The Network and Information Security Directive 2 (NIS2, Directive EU 2022/2555) replaced the original NIS Directive with a markedly broader scope, heavier governance requirements, and a three-stage incident notification regime. The directive's transposition deadline passed, but implementation across the twenty-seven member states has been uneven: some countries have enacted comprehensive national legislation, others are still working through drafts, and a handful are facing infringement pressure from the Commission. For in-scope organisations, this patchwork creates a practical dilemma — obligations are legally live, enforcement timelines differ by jurisdiction, and regulators are beginning to use the powers they have been given.

Who is actually covered — and are you sure you know?

NIS2 draws a sharper distinction between two entity tiers than its predecessor did. Essential entities are large operators in the high-criticality sectors listed in Annex I of the directive: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities are medium-sized operators in those same sectors plus the additional sectors listed in Annex II: postal and courier services, waste management, manufacture of certain critical products (chemicals, food, medical devices, electronics), digital providers, and research.

The size thresholds matter. National transpositions generally define essential entities by reference to large-enterprise thresholds and important entities by reference to medium-enterprise thresholds, drawing on the EU SME recommendation the directive relies on. Certain entity types — qualified trust service providers, top-level domain name registries, and DNS service providers — fall under the essential category regardless of size.

Two points that catch organisations off-guard: group structures are generally assessed per-entity on the relevant business activity rather than group-wide, and public-sector bodies are treated as in-scope under most transpositions. If you have not revisited your scoping assessment since the old NIS rules, now is the time.

What does NIS2 actually require you to do?

The directive prescribes a baseline set of risk-management measures that both essential and important entities must implement, proportionate to the organisation's risk exposure, size, and the probability and severity of incidents — but proportionality is not a licence to do nothing.

The mandatory controls span the directive's risk-management categories:

  1. Risk analysis and information security policies.
  2. Incident handling.
  3. Business continuity — backup management, disaster recovery, crisis management.
  4. Supply-chain security, including security in supplier and service-provider relationships.
  5. Security in acquisition, development, and maintenance, including vulnerability handling and disclosure.
  6. Policies to assess the effectiveness of risk-management measures.
  7. Basic cyber-hygiene practices and security training.
  8. Cryptography and, where appropriate, encryption.
  9. Human-resources security, access-control policies, and asset management.
  10. Multi-factor authentication and secured communications.

All measures must reflect the state of the art and be documented. Documentation is not optional — it is explicitly required and enforceable.

What is the incident reporting timeline?

NIS2 replaces the single-notification model of the original directive with a three-stage cascade, and the deadlines are tight.

  • Within 24 hours of becoming aware of a significant incident: an early warning indicating whether the incident appears to be caused by unlawful or malicious acts or may have cross-border impact.
  • Within 72 hours: a full incident notification updating the early warning, with an initial assessment of severity and impact and, where available, indicators of compromise.
  • Within one month: a final report describing the incident, the nature of the threat and its root cause, the mitigation measures applied, and any cross-border effects. Where the incident is still ongoing at the one-month mark, a progress report is submitted and the final report follows on closure.

Regulators in several member states are making clear that the 24-hour window runs from the moment the organisation gains awareness — not from the moment it completes its internal investigation. Compliance leads should test their detection-to-escalation pathways now, before the first live incident triggers the clock.

What must management bodies do personally?

This is the provision that has attracted the most attention from boards. NIS2 imposes direct duties on the management body — not just the CISO or the IT function. Management is required to approve the cybersecurity risk-management measures, to oversee their implementation, and can be held accountable for failures to discharge those duties. Several transpositions implement personal liability for management bodies that negligently breach their oversight obligation.

The training obligation is equally concrete. Management must undertake regular training to acquire sufficient knowledge to identify and assess risks and to evaluate the impact of risk-management practices on the services the organisation provides. This is a recurring obligation that will need to be documented.

What are the penalties?

Fines under NIS2 are calibrated to the entity tier. For essential entities, penalties can reach €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, the ceiling is €7 million or 1.4% of total worldwide annual turnover. Operating on a percentage-of-turnover basis puts NIS2 sanctions on a scale comparable to GDPR enforcement.

Supervisory authorities are also empowered to order audits and inspections, to require remediation, and — in serious cases of non-compliance by essential entities — to seek suspension of authorisations or temporary bans on management from exercising managerial functions until compliance is restored.

FAQ

Our sector is listed in NIS2 but our national law isn't enacted yet — are we exposed? Treat the obligations as live. Supervisory bodies in several jurisdictions have signalled they will not wait for a fully enacted domestic framework before beginning engagement, and the directive's requirements are the baseline national law must meet.

We had NIS1 compliance in place. Does that carry over? Partially. Scope, the security baseline, governance obligations, and incident-reporting timelines are all materially more demanding under NIS2. A gap assessment against the new requirements — particularly supply-chain security, MFA, management training, and the three-stage notification process — is essential.

Does NIS2 interact with DORA for financial entities? Yes. DORA applies as a more specific regime to financial entities, displacing certain NIS2 provisions for those organisations. In-scope financial entities should confirm which regime governs each obligation rather than assuming complete coverage by one.

The compliance agenda, shortened

NIS2 is a present obligation, not a future one. The uneven transposition landscape makes it tempting to wait for a cleaner national framework, but enforcement timelines are shortening and regulators are building capacity. The near-term agenda is clear: confirm your entity classification and sector, complete a gap assessment against the mandatory measure categories, build and test your three-stage incident-notification workflow, brief and formally train your management body, and document everything.

Aigis GRC tracks NIS2 obligations — and each member-state transposition as it is enacted — so your compliance posture stays current without manual monitoring. See how we keep your obligation register in sync at agrc.ai.