
NIS2 Directive

The Network and Information Security Directive 2 significantly expands the scope of EU cybersecurity law. If your organisation operates in one of 18 covered sectors — and most medium and large companies do — you have legal obligations that were not required under the original NIS Directive.

Directive (EU) 2022/2555
Transposition deadline: October 2024
18 covered sectors

The Network and Information Security Directive 2

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated legal framework for cybersecurity across critical and important sectors. It replaces the original NIS Directive (2016) and entered into force in January 2023, with a transposition deadline of 17 October 2024 for EU member states to bring it into national law. NIS2 represents a significant expansion in scope, obligations, and enforcement compared to its predecessor.

Where the original NIS Directive covered a narrow list of "operators of essential services" and "digital service providers," NIS2 substantially broadens the net. It now covers entities across 18 sectors, introduces a size-based threshold (companies with 50+ employees or €10M+ in turnover operating in covered sectors are automatically in scope), and dramatically strengthens the enforcement regime with fines of up to €10 million or 2% of global turnover for essential entities.

A key shift in NIS2 is the emphasis on management accountability. Senior management — including boards and C-suite executives — can be held personally liable for cybersecurity failures. They are required to approve cybersecurity measures, oversee their implementation, and receive regular training on cyber risk. This elevation of cybersecurity from an IT function to a board-level governance obligation is one of the most consequential changes for organisations in scope.

Essential entities and important entities

NIS2 divides in-scope organisations into two tiers — Essential Entities (EE) and Important Entities (IE) — which face the same core obligations but different supervisory and enforcement regimes.

  • Essential Entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (IXPs, DNS, TLDs, cloud, data centres), ICT service management, space, and public administration. Large companies (250+ employees or €50M+ turnover) in these sectors are automatically Essential.
  • Important Entities cover postal and courier services, waste management, chemicals, food, manufacturing of critical products (medical devices, computers, vehicles), digital providers (online marketplaces, search engines, social networks), and research organisations. Medium companies (50+ employees or €10M+ turnover) in these sectors qualify.

Some entities are in scope regardless of size — including providers of public electronic communications networks, qualified trust service providers, top-level domain name registries, and entities identified by member states as critical. Member states may also expand scope beyond the minimum EU-level requirements.

What NIS2 requires your organisation to do

Article 21 of NIS2 requires in-scope entities to implement risk-based, proportionate cybersecurity measures covering at least the following areas:

Policies on Risk Analysis

Maintain documented policies for analysing information systems security risks, including asset inventory, threat modelling, and regular risk assessments.

Incident Handling

Maintain documented incident response procedures covering detection, classification, containment, eradication, recovery, and post-incident review.

Business Continuity & Crisis Management

Maintain backup systems, disaster recovery capabilities, and crisis management procedures to ensure operational continuity during and after significant incidents.

Supply Chain Security

Assess and manage cybersecurity risks arising from relationships with direct suppliers and service providers, including security requirements in procurement contracts.

Secure System Acquisition & Development

Apply security-by-design principles in the acquisition, development, and maintenance of network and information systems, including vulnerability disclosure policies.

Access Control & Cryptography

Implement access control policies based on least privilege, multi-factor authentication, and encrypted communications for sensitive systems and data.

Strict timelines for notifying authorities

NIS2 introduces a three-stage incident notification process for significant incidents — defined as those with a substantial impact on service delivery or that affect other member states. Significant incidents must be reported to the national Computer Security Incident Response Team (CSIRT) or competent authority within the following timeframes:

Early Warning (24 hours)

An initial early warning must be submitted within 24 hours of becoming aware of a significant incident. This provides a basic notification that an incident has occurred or is suspected, including whether it may be the result of unlawful or malicious action.

Incident Notification (72 hours)

A more detailed incident notification must follow within 72 hours, including an initial assessment of the incident's severity, impact, and the indicators of compromise (IoC) identified at that stage.

Final Report (1 month)

A final report is required within one month of the incident notification. It must include a description of the threat, root cause analysis, measures taken, cross-border impact, and any ongoing or residual risks.

Significant fines and personal liability

NIS2 establishes minimum fine levels that member states must implement. The actual amounts are set by each member state's national law, but must be at least:

  • Essential Entities: up to €10 million or 2% of total worldwide annual turnover — whichever is higher.
  • Important Entities: up to €7 million or 1.4% of total worldwide annual turnover — whichever is higher.
  • Management liability: Member states must ensure that senior management can be held personally liable for cybersecurity failures. Competent authorities may temporarily ban managers from holding leadership roles.

Essential entities are subject to proactive (ex-ante) supervision — authorities can conduct audits and inspections without prior evidence of non-compliance. Important entities are subject to reactive (ex-post) supervision — audits are typically triggered by evidence of non-compliance or incidents.

Primary EU Legislation

NIS2 Directive (EU) 2022/2555: Art. 20–21 (security obligations) · Art. 23 (incident reporting) · Art. 24 (ICT registries)

NIS2 was due for transposition into national law by October 2024. Member State implementations may vary in enforcement detail and sector-specific thresholds.