What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) is the European Union’s primary cybersecurity legislation, replacing the original NIS Directive from 2016. Adopted in December 2022 and required to be transposed into national law by EU member states by October 17, 2024, NIS2 significantly expands the scope, requirements and enforcement powers of its predecessor.
NIS2 establishes a high common level of cybersecurity across the EU by imposing mandatory security measures and incident reporting obligations on a broad range of essential and important entities. Unlike DORA, which targets the financial sector specifically, NIS2 applies across all critical sectors of the economy — from energy and transport to healthcare and digital infrastructure.
NIS1 vs NIS2 — Key Changes
| Area | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Scope | Operators of essential services + digital service providers | Essential entities + important entities — much broader coverage |
| Sectors covered | 7 sectors | 18 sectors |
| Member state discretion | High — significant national variation | Reduced — more harmonised requirements |
| Management accountability | Not addressed | Management bodies personally liable — can be temporarily banned |
| Supply chain | Not addressed | Explicit supply chain security requirements |
| Maximum fines | Member state discretion | Essential: €10M or 2% global turnover · Important: €7M or 1.4% global turnover |
| Incident reporting | Without undue delay | 24 hours early warning · 72 hours incident notification · 1 month final report |
Essential vs Important Entities
NIS2 distinguishes between essential entities (subject to more stringent supervision) and important entities (subject to reactive supervision). The classification is based on sector and size.
| Category | Sectors | Supervision |
|---|---|---|
| Essential entities | Energy · Transport · Banking · Financial market infrastructure · Health · Drinking water · Wastewater · Digital infrastructure · ICT service management · Space · Public administration | Proactive ex-ante supervision — regular audits, inspections, security scans |
| Important entities | Postal services · Waste management · Chemicals · Food production · Manufacturing · Research · Digital providers (search engines, social platforms, online marketplaces) | Reactive ex-post supervision — investigation only after incident or complaint |
The 10 Mandatory Security Measures
Article 21 of NIS2 specifies ten minimum security measures that all covered entities must implement, proportionate to their size, risk profile and the sensitivity of the data they process.
| # | Measure | Requirements |
|---|---|---|
| 1 | Risk analysis and information system security policies | Documented risk analysis · Comprehensive cybersecurity policies · Management body approval |
| 2 | Incident handling | Incident detection · Classification · Response · Reporting procedures · Post-incident review |
| 3 | Business continuity | Backup management · Disaster recovery · Crisis management procedures |
| 4 | Supply chain security | Security in supplier relationships · Product and service security assessment · Contractual requirements |
| 5 | Security in network and information systems acquisition | Secure development practices · Vulnerability handling · Coordinated vulnerability disclosure |
| 6 | Policies and procedures to assess effectiveness | Regular testing · Security audits · Implementation of audit findings |
| 7 | Cybersecurity training | Cyber hygiene practices · Regular training for all staff · Management body training |
| 8 | Cryptography and encryption | Policy on use of cryptography · End-to-end encryption where appropriate |
| 9 | Human resources security and access control | Asset management · Access control policies · Least privilege · Need-to-know basis |
| 10 | Multi-factor authentication | MFA or continuous authentication where appropriate · Secured voice, video and text communications · Secured emergency communication systems |
Incident Reporting Timelines
| Report | Deadline | Content |
|---|---|---|
| Early warning | Within 24 hours of awareness | Basic notification — whether suspected malicious act, cross-border impact |
| Incident notification | Within 72 hours of awareness | Initial assessment — severity, impact, indicators of compromise |
| Intermediate report | On request from CSIRT | Status update on incident handling |
| Final report | Within 1 month of incident notification | Detailed description · Root cause · Cross-border impact · Measures taken |
Management Body Accountability
NIS2 introduces personal liability for management body members — a significant escalation from NIS1. Management bodies must approve cybersecurity risk management measures, oversee their implementation and can be held personally accountable for infringements. Competent authorities can temporarily prohibit natural persons from exercising managerial responsibilities if a significant entity repeatedly fails to comply.
Management body members are also required to undergo regular cybersecurity training to ensure they have sufficient knowledge to identify risks and assess cybersecurity risk management practices.
Securitora Assessment
NIS2 is the most significant expansion of EU cybersecurity obligations since GDPR. Its broad scope — covering 18 sectors and applying to medium and large organisations across the economy — means that the majority of significant European businesses will be in scope. The personal liability of management body members is the most consequential new element — it elevates cybersecurity from an IT issue to a board-level legal obligation in a way that has never previously existed in EU law. Organisations already compliant with ISO 27001 will have a strong foundation but will still need to address NIS2-specific requirements around supply chain security, incident reporting timelines and management training.
| Item | Detail |
|---|---|
| Recommended for | All medium and large organisations operating in the EU across 18 critical sectors |
| Difficulty to implement | Medium to High — broad requirements with management personal liability |
| Best used with | ISO 27001 · NIST CSF 2.0 · DORA (for financial sector) · GDPR |
| Official resource | digital-strategy.ec.europa.eu |