# NIS2 — Directive (EU) 2022/2555

**Primary source:** EUR-Lex — https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32022L2555

**Official citation:** Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2 Directive).

**In force:** January 16, 2023. Member States were required to transpose it into national law by October 17, 2024, and it applies to entities in scope from that date.

---

## Scope

NIS2 applies to entities in two categories:

### Essential Entities (Annex I)
Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (cloud, CDN, data centres, DNS, TLD registries, IXPs), ICT service management, public administration, and space.

### Important Entities (Annex II)
Postal and courier services, waste management, chemicals, food production, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks).

**Size thresholds:** Medium enterprises (50–249 employees, or €10M–€50M turnover) and large enterprises (250+ employees, or >€50M turnover) in scope sectors must comply. Some entities are "essential" regardless of size (e.g. critical infrastructure operators, TLD registries).

---

## Key Obligations (Articles 21–23)

### Cybersecurity Risk Management (Article 21)
Entities must implement measures covering:
- Risk analysis and information system security policies
- Incident handling
- Business continuity and disaster recovery
- Supply chain security
- Network and information system acquisition, development and maintenance security
- Policies and procedures to assess effectiveness of cybersecurity risk-management measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on use of cryptography and encryption
- Human resources security, access control policies and asset management
- Use of multi-factor authentication or continuous authentication

### Incident Reporting (Article 23)
- **24 hours** — early warning to national CSIRT/competent authority
- **72 hours** — incident notification with initial assessment
- **1 month** — final report including full impact, root cause and remediation

### Management Accountability (Article 20)
Management bodies are personally responsible for approving and overseeing cybersecurity measures. Management body members may be held liable for infringements.

### Supply Chain Security (Article 21(2)(d))
Entities must address security in supplier and service provider relationships. The NIS2 Cooperation Group may issue guidance on ICT product and service security.

---

## Maximum Penalties (Articles 34–36)

| Entity type | Maximum fine |
|-------------|-------------|
| Essential entities | €10,000,000 or 2% of global annual turnover |
| Important entities | €7,000,000 or 1.4% of global annual turnover |

National supervisory authorities may also impose non-monetary measures, such as a temporary prohibition on performing management functions.

---

## Supervisory Authorities

Each Member State designates one or more competent authorities. ENISA coordinates at EU level: https://www.enisa.europa.eu

---

## Canonical Pages (EuroComply)

- Full guide: https://eurocomply.app/regulations/nis2
- SME compliance guide: https://eurocomply.app/nis2-compliance-sme
- Scope checker tool: https://eurocomply.app/tools/regulation-checker

---

Last updated: 2026-05-12
