirements — it means they are applied in proportion to the threat landscape.
Incident Reporting: Three-Stage Timeline
Article 23 of NIS2 introduces a harmonised three-stage reporting process for significant incidents. A significant incident is one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting other natural or legal persons.
Stage 1 — Early warning (within 24 hours): Notify the national CSIRT or competent authority that a significant incident has occurred or is suspected. At this stage you do not need a full assessment — the purpose is to give authorities early awareness.
Stage 2 — Incident notification (within 72 hours): Provide an incident notification including an initial assessment of the incident's severity and impact, any indicators of compromise, and whether the incident is suspected to involve criminal or malicious activity.
Stage 3 — Final report (within one month): Submit a detailed final report covering a description of the incident including its severity and impact, the type of threat or root cause, applied and ongoing mitigation measures, and where the incident has cross-border impact, information required by other affected member states.
Missing these deadlines — particularly the 24-hour and 72-hour windows — is a direct compliance failure and grounds for supervisory action.
Management Body Liability (Article 20)
One of the most significant changes introduced by NIS2 is the direct personal liability of management bodies. Article 20 requires member states to ensure that management bodies of essential and important entities approve and oversee the entity's cybersecurity risk-management measures and that members of management bodies can be held personally liable for infringements.
In practice this means: boards and senior management must be trained in cybersecurity fundamentals, must formally approve the organisation's security policies and incident response procedures, and must receive regular reporting on the security posture of the organisation. Management liability is not delegatable — designating a CISO does not remove board responsibility.
Transition from NIS1
If your organisation was subject to the original NIS Directive, you are not starting from scratch — but significant gaps are likely. NIS2 adds stricter supply chain security requirements, a formal management approval requirement that did not exist under NIS1, more specific training obligations, and a more prescriptive 10-measure framework. The October 2024 transposition deadline has passed, and national competent authorities are actively supervising compliance.
Organisations new to NIS2 should begin with a gap analysis against the 10 Article 21 measures, map their incident detection and reporting capabilities against the three-stage timeline, and ensure management has formally approved security policies and received appropriate training.
Last updated: May 2026. For informational purposes only — not legal advice.
Frequently Asked Questions
How do we determine whether our organisation is an essential or important entity under NIS2?
Classification depends on your sector and the size thresholds defined in national transposition legislation. The NIS2 Directive itself uses the EU definition of medium and large enterprises (50+ employees or €10M+ annual turnover). Organisations in the listed sectors meeting these thresholds should assume they are in scope and assess whether they are essential or important based on their specific sector category. Competent authorities in each member state publish sector-specific guidance and may directly notify organisations of their classification. If you are in doubt, the safest approach is to treat your organisation as an important entity and implement Article 21 measures accordingly while awaiting formal classification.
Does NIS2 apply to subsidiaries of non-EU companies operating in the EU?
Yes. The territorial scope of NIS2 covers entities that provide services or carry out activities within the EU, regardless of where the parent company is headquartered. A subsidiary or branch operating in an EU member state and meeting the sector and size thresholds is subject to NIS2 in that member state. If the entity operates across multiple member states, it is typically supervised by the member state where it has its main establishment, with coordination between national competent authorities for cross-border incidents.
What is the relationship between NIS2 and GDPR for incident reporting?
NIS2 and GDPR both impose incident reporting obligations, but they operate on different triggers and different timelines. GDPR Article 33 requires notification of personal data breaches to the supervisory authority within 72 hours of becoming aware of the breach, and applies only where personal data is affected. NIS2 Article 23 requires reporting of significant incidents affecting network and information systems, which may or may not involve personal data. An incident can trigger both obligations simultaneously. In that case, reports should be made to both the CSIRT or NIS2 competent authority and the data protection supervisory authority, with the respective timelines running in parallel.
Sources
- EUR-Lex, Directive (EU) 2022/2555 (NIS2 Directive): https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
- European Union Agency for Cybersecurity (ENISA), NIS2 implementation guidance: https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
- European Commission, NIS2 transposition and national competent authorities: https://digital-strategy.ec.europa.eu/en/policies/nis2-directive
- ENISA, Good practices for security of IoT and related technologies: https://www.enisa.europa.eu/publications/good-practices-for-security-of-iot
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.