
What Is NIS2? Everything You Need to Know About the EU Cybersecurity Directive

By NIS2Certify

NIS2 (Directive 2022/2555) is the European Union's updated cybersecurity directive. It replaces the original NIS Directive from 2016 and applies to organisations across 18 critical sectors in every EU member state.

In this article, we explain what NIS2 is, who it applies to, what you need to do, and what happens if you don't comply.


Why does NIS2 exist?

Cyber attacks on hospitals, energy providers, and government systems have shown that digital threats can disrupt entire societies. A single ransomware attack on one supplier can cascade across borders, shutting down services that millions of people depend on.

The EU concluded that cybersecurity can no longer be left to individual organisations or member states. NIS2 sets a minimum level of cybersecurity that all member states must enforce — eliminating weak links so that a vulnerability in one country doesn't compromise the entire Union.

What changed compared to the original NIS Directive?

  • Wider scope — from a handful of sectors to 18
  • More specific requirements — 10 concrete measure categories instead of vague guidelines
  • Stronger enforcement — fines up to €10 million and personal board liability
  • Stricter incident reporting — mandatory reporting within 24 hours

Who does NIS2 apply to?

NIS2 uses a size cap as its primary criterion. The directive applies to your organisation if you meet both of these conditions:

  • 50 or more employees, or annual turnover / balance sheet total exceeding €10 million
  • You operate in one of the 18 designated sectors

Highly critical sectors (Annex I)

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD registries, cloud, data centres, CDNs)
  • ICT service management (B2B — managed services, managed security)
  • Government
  • Space

Other critical sectors (Annex II)

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research institutions

Note: Some organisations fall under NIS2 regardless of size — including qualified trust service providers, top-level domain registries, and DNS service providers.

Essential vs. important entities

NIS2 distinguishes between two categories:

  • Essential entities — larger organisations in highly critical sectors. Subject to proactive supervision: authorities can audit and inspect at any time.
  • Important entities — subject to reactive supervision: authorities act only after an incident or signal of non-compliance.

Both categories must implement the same security measures. The difference lies in the supervision model and the maximum fines.


What does NIS2 require? The 3 core obligations

1. Duty of care — the 10 measures of Article 21

Organisations must take appropriate technical, operational, and organisational measures to manage cybersecurity risks. Article 21 lists ten specific measure categories you must implement at minimum.

Here is an overview of how the 10 measures of Article 21 are grouped by theme (the numbers are the measure numbers used in the detailed list below):

Governance & Strategy
  • 1. Risk analysis & information security policies
  • 6. Effectiveness assessment of security measures

Incident & Continuity
  • 2. Incident handling & notification
  • 3. Business continuity & disaster recovery

Supply Chain & Systems
  • 4. Supply chain security
  • 5. Security in network & information systems development

Technical Controls
  • 8. Cryptography & encryption
  • 10. Multi-factor authentication & secure communications

People & Assets
  • 7. Cyber hygiene & training
  • 9. HR security & access control

Each measure in detail:

  1. Risk analysis and information security policies — documented risk assessments and security policies for your information systems
  2. Incident handling — processes for detecting, responding to, and recovering from security incidents
  3. Business continuity and crisis management — backup strategies, disaster recovery, and crisis management procedures
  4. Supply chain security — security requirements for your suppliers and service providers, including contractual arrangements
  5. Secure acquisition, development, and maintenance — security in the lifecycle of your network and information systems, including vulnerability handling and disclosure
  6. Effectiveness assessment — policies and procedures to evaluate whether your cybersecurity measures actually work
  7. Cyber hygiene and training — basic cybersecurity practices for all staff, plus targeted training programmes
  8. Cryptography and encryption — policies on when and how to use cryptographic controls and encryption
  9. HR security, access control, and asset management — personnel vetting, role-based access controls, and an up-to-date inventory of your assets
  10. Multi-factor authentication and secure communications — MFA for critical systems, encrypted internal communications, and secured emergency communication channels

2. Incident reporting obligation (Article 23)

When a significant incident occurs, you must report it in three stages:

  • Within 24 hours — Initial notification to the supervisory authority and national CSIRT: was it malicious? Could it have cross-border impact?
  • Within 72 hours — Follow-up report with an initial assessment of severity, impact, and indicators of compromise
  • Within 1 month — Final report with a detailed description, root cause analysis, and applied mitigation measures

3. Registration obligation

Organisations that fall under NIS2 must register with their national supervisory authority. Deadlines and registration portals vary by country.


What happens if you don't comply?

The consequences are significant — both for the organisation and for individual board members.

Financial penalties

  • Essential entities: fines up to €10 million or 2% of global annual turnover (whichever is higher)
  • Important entities: fines up to €7 million or 1.4% of global annual turnover

Personal board liability

This is where NIS2 goes further than most regulations. Article 20 places cybersecurity responsibility explicitly with the management body:

  • Board members must approve risk management measures
  • Board members must supervise their implementation
  • Board members can be held personally liable for failures
  • Board members are required to undergo cybersecurity training

This isn't just about signing off on a policy document. NIS2 expects the board to actively understand the organisation's risk landscape and make informed decisions.


NIS2 implementation timeline across the EU

NIS2 entered into force at EU level in January 2023. Member states had until 17 October 2024 to transpose it into national law. However, timelines vary significantly:

  • Belgium — Fully in force since October 2024; one of the first to implement
  • Germany — NIS2UmsuCG passed November 2025; BSI registration required by April 2026
  • Netherlands — Cyberbeveiligingswet submitted to parliament June 2025; expected Q2 2026
  • France — Transposition in progress; national law expected 2026
  • Italy — Legislative decree adopted; implementation underway
  • Spain — Transposition in progress
  • Poland — Draft legislation in parliamentary review

Key takeaway: Regardless of your country's specific timeline, the direction is clear. Organisations that start preparing now have a significant advantage over those that wait for enforcement to begin.


How to get started with NIS2 compliance

Preparing for NIS2 doesn't have to be overwhelming. Follow these five steps:

  1. Determine whether NIS2 applies to you — check the size cap (50+ employees or €10M+ turnover) and verify your sector
  2. Assess your current state — map your existing measures against the 10 Article 21 categories and identify gaps
  3. Prioritise and implement — tackle the highest-risk gaps first; don't try to do everything at once
  4. Document everything — NIS2 requires demonstrable compliance. If you can't prove it, it doesn't count
  5. Involve your board — make sure management understands their personal liability and approves the risk management approach

Start with a free NIS2 quickscan

Not sure where your organisation stands? Our free NIS2 quickscan gives you an initial assessment of your readiness in just a few minutes.

The scan covers all 10 Article 21 measure categories and shows you exactly where you need to take action — no commitment required.

