NIS2 is the EU's cybersecurity directive that raises the minimum requirements for security and incident reporting across organisations that deliver critical services or operate in sectors relevant to the European Union. It introduces stronger accountability, broader sector coverage, stricter incident reporting timelines, and tougher enforcement, and it replaces the original NIS Directive with significantly higher standards.
If your organisation operates in a covered sector and meets the relevant size threshold, NIS2 obligations are not optional. National authorities across the EU are responsible for supervision and enforcement.
- EU-wide cybersecurity mandate for large and medium organisations in critical sectors
- Risk management measures — prevent, detect, respond to and recover from incidents
- Incident reporting — mandatory reporting within 24 hrs / 72 hrs / 1 month
- Supply chain security — due diligence on third-party and supplier risk
- Board accountability — management bodies are personally responsible
- Meaningful fines — up to €10M or 2% of global turnover for non-compliance
What Is NIS2?
NIS2 is an EU cybersecurity directive that sets mandatory security and incident reporting requirements for organisations operating across critical and important sectors throughout the European Union. It stands for the Network and Information Security Directive 2, and it represents a major update to the EU's original cybersecurity legislation introduced in 2016.
The directive sets a common baseline for cybersecurity across the EU — covering how organisations manage risk, how they report incidents, how they govern cybersecurity at leadership level, and how they protect their supply chains. Unlike the original NIS Directive, NIS2 is broader in scope, clearer in its obligations, and backed by substantially stronger enforcement powers.
Key point: NIS2 is binding EU law. For organisations in scope, compliance is a legal obligation — not an optional best practice.
Why NIS2 Exists
The original NIS Directive, introduced in 2016, was the EU's first attempt at a unified cybersecurity framework. It was a meaningful step forward, but the cyber threat landscape evolved faster than the legislation. By the early 2020s, several critical weaknesses had become clear:
- Implementation was inconsistent across Member States — the same sector could face very different requirements depending on the country.
- The scope was too narrow, leaving out large portions of the digital economy and critical supply chains.
- Incident reporting timelines were vague and applied unevenly.
- Management accountability was weak — there was no direct obligation on leadership to own cybersecurity governance.
- Enforcement penalties were low and inconsistently applied, reducing the incentive for compliance.
NIS2 was designed to fix all of this. It broadens the scope significantly, tightens the requirements, puts leadership personally on the hook, and standardises enforcement thresholds across the EU.
Who Needs to Comply With NIS2?
NIS2 applies to medium and large organisations operating in sectors the EU considers essential or important to the functioning of society and the economy. The directive separates these into two tiers.
Higher criticality
Organisations in the most critical sectors: energy, transport, banking, financial markets, health, water, digital infrastructure, ICT management, public administration, and space. Subject to proactive supervision.
Other critical sectors
Organisations in postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Subject to reactive supervision — but the same obligations apply.
Size thresholds
In most cases, NIS2 applies to organisations with 50 or more employees or an annual turnover above €10 million. Smaller organisations can still be captured if a Member State identifies them as critical regardless of size. Organisations outside the EU that provide services into the EU market may also fall in scope.
Who is impacted even if not in scope?
Even if your organisation is not directly in scope, you may be affected. In-scope organisations must assess and manage the cybersecurity posture of their suppliers — which means if you are a vendor or service provider to an in-scope entity, you are likely to face new contractual and security requirements from your customers.
Not sure if you are in scope? Use our NIS2 Eligibility Checker — a structured set of questions that maps your sector, size, and role to determine whether and how NIS2 applies to your organisation.
Which Sectors Are Covered?
NIS2 uses two annexes to define coverage. Annex 1 covers sectors of high criticality; Annex 2 covers other critical sectors.
Annex 1 — Sectors of high criticality (examples)
Annex 2 — Other critical sectors (examples)
Exact definitions can vary slightly by country and transposition. Your national NIS2 authority may have added sector-specific rules. Always verify against your local implementing legislation.
Is NIS2 Mandatory?
Yes. Once Member States have transposed NIS2 into national law, in-scope organisations are legally required to comply. This is not voluntary guidance. NIS2 obligations are legally binding, and national authorities have the power to supervise, investigate, issue fines, and in serious cases impose personal sanctions on management.
The directive also introduced a significant change: management bodies are now personally accountable for cybersecurity governance. Senior leadership cannot simply delegate compliance to the IT team and walk away from it.
What Does NIS2 Require?
NIS2 compliance requires organisations to implement a set of proportionate cybersecurity risk management measures. The key obligation areas are:
- Cybersecurity risk management measures — the security controls you implement to protect your systems.
- Incident reporting obligations — you must report significant incidents to your national authority within strict deadlines.
- Business continuity planning — you must be able to sustain operations and recover from a serious incident.
- Supply chain security — you must actively manage the cybersecurity risks introduced by your suppliers.
- Governance and accountability — your management body must approve, oversee, and be accountable for your cybersecurity posture.
Important: NIS2 applies continuously, not just at your yearly audit. Its obligations include reporting deadlines measured in hours and ongoing monitoring requirements.
Pillars of Compliance
Think about NIS2 compliance across six structured pillars. Each one maps to a core area of the directive's requirements and gives you a framework to organise your programme in a way that is practical and defensible.
Governance & Accountability
- Clear ownership and decision-making
- Defined cybersecurity roles
- Documented approvals, training, and oversight
Risk Management Measures
- Formal risk assessment process
- Preventive and detective controls
- Incident handling processes and procedures
Incident Reporting Readiness
- Detection and triage that triggers reporting
- Reporting pipelines to national CSIRT or authority
- Clear roles and escalation plans
Operational Resilience & Recovery
- Tested backup and recovery tools
- Continuity for critical and operational services
- Crisis management plans and simulation exercises
Supply Chain & Third-Party Risk
- Vendor assessment proportionate to risk
- Due diligence requirements in contracts
- Ongoing monitoring of key suppliers
Evidence & Continuous Improvement
- Policies, procedures, and records
- Regular reviews and improvement cycles
- KPIs and improvement plans
Incident Reporting — How It Works
NIS2 introduces some of the most demanding incident reporting requirements of any EU regulation to date. If your organisation experiences a significant incident — one that causes or could cause serious operational disruption — you are required to follow a three-stage reporting process.
Early Warning
Initial notification to your national authority within 24 hours of becoming aware of the incident.
Full Notification
A detailed incident notification including impact assessment and initial indicators, within 72 hours.
Final Report
A comprehensive final report covering root cause, response taken, and lessons learned, within one month.
What you need operationally
- Clear criteria for what constitutes a "significant incident" requiring reporting
- An internal escalation process that reaches the right people quickly
- A designated contact point with your national CSIRT or competent authority
- Templates and records to support each reporting stage
Penalties for Non-Compliance
NIS2 sets minimum thresholds for administrative fines that national authorities must be able to impose. These are not upper limits in most Member States — national legislation may go higher.
Essential entities: fines of up to €10 million or 2% of total global annual turnover, whichever is higher.
Important entities: fines of up to €7 million or 1.4% of total global annual turnover, whichever is higher.
Beyond financial penalties, national authorities have powers to issue binding instructions, require public disclosure of non-compliance, and in serious cases impose temporary bans on individuals from serving in management roles. The intent is to make non-compliance genuinely costly.
Penalties for both essential and important entities can combine financial sanctions with operational consequences: national authorities can require suspension of certain services until compliance is demonstrated.
Where to Start — Practical Checklist
If your organisation is new to NIS2, the following steps give you a practical starting point. This is not a complete compliance roadmap, but it covers the actions that matter most in the early stages.
- Confirm your sector & size — check which annex applies and whether you meet the thresholds for essential or important entity status in your country.
- Check your national implementation — find out how NIS2 has been transposed in each country where you operate, and identify your competent authority.
- Run a NIS2 gap assessment — map your current security posture against the six pillars of compliance and identify your highest-priority gaps.
- Define your incident reporting workflow — build and test the process for detecting, escalating, and reporting significant incidents within the required timeframes.
- Engage your leadership team — brief your board or management body on their direct accountability under NIS2, and get formal sign-off on your risk management approach.
- Review supplier security — assess your critical vendors' security posture and update contracts to include NIS2-aligned requirements where needed.
- Build your compliance roadmap — turn your gap assessment into a prioritised action plan with owners, timelines, and review points.
Frequently Asked Questions
What is NIS2?
NIS2 is the Network and Information Security Directive 2 — an EU law that sets mandatory cybersecurity and incident reporting requirements for organisations in essential and important sectors across the European Union. It entered into force in January 2023 and Member States were required to transpose it into national law by October 2024.
Who does NIS2 apply to?
Medium and large organisations operating in one of the 18 covered sectors. The general threshold is 50 or more employees or annual turnover above €10 million. Some smaller organisations may still be in scope if deemed inherently critical by their national authority. Organisations outside the EU that provide services into EU markets may also be in scope.
Does NIS2 apply to small businesses?
Generally no — NIS2 targets medium and large organisations. Small enterprises below the 50-employee or €10M turnover threshold are typically out of scope. Exceptions exist for organisations considered critical regardless of size, and small businesses that supply in-scope entities may face indirect requirements through supply chain clauses in contracts.
Is NIS2 mandatory?
Yes. NIS2 is binding EU law for organisations that fall within scope. Compliance is a legal obligation, not optional guidance. National authorities have been given powers to supervise, audit, fine, and sanction non-compliant organisations.
What are the NIS2 incident reporting deadlines?
For significant incidents, NIS2 requires a three-stage process: an early warning to your national authority within 24 hours, a full incident notification within 72 hours, and a comprehensive final report within one month of the incident. These timelines are strict and non-negotiable once a significant incident is declared.
How do I get started with NIS2?
Start with a scope assessment. Determine whether your organisation's sector and size put you in scope for NIS2. If they do, run a gap assessment against the six compliance pillars to understand where you stand. If you are unsure, our eligibility checker can walk you through the key questions in a few minutes.