This page is a direct comparison of the original NIS Directive and its replacement, NIS2. The focus here is on what changed between the two frameworks, why those changes were made, and what they mean in practice for organisations assessing their compliance position.
If your organisation was previously familiar with NIS, or if you are trying to determine whether NIS2 introduces new obligations for you, this page walks you through the key differences side by side.
- NIS2 formally replaces the original NIS Directive — it is not optional alongside it
- Scope expanded from 7 to 18+ sectors with size-based thresholds replacing designation
- Security obligations are now explicit and defined at EU level, not left to member states
- Incident reporting has a structured 3-stage timeline: 24 hrs / 72 hrs / 30 days
- Management accountability is direct — boards face personal liability
- Supply chain security is a new standalone obligation not present in NIS
- Penalties harmonised at EU level — up to €10M or 2% of global turnover
What Was the Original NIS Directive?
The NIS Directive (Directive on Security of Network and Information Systems) came into force in 2016 and was the first piece of EU-wide cybersecurity legislation. Its goal was to raise the baseline level of cybersecurity resilience across member states by requiring certain organisations to implement appropriate security measures and report significant incidents.
Under NIS, member states identified Operators of Essential Services (OES) in sectors such as energy, transport, banking, healthcare, and digital infrastructure. A separate category of Digital Service Providers (DSPs) was also covered. Member states had considerable flexibility in deciding which organisations qualified, which created significant variation in how the directive was applied across the EU.
This section gives enough background to make the comparison meaningful. For a full introduction to NIS2, see our What is NIS2? guide.
Why Was NIS Updated to NIS2?
The European Commission's review of NIS found that while it moved things in the right direction, it fell short in several critical areas:
- Inconsistent implementation — Member states had wide discretion, resulting in very different requirements across the EU and an uneven playing field that weakened collective resilience.
- Too narrow in scope — The original directive covered a limited set of sectors and left many industries outside its reach, even as they became increasingly dependent on digital systems.
- Weak enforcement — Supervisory powers and penalties varied widely. Some member states had strong enforcement; others did not. The result was patchy compliance across the bloc.
- Supply chains unaddressed — NIS said almost nothing about how organisations should manage risks from suppliers and service providers — a critical gap given how interconnected modern digital environments had become.
Combined with a dramatically changed threat landscape — where supply chain attacks, ransomware targeting critical infrastructure, and state-sponsored intrusions had become routine — the case for a stronger, broader framework was clear. NIS2 came into force in January 2023, with a member state transposition deadline of October 2024.
NIS vs NIS2: Side-by-Side Comparison
The table below covers the core areas where the two frameworks differ. The sections that follow explain each area in more depth.
| Area | NIS (2016) | NIS2 (2023) |
|---|---|---|
| Overall purpose | Common minimum baseline for cybersecurity across defined essential services | Higher, more consistent resilience across a wider range of sectors with stronger enforcement |
| Sectors covered | 7 sectors: energy, transport, banking, financial markets, health, drinking water, digital infrastructure | 18+ sectors, adding wastewater, public administration, space, postal services, waste, food production, manufacturing, and more |
| Scope of entities | Member states designated Operators of Essential Services individually; varied widely by country | Size-based thresholds: medium enterprises (50+ employees or €10M+ turnover) in covered sectors are generally in scope automatically |
| Entity categories | Operators of Essential Services (OES) + Digital Service Providers (DSPs) | Essential Entities + Important Entities — same obligations, different supervision models |
| Security requirements | "Appropriate and proportionate" measures; specifics largely left to member states | Explicit minimum measures defined at EU level: risk analysis, access control, MFA, encryption, incident handling, business continuity, and more |
| Incident reporting | Notify "significant impact" incidents; timelines and formats set by member states | Structured 3-stage process: 24-hour early warning, 72-hour notification, 30-day final report |
| Supply chain security | Not explicitly required | Explicitly required: organisations must assess and manage risks in supply chains and from third-party providers |
| Management accountability | Organisational responsibility; limited personal liability for leadership | Management bodies directly responsible; individuals can face personal liability and temporary bans from management roles |
| Supervision | Reactive; supervisory intensity set by member states, highly variable | Essential Entities face proactive supervision; Important Entities face reactive; minimum requirements set at EU level |
| Penalties | Set by individual member states; varied significantly across the EU | EU-level minimums: up to €10M or 2% of global turnover (Essential); up to €7M or 1.4% (Important) |
Scope: From Designation to Thresholds
One of the most consequential structural changes is how organisations come into scope. Under NIS, a national authority had to formally designate an organisation as an Operator of Essential Services. Under NIS2, any organisation in a covered sector that meets the size threshold is generally in scope by default, without waiting for a designation.
This removes a layer of ambiguity and significantly expands the number of organisations that need to take action. If your organisation operates in a covered sector and meets the medium-enterprise threshold, you are likely in scope regardless of whether you were previously identified under NIS.
Essential Entities vs Important Entities
NIS2 replaces the OES and DSP categories with two new classifications. Both face the same security and reporting obligations, but they are supervised differently.
Essential Entities: proactive supervision
Regulators can check compliance at any time, without waiting for an incident. These are the highest-criticality sectors, including energy, transport, health, digital infrastructure, and public administration.
Important Entities: reactive supervision
Oversight is typically triggered by a reported incident or complaint. Sectors include postal services, food, manufacturing, chemicals, and digital providers. The security and reporting obligations are the same as for Essential Entities; only the supervision model differs.
The Incident Reporting Timeline
Under NIS, incident reporting expectations were set by member states and lacked a consistent EU-wide standard. Under NIS2, a structured three-stage process applies to all covered entities.
Early Warning (within 24 hours)
Initial notification to the competent authority within 24 hours of becoming aware of a significant incident.
Incident Notification (within 72 hours)
A more detailed report, due within 72 hours, with an initial assessment, severity indicators, and any indicators of compromise identified so far.
Final Report (within 30 days)
A comprehensive incident report, due within 30 days, including root cause analysis, impacts, and remediation actions.
The 24-hour early warning cannot be met without a real-time detection and escalation capability. If your organisation cannot currently detect and triage a significant incident within hours, that is a priority gap.
Key Changes Introduced by NIS2
Several changes in NIS2 stand out as particularly significant for organisations assessing their compliance position against the original framework.
Wider, More Objective Scope
- More sectors added to coverage
- Size-based thresholds replace designation
- Many previously out-of-scope organisations now covered
- Some entities in scope regardless of size
Management Accountability
- Boards directly responsible for approving cybersecurity measures
- Personal liability for compliance failures
- Temporary management bans possible in serious cases
- Cybersecurity can no longer be treated as an IT concern alone
Explicit Minimum Security Measures
- Risk analysis and documented security policies required
- MFA and access control mandated
- Business continuity and crisis management plans required
- Cryptography, encryption, and HR security addressed
Supply Chain Security
- New standalone obligation not present in NIS
- Must assess direct suppliers and third-party providers
- Requires contractual and process changes for many organisations
Structured Incident Reporting
- 24-hour early warning is a hard requirement
- 72-hour detailed notification follows
- 30-day final report with root cause analysis
Stronger Enforcement and Penalties
- EU-level minimum penalties introduced for the first time
- Up to €10M or 2% of global annual turnover for Essential Entities
- Up to €7M or 1.4% for Important Entities
- Comparable to the GDPR enforcement scale
Does NIS2 Replace NIS?
Yes. NIS2 formally repeals and replaces the original NIS Directive. Member states were required to transpose NIS2 into national law by 17 October 2024. From that point, NIS2 became the applicable framework and the original NIS Directive ceased to apply across the EU.
Important: Organisations that were previously compliant with NIS should not assume that compliance carries over automatically. NIS2 introduces requirements that go beyond NIS, and a fresh assessment against the new framework is necessary.
The sectors covered under the original NIS Directive remain covered under NIS2, but with higher obligations. Any organisation that believed it was meeting its NIS obligations should treat the October 2024 transposition deadline as the point at which its compliance baseline needed to be re-evaluated.
What Do the Changes Mean for Organisations?
More organisations are now in scope
The move from designation-based to size-based scope means many organisations that had no prior NIS obligations may now have significant ones. If your organisation operates in a covered sector and meets the medium-enterprise threshold, you are likely in scope regardless of whether you were previously identified under NIS.
The security bar is higher
The explicit minimum measures in NIS2 mean that vague or informal approaches to cybersecurity governance will not be sufficient. Organisations need documented policies, implemented controls, and evidence that their security measures reflect the actual risk environment.
Governance needs to be formalised
With management bodies directly accountable under NIS2, organisations need clear ownership of cybersecurity at senior level. Delegation to a technical team without board-level engagement is not adequate under the new framework.
Supply chain risk requires new processes
For many organisations, NIS2's supply chain requirements will mean new supplier assessments, contractual frameworks, and ongoing monitoring processes that did not previously exist. This is one of the areas where compliance work is most likely to require significant new effort.
Which Is Stricter: NIS or NIS2?
NIS2 is unambiguously stricter than the original NIS Directive across almost every dimension. It covers more organisations and more sectors. It sets higher and more specific security obligations. It requires faster and more structured incident reporting. It introduces personal accountability for senior leaders. It specifies stronger enforcement powers and significantly higher penalties. And it requires organisations to address supply chain risk in a way that NIS did not.
The original NIS Directive was a starting point. NIS2 is a substantially more demanding framework, and organisations should approach it accordingly rather than assuming continuity from their existing posture.
How Should Organisations Respond to the Move From NIS to NIS2?
The following steps provide a practical starting framework for organisations assessing their position against NIS2.
1. Determine whether you are now in scope. Review the NIS2 sector list and size thresholds against your organisation's profile. Some organisations that were not covered under NIS will be covered now. Some entities are in scope regardless of size due to criticality.
2. Review your current security controls. The explicit minimum measures in NIS2 provide a useful checklist. Assess where your current controls align and where gaps exist. Documented policies and implemented controls are both required.
3. Assess your incident response readiness. Can your organisation realistically meet a 24-hour early warning timeline? If not, that is a priority gap. Your incident response plan needs to reflect the NIS2 reporting structure.
4. Engage management and the board. Given the personal accountability provisions in NIS2, senior leadership needs to understand what the directive requires, not just receive a compliance update after the fact.
5. Map supply chain and third-party risk. Identify which suppliers and service providers your organisation depends on for critical functions. Assess their security posture and put in place the contractual frameworks NIS2 requires.
6. Build a compliance roadmap. Prioritise the gaps identified above, assign ownership, and set realistic timelines for remediation. Document progress so you can demonstrate it to your competent authority if required.
Frequently Asked Questions
NIS was the EU's original cybersecurity directive, focused on a narrow set of essential service sectors with relatively flexible requirements set largely by individual member states. NIS2 replaces it with a broader framework that covers more sectors and organisations, introduces explicit minimum security measures, requires faster incident reporting, places accountability directly on management, and enforces significantly higher penalties. The fundamental approach is similar, but NIS2 is considerably more demanding in both scope and obligation.
Yes. NIS2 formally repeals the original NIS Directive. Member states were required to transpose NIS2 into national law by October 2024, at which point NIS ceased to apply. Organisations previously subject to NIS must assess their compliance against NIS2 specifically, as the requirements are not identical and NIS2 introduces obligations that did not exist under the original framework.
The EU updated NIS to NIS2 primarily because the original directive had been implemented inconsistently across member states, covered too few sectors, lacked sufficiently specific requirements, and did not keep pace with the evolving threat landscape. NIS2 was designed to produce a more harmonised, broader, and more enforceable standard of cybersecurity resilience across the EU — and to address the supply chain risks that the original directive largely ignored.
Yes. NIS2 is stricter than NIS in every significant area. It covers more organisations, sets higher and more specific security obligations, requires faster and more structured incident reporting, introduces personal liability for senior management, and specifies higher minimum penalties enforced at EU level. Organisations that were compliant with NIS cannot assume they are compliant with NIS2 without conducting a fresh assessment.
Organisations across a much wider range of sectors are now potentially affected, including those in manufacturing, food production, public administration, waste management, postal services, and space, in addition to the sectors originally covered by NIS. Organisations that meet the size thresholds — generally medium-sized enterprises and above — and operate in covered sectors should assess whether they are now in scope, even if they had no prior NIS obligations.
The most significant changes are the expansion of scope (more sectors, more organisations covered automatically by size thresholds), the introduction of explicit minimum security requirements, the personal accountability of management bodies, the structured three-stage incident reporting timeline starting with a 24-hour early warning, the new supply chain security obligations, and the introduction of EU-level minimum penalties. Together, these changes transform NIS2 from a broad framework directive into a much more specific and enforceable compliance standard.