What is NIS2?

NIS2 is the successor to the original NIS Directive from 2016. NIS1 set a shared direction but left implementation to each member state. The result was exactly what you'd expect: inconsistent requirements, inconsistent enforcement, and fines without teeth. NIS2 fixes this with specific obligations, defined supervisory structures and penalties that actually mean something.

The directive (EU 2022/2555) was adopted in December 2022 with a transposition deadline of 17 October 2024. Each EU member state was required to pass national legislation implementing it by that date. The UK, having left the EU, has its own regime (NIS Regulations 2018, currently under review), but many UK organisations supplying EU customers will find themselves in scope indirectly through supply chain requirements.

Under NIS1 a relatively small number of organisations were covered. Under NIS2, potentially hundreds of thousands across the EU are in scope.

Who is covered?

The directive uses two tiers: essential entities and important entities. The distinction primarily affects supervision intensity and fine levels, not the security measures required. Those are the same for both.

Sectors with essential entities

Sectors with important entities

Size thresholds

The general rule: 50 or more employees OR €10 million or more in annual turnover or balance sheet total. However, critical sectors have exceptions: certain organisations are in scope regardless of size, including digital infrastructure providers, TLD registries and government bodies.

📝 Not sure if you are in scope? The relevant national competent authority for your sector is the right contact for clarification. Do not assume you are out of scope without checking.

What does NIS2 require?

Article 21 of the directive specifies ten categories of security measures that covered entities must implement. These are legal requirements, not guidelines.

  1. Risk analysis and information security policies: systematic risk assessments and documented policies
  2. Incident handling: procedures for detecting, managing and reporting security incidents
  3. Business continuity and crisis management: backup procedures, disaster recovery, business continuity plans
  4. Supply chain security: security requirements for suppliers and service providers
  5. Security in network and information systems acquisition, development and maintenance
  6. Policies and procedures to assess effectiveness of cybersecurity measures: testing and auditing
  7. Basic cyber hygiene practices and cybersecurity training: staff awareness
  8. Policies on the use of cryptography and encryption
  9. Human resources security, access control policies and asset management
  10. Multi-factor authentication and secure communications

Incident reporting timelines

NIS2 introduced tight reporting deadlines. If you discover a significant incident:

The 72-hour window matches the GDPR Article 33 deadline for personal data breaches, but NIS2 applies regardless of whether personal data is involved.

Management liability

NIS2 makes senior management personally liable. You can't hand it to whoever manages IT and call it done. The named responsible person must approve the security measures, actively oversee their implementation, and can be personally fined for non-compliance.

Supervision and fines

The penalty levels are:

Supervisory authorities vary by member state and sector. Most EU countries designate a national cybersecurity agency that coordinates oversight, with sector regulators covering energy, finance, health and the rest. Find your national authority via the ENISA NIS2 page.

What should you do now?

If you are not sure whether you are in scope, the first step is to find out. Not to wait.

  1. Determine if you are in scope: check your sector against Annexes I and II of the directive, and verify whether you meet the size threshold or fall under a sector-specific exception.
  2. Run a gap analysis against Article 21: document what you already have in place and what is missing. Written documentation matters for demonstrating due diligence.
  3. Appoint a responsible person: NIS2 requires management involvement. Designate who owns the compliance work, and make sure whoever sits at the top is in the loop.
  4. Register with the relevant authority: many sectors require active registration with the national competent authority.
  5. Implement the missing measures: prioritise by risk reduction. An incident response plan, tested backup procedures, and MFA on critical systems give you the most coverage fastest.

💡 Tip: ENISA has published the full NIS2 directive text and guidance at enisa.europa.eu/topics/cybersecurity-policy/nis2-directive. It is the authoritative source.

Frequently asked questions

"I'm too small"

The 50-employee threshold sounds clear, but there are exceptions. Certain types of infrastructure (TLD registries, sole providers of a critical service, public administrations) are in scope regardless of size. Even if you are not directly covered, your customers may impose NIS2 requirements on you as a supplier.

"I'm not a technology company"

This is the most common misunderstanding. Manufacturers of medical devices, computers, electronics and vehicles are explicitly listed under important entities in Annex II. Food producers, chemical manufacturers and waste management companies are also in scope. The directive is not limited to IT.

"What about our subcontractors?"

Supply chain security (measure 4 in Article 21) requires you to assess your suppliers' security posture and reflect this in contracts. If your customers are NIS2-obligated, they will likely require security documentation from you. And you, in turn, must impose equivalent requirements on your own suppliers. NIS2 propagates through the supply chain by design.

Sources