What Is NIS2? A Complete Guide for Businesses
NIS2 (Directive 2022/2555) replaced NIS1 in October 2024. This guide covers essential vs important entities, Article 21 security measures, incident reporting timelines, management liability, and fines.
The NIS2 Directive (Directive 2022/2555) is the European Union's cybersecurity law for critical and important sectors. It replaced the original NIS1 Directive (2016/1148) and had a transposition deadline of 17 October 2024 — meaning EU Member States were required to convert its requirements into national law by that date.
NIS2 significantly expands the scope of mandatory cybersecurity obligations, introduces direct management liability, standardises incident reporting, and increases maximum fines. This guide covers everything organisations in scope need to understand.
What Is NIS2?
NIS2 establishes minimum cybersecurity standards for operators in critical and important sectors across the EU. Where NIS1 covered a narrow list of operators of essential services and digital service providers, NIS2 applies to a much broader set of sectors and entity sizes.
The core shift in NIS2 is from self-identification (NIS1 relied on Member States to designate entities) to a size-based threshold rule: most entities in covered sectors that meet the medium enterprise threshold are automatically in scope.
NIS2 is a directive, not a regulation — it required transposition into national law. As of early 2026, most EU Member States have completed or substantially completed transposition, though implementation quality and supervisory capacity vary.
Who Does NIS2 Apply To?
Sector Scope
NIS2 divides covered sectors into Annex I (Essential Entities) and Annex II (Important Entities):
| Classification | Sectors |
|---|---|
| Essential Entities (Annex I) | Energy (electricity, oil, gas, district heating/cooling, hydrogen), Transport (air, rail, water, road), Banking, Financial market infrastructures, Health, Drinking water, Wastewater, Digital infrastructure (IXPs, DNS, TLD registries, cloud computing, data centres, CDNs, trust services, electronic communications networks), ICT service management (MSPs, MSSPs), Public administration (central government), Space |
| Important Entities (Annex II) | Postal and courier services, Waste management, Manufacture and distribution of chemicals, Food production and distribution, Manufacturing (medical devices, computers/electronics, machinery, motor vehicles, other transport equipment), Digital providers (online marketplaces, online search engines, social networking platforms), Research organisations |
Size Thresholds
The default rule is that entities in covered sectors must meet at least the medium enterprise threshold to be in scope:
- Medium enterprise: 50+ employees or €10M+ annual turnover/balance sheet
- Large enterprise: 250+ employees or €50M+ annual turnover or €43M+ balance sheet
Entities below the medium threshold are generally out of scope, unless they are specifically identified by Member States as critical regardless of size (Art. 2(2)) — for example, the sole provider of an essential service in a Member State, or an entity whose disruption would significantly impact public safety.
Essential entities are typically large enterprises in Annex I sectors. Important entities are typically medium enterprises in either annex. The distinction matters for supervision intensity and maximum fines.
Article 21 Security Measures
Article 21 is the operational heart of NIS2. It requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to their network and information systems. Measures must be based on an all-hazards approach and must address at least the following ten areas:
| Obligation | Description |
|---|---|
| 1. Risk management policies | Written policies on risk analysis and information system security |
| 2. Incident handling | Procedures for detection, classification, response, and recovery |
| 3. Business continuity | BCM plans covering backup management, disaster recovery, and crisis management |
| 4. Supply chain security | Security in procurement relationships — assessing supplier security practices and vulnerability disclosure practices |
| 5. Procurement, development and maintenance security | Security in acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure |
| 6. Vulnerability disclosure | Policies and procedures for assessing the effectiveness of cybersecurity measures, including coordinated vulnerability disclosure |
| 7. Cyber hygiene and training | Basic cyber hygiene practices and cybersecurity training for staff and management |
| 8. Cryptography and encryption | Policies on the use of cryptography and, where appropriate, encryption |
| 9. Human resources security and access control | Asset management, HR security policies, and access control measures |
| 10. Multi-factor authentication (MFA) | Use of MFA or continuous authentication solutions, and secure voice/video/text communications and secured emergency communications where appropriate |
The measures must be proportionate to the risk — a large financial market infrastructure faces different obligations than a medium-sized food manufacturer, even though both are in scope.
Entities must also address security in supply chains. Article 21(3) explicitly requires that entities take into account the vulnerabilities specific to each direct supplier and service provider, and the overall quality of products and cybersecurity practices of their suppliers.
Incident Reporting (Article 23)
NIS2 introduces a structured, three-stage reporting obligation for significant incidents — incidents that have or could have a significant impact on the provision of services. An incident is significant if it causes severe operational disruption, financial loss, or material or non-material damage to others.
| Stage | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Indication of whether the incident is suspected to be malicious or cross-border; brief characterisation |
| Incident notification | Within 72 hours of becoming aware | Updated assessment of incident, including initial severity and impact; indicators of compromise where available |
| Final report | Within 1 month of incident notification | Full description, type of threat or root cause, applied and ongoing mitigation measures, cross-border impact |
For ongoing incidents at the 1-month mark, a progress report is submitted instead, with the final report due one month after the incident is handled.
Significant incidents must be reported to the national CSIRT (Computer Security Incident Response Team) and, where relevant, the competent national authority. Entities may also notify affected service recipients without undue delay where the incident is likely to affect them.
Management Liability (Article 20)
NIS2 introduces a direct accountability requirement at the governance level. Article 20 requires that:
- Management bodies of essential and important entities must approve the cybersecurity risk management measures taken under Article 21
- Management bodies must oversee the implementation of those measures
- Management body members can be held personally liable for infringements of NIS2 obligations
Article 20(4) goes further: competent authorities can temporarily prohibit a natural person exercising managerial responsibilities at CEO or legal representative level from performing management functions if that entity has demonstrated repeated infringements.
This is a significant departure from the typical regulatory model where fines are levied on the organisation. NIS2 creates individual accountability that flows through to the C-suite and board.
The practical implication is that cybersecurity is no longer a purely technical function — it must be treated as a governance matter. Boards and management teams need sufficient understanding of cybersecurity risk to meaningfully approve and oversee measures.
Supervision and Enforcement
NIS2 distinguishes between supervision regimes:
- Essential entities are subject to ex-ante supervision — proactive, ongoing supervisory oversight including on-site inspections, off-site supervision, targeted security audits, and security scans.
- Important entities are subject to ex-post supervision — supervisory action triggered by evidence of non-compliance, complaints, or incidents.
Competent authorities can require entities to provide information, implement security measures, notify affected recipients, and appoint an independent security auditor.
Fines (Article 34)
NIS2 sets a floor for the maximum fine levels that Member States must implement in national law. As with GDPR, the applicable maximum is whichever is higher — the absolute figure or the percentage of global annual turnover.
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10,000,000 or 2% of total worldwide annual turnover |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover |
Member States may set higher maxima in national implementing legislation. Fines are imposed at the national level by the competent supervisory authority.
In addition to fines, competent authorities can issue binding instructions, compliance orders, and temporary prohibitions on service provision for repeated or serious infringements.
Relationship with Other EU Regulations
NIS2 operates alongside, not instead of, other EU cybersecurity and data protection instruments:
- GDPR — A personal data breach may simultaneously trigger GDPR breach notification (72h, Art. 33 GDPR) and NIS2 incident reporting. The two notification obligations run in parallel.
- DORA (Digital Operational Resilience Act, Reg. 2022/2554) — Applies to financial entities (banks, insurers, investment firms, crypto asset providers, payment institutions). Where DORA applies, it takes precedence over NIS2 for those entities (lex specialis).
- CRA (Cyber Resilience Act) — Applies to manufacturers of products with digital elements. Addresses product security rather than operational security.
- Sectoral regulations — Entities in healthcare, energy, and transport face additional sector-specific requirements that overlay NIS2.
Implementation Steps for SMEs and Mid-Market
For organisations newly in scope under NIS2 (many of which were not covered by NIS1), implementation typically spans three phases:
Phase 1 — Scoping and Gap Assessment (Months 1–2)
Confirm whether your organisation is in scope: check sector (Annex I or II) and size threshold. Identify which Member State competent authority supervises you (generally the state where you are established, or where you provide the service). Register with the competent authority if required — several Member States require self-registration for entities in scope. Conduct a gap assessment against the ten Article 21 obligations.
Phase 2 — Foundation Controls (Months 3–6)
Implement or formalise the highest-priority measures: incident handling procedures, BCM/DR plans, access control and MFA, supply chain assessment, vulnerability management, and staff training. Document everything — NIS2 supervision relies heavily on written evidence.
Phase 3 — Governance and Ongoing Assurance (Months 6+)
Integrate cybersecurity into board/management governance. Establish management approval and oversight processes (Art. 20). Implement continuous monitoring for incident detection. Test BCM and incident response procedures at least annually. Develop a supply chain security assessment programme for critical suppliers.
Key questions to ask suppliers:
- Do they have a documented information security management system (ISO 27001 or equivalent)?
- How do they handle vulnerability disclosure?
- What are their incident notification obligations to you?
- What are their BCM capabilities?
Summary
NIS2 represents a step-change in EU cybersecurity regulation. It is broader in scope than NIS1, more prescriptive in its security obligations, faster in its incident reporting requirements, and more direct in its management accountability provisions. For organisations newly in scope, the practical priority is: confirm scope, register where required, conduct a gap assessment against Article 21, and build the governance infrastructure that Art. 20 demands. The management liability provisions mean that cybersecurity compliance is no longer a delegatable IT function — it requires active engagement from senior leadership.
Last updated: April 2026. For informational purposes only — not legal advice.
EuroComply Editorial Team
EU regulatory compliance specialists covering the AI Act, GDPR, NIS2, and related legislation. Content reviewed against official EU regulation texts and enforcement guidance.