NIS 2 Directive Compliance Guide: Everything You Need to Know

The NIS 2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It significantly expands the scope of organizations covered, strengthens cybersecurity requirements, introduces stricter incident reporting obligations, and increases penalties for non-compliance. Member states were required to transpose NIS 2 into national law by October 17, 2024. This guide covers everything organizations need to know to achieve and maintain compliance.

What Is the NIS 2 Directive?

NIS 2 (Network and Information Security Directive 2) is a European Union directive that establishes a high common level of cybersecurity across member states. It replaces the original NIS Directive (2016/1148), which was deemed insufficient due to inconsistent implementation across member states, a limited scope that excluded many critical sectors, and weak enforcement mechanisms. NIS 2 addresses these shortcomings by expanding coverage to 18 sectors (up from 7), introducing a size-based applicability threshold, harmonizing cybersecurity requirements across member states, establishing a tiered incident reporting framework, and introducing personal liability for management bodies. The directive applies to medium and large organizations (50+ employees or 10M+ euro turnover) operating in covered sectors, though member states can extend requirements to smaller organizations deemed critical. Organizations must implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks.
  • NIS 2 replaces the original 2016 NIS Directive with significantly expanded scope
  • Coverage extends to 18 sectors including digital infrastructure, ICT services, and manufacturing
  • Size-based threshold applies to organizations with 50+ employees or 10M+ euro turnover
  • Member states were required to transpose into national law by October 17, 2024
  • Personal liability for management bodies is a new enforcement mechanism

Sectors and Entities Covered by NIS 2

NIS 2 classifies covered sectors into two categories. Sectors of High Criticality (Annex I) include energy (electricity, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure (DNS, TLD registries, cloud computing, data centers, CDNs, trust services), ICT service management (MSPs and MSSPs), public administration, and space. Other Critical Sectors (Annex II) include postal and courier services, waste management, chemicals manufacturing, food production and distribution, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networking), and research organizations. Within these sectors, organizations are classified as either Essential Entities or Important Entities based on their size and sector, which determines the supervision regime and penalty levels they face.
  • Annex I covers 11 Sectors of High Criticality including energy, transport, and digital infrastructure
  • Annex II covers 7 Other Critical Sectors including manufacturing, food, and digital providers
  • MSPs and MSSPs are explicitly included under ICT service management
  • Cloud computing providers, data centers, and CDNs fall under digital infrastructure
  • Classification as Essential or Important determines supervision and penalty levels

Cybersecurity Risk Management Measures (Article 21)

Article 21 of NIS 2 requires covered entities to implement appropriate and proportionate technical, operational, and organizational measures to manage risks to the security of network and information systems. The directive specifies a minimum set of ten measures that must be addressed: (1) policies on risk analysis and information system security; (2) incident handling procedures; (3) business continuity and crisis management, including backup management and disaster recovery; (4) supply chain security, including security-related aspects of relationships with suppliers and service providers; (5) security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure; (6) policies and procedures to assess the effectiveness of cybersecurity risk management measures; (7) basic cyber hygiene practices and cybersecurity training; (8) policies and procedures regarding the use of cryptography and encryption; (9) human resources security, including access control policies and asset management; and (10) use of multi-factor authentication or continuous authentication solutions. These measures must be proportionate to the risks faced and must take into account the state of the art and applicable standards.
  • Article 21 mandates 10 minimum cybersecurity risk management measures
  • Supply chain security is explicitly required, covering supplier and service provider relationships
  • Multi-factor authentication or continuous authentication is specifically mandated
  • Measures must be proportionate to risk and consider the state of the art
  • Basic cyber hygiene and cybersecurity training are mandatory for all personnel

Management Body Accountability

NIS 2 introduces a significant new requirement: management bodies of Essential and Important Entities must approve the cybersecurity risk management measures and oversee their implementation. Critically, management bodies can be held personally liable for infringements. Article 20 requires that members of management bodies undergo cybersecurity training and encourages similar training for all employees. This means board members, C-suite executives, and senior management must have sufficient cybersecurity knowledge to evaluate risk management measures and make informed decisions. The personal liability provision is a major shift from previous cybersecurity regulation where liability typically rested with the organization rather than individuals. Management bodies cannot delegate this responsibility entirely — they must actively approve measures and maintain oversight. Organizations should establish regular cybersecurity briefings for management, ensure management review of cybersecurity reports and incidents, document management approval of risk management measures, and maintain records of management cybersecurity training.
  • Management bodies must approve cybersecurity measures and oversee their implementation
  • Personal liability can attach to management body members for infringements
  • Management body members must undergo cybersecurity training
  • This responsibility cannot be fully delegated — active oversight is required
  • Organizations must document management approval and training for compliance evidence

Penalties and Enforcement

NIS 2 significantly increases penalties compared to the original directive. Essential Entities face administrative fines of up to 10 million euros or 2% of total annual worldwide turnover, whichever is higher. Important Entities face fines of up to 7 million euros or 1.4% of total annual worldwide turnover, whichever is higher. Beyond financial penalties, competent authorities can issue binding instructions, order compliance audits, issue warnings and public statements, temporarily suspend certifications or authorizations, and temporarily prohibit individuals from exercising management functions. The enforcement approach differs between entity types: Essential Entities are subject to proactive supervision (authorities can conduct audits and inspections without cause), while Important Entities face reactive supervision (investigations triggered by evidence of non-compliance). Member states designate national competent authorities for enforcement, and ENISA provides coordination and guidance at the EU level.
  • Essential Entities face fines up to 10 million euros or 2% of global turnover
  • Important Entities face fines up to 7 million euros or 1.4% of global turnover
  • Authorities can suspend certifications and temporarily ban individuals from management roles
  • Essential Entities face proactive supervision; Important Entities face reactive supervision
  • Member states designate national competent authorities for NIS 2 enforcement

Implementation Roadmap

Organizations should follow a structured implementation approach. Phase 1 (months 1-2): Determine applicability by assessing whether your organization falls within covered sectors and meets size thresholds, and classify as Essential or Important Entity. Phase 2 (months 2-4): Conduct a gap analysis comparing current cybersecurity measures against Article 21 requirements. Leverage existing ISO 27001 or NIST CSF implementations where applicable. Phase 3 (months 4-8): Implement required measures starting with the highest-risk gaps. Prioritize supply chain security, incident response procedures, and management body training. Phase 4 (months 8-10): Establish incident reporting capabilities aligned with the 24-hour, 72-hour, and one-month reporting timeline. Phase 5 (months 10-12): Conduct internal assessment to verify compliance, document evidence, and prepare for potential supervisory activities. Ongoing: Monitor member state transposition for country-specific requirements, maintain continuous compliance through regular risk assessments, and ensure management body oversight continues.
  • Start with applicability assessment and entity classification
  • Leverage existing ISO 27001 or NIST CSF implementations to address gaps
  • Prioritize supply chain security, incident response, and management body training
  • Establish incident reporting capabilities aligned with NIS 2 timelines
  • Monitor member state transposition for country-specific requirements

Key Takeaways

  • NIS 2 dramatically expands the scope of EU cybersecurity regulation to 18 sectors
  • Management bodies face personal liability for cybersecurity risk management failures
  • Article 21 mandates 10 specific cybersecurity measures including supply chain security and MFA
  • Incident reporting follows a tiered timeline: 24 hours, 72 hours, and one month
  • Penalties reach 10 million euros or 2% of global turnover for Essential Entities
  • Organizations with existing ISO 27001 or NIST CSF programs have a significant head start

Frequently Asked Questions

Does NIS 2 apply to my organization?

NIS 2 applies to medium and large organizations (50+ employees or 10M+ euro annual turnover) operating in one of 18 covered sectors including energy, transport, health, digital infrastructure, ICT services, manufacturing, and digital providers. Some smaller organizations may also be covered if designated by member states as critical. If your organization provides services within the EU in a covered sector, you should assess applicability.

What is the difference between Essential and Important Entities under NIS 2?

Essential Entities are large organizations in Sectors of High Criticality (Annex I) and face proactive supervision and higher fines (up to 10M euros or 2% of turnover). Important Entities are medium organizations in Annex I sectors or organizations in Other Critical Sectors (Annex II) and face reactive supervision and lower fines (up to 7M euros or 1.4% of turnover). Both must comply with the same Article 21 cybersecurity measures.

How does NIS 2 relate to ISO 27001?

ISO 27001 provides an excellent foundation for NIS 2 compliance. Many Article 21 requirements align with ISO 27001 controls. However, NIS 2 adds specific requirements beyond ISO 27001 including mandatory incident reporting timelines, management body accountability and training, supply chain security obligations, and sector-specific requirements. Organizations certified to ISO 27001 will have a significant head start but should conduct a gap analysis.

What happens if my member state has not transposed NIS 2 yet?

While the transposition deadline was October 17, 2024, some member states may be delayed. However, organizations should prepare now because the directive's requirements are clear and national laws will be retroactive to the directive's requirements. Starting compliance efforts early avoids a rush when national legislation is enacted and demonstrates good faith.

Can management body members really face personal liability?

Yes. Article 20 explicitly states that management bodies must approve cybersecurity risk management measures and oversee their implementation, and can be held liable for infringements. Member states determine the specific liability mechanisms in national law, but the directive's intent is clear: cybersecurity is a board-level responsibility with personal consequences for negligence.

Does NIS 2 apply to non-EU companies?

NIS 2 applies to entities providing services within the EU, regardless of where they are established. Non-EU organizations providing services in covered sectors to EU customers must comply and are required to designate a representative in one of the member states where they provide services. This extraterritorial reach mirrors GDPR's approach.

What are the NIS 2 incident reporting deadlines?

NIS 2 establishes a three-phase reporting timeline: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment of severity and impact, and a final report within one month with a detailed description, root cause analysis, and mitigation measures applied.