Compliance Glossary

What is NIS 2 Directive?

Definition

The NIS 2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation that establishes a high common level of cybersecurity across member states. It significantly expands the scope of covered sectors, strengthens cybersecurity requirements, introduces strict incident reporting obligations, and imposes personal liability on management bodies.

In Depth

NIS 2 replaces the original NIS Directive from 2016, which was deemed insufficient due to inconsistent implementation, limited scope, and weak enforcement. The updated directive expands coverage from 7 to 18 sectors, organized into Sectors of High Criticality (Annex I) and Other Critical Sectors (Annex II). It applies to medium and large organizations (50+ employees or 10M+ euro turnover) operating in covered sectors, and member states may also designate smaller critical entities.

NIS 2 introduces a two-tier classification. Essential Entities (large organizations in Annex I sectors) face proactive supervision and fines of up to 10 million euros or 2% of global turnover; Important Entities face reactive supervision and fines of up to 7 million euros or 1.4% of turnover.

Article 20 requires management bodies to approve and oversee cybersecurity measures, with personal liability for infringements. Article 21 mandates 10 specific cybersecurity risk management measures, including supply chain security, multi-factor authentication, and incident handling. Article 23 establishes a three-phase incident reporting timeline: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month.

Member states were required to transpose NIS 2 into national law by October 17, 2024. Organizations with an existing ISO 27001 certification have a strong foundation for NIS 2 compliance, but must still address the additional requirements around incident reporting, management accountability, and supply chain security.
