NIS2 Directive: Complete Compliance Guide (2026)

Complete guide to NIS2 compliance requirements in 2026, covering scope, obligations, penalties, and how the directive interacts with GDPR and DORA.

The NIS2 Directive (Directive 2022/2555) is the most significant overhaul of EU cybersecurity regulation since the original Network and Information Security Directive entered into force in 2016. It replaces NIS1 with a substantially broader scope, stricter obligations, and enforcement teeth comparable to GDPR. With an estimated 160,000 or more entities now in scope across the European Union – up from roughly 10,000 under NIS1 – understanding NIS2 compliance requirements has become an operational priority for organisations well beyond the traditional critical infrastructure sectors.

This guide covers who is in scope, what the directive demands, what the penalties look like, and how NIS2 interacts with GDPR and DORA.

What Is the NIS2 Directive and Why Does It Exist?

The original NIS Directive (2016/1148) was the EU’s first horizontal cybersecurity legislation. It required member states to adopt national cybersecurity strategies and established cooperation mechanisms through the CSIRTs Network and the NIS Cooperation Group. However, NIS1 suffered from inconsistent transposition across member states, a narrow scope that left critical sectors uncovered, and weak enforcement provisions.

The European Commission’s impact assessment found that NIS1 had produced a fragmented cybersecurity baseline, with significant disparities in how member states identified operators of essential services. NIS2, adopted in December 2022 and published in the Official Journal of the EU, addresses these gaps by expanding sectoral coverage, introducing a uniform size-based scoping mechanism, harmonising security and reporting requirements, and establishing a tiered enforcement regime with substantial administrative fines.

Member states were required to transpose NIS2 into national law by 17 October 2024. As of early 2026, transposition remains incomplete in several member states; in the meantime the directive’s obligations reach entities through the national implementing measures that are progressively entering into force.

Who Is In Scope? Essential and Important Entities

NIS2 eliminates the NIS1 distinction between operators of essential services and digital service providers. Instead, it introduces two categories – essential entities and important entities – determined by sector and organisation size.

Essential Entities

Essential entities operate in sectors listed in Annex I of the directive. These include energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking and financial market infrastructure, health (hospitals, laboratories, pharmaceutical manufacturing, medical device manufacturers), drinking water supply and distribution, wastewater management, digital infrastructure (internet exchange points, DNS service providers, TLD registries, cloud computing providers, data centre operators, content delivery networks, trust service providers), ICT service management in B2B contexts, public administration, and space.

As a general rule, medium-sized and large enterprises in these sectors qualify as essential entities, though member states may designate smaller entities where they provide critical functions.

Important Entities

Important entities operate in sectors listed in Annex II: postal and courier services, waste management, chemicals manufacturing and distribution, food production and distribution, manufacturing of medical devices, computers, electronics, machinery, motor vehicles, and other transport equipment, digital providers (online marketplaces, search engines, social networking platforms), and research organisations.

Medium-sized enterprises in Annex II sectors typically fall into the important entity category. ENISA’s NIS2 guidance provides further detail on sector classification and scoping.

The size threshold follows the EU’s standard SME definition: organisations with 50 or more employees or an annual turnover exceeding EUR 10 million. Certain entities – DNS providers, TLD registries, and public administration bodies – are in scope regardless of size.

What Are the Core NIS2 Compliance Requirements?

The directive imposes four categories of obligation: risk management measures, incident reporting, supply chain security, and governance accountability.

Risk Management and Security Measures

Article 21 requires both essential and important entities to implement “appropriate and proportionate” technical, operational, and organisational measures to manage risks to the security of network and information systems. The directive specifies a minimum baseline that includes:

  • policies on risk analysis and information system security;
  • incident handling procedures;
  • business continuity and crisis management;
  • supply chain security;
  • security in network and information systems acquisition, development, and maintenance;
  • policies and procedures for assessing the effectiveness of cybersecurity risk management measures;
  • basic cyber hygiene practices and cybersecurity training;
  • policies on the use of cryptography and encryption;
  • human resources security;
  • access control policies;
  • asset management.

This list is intentionally detailed – a marked departure from NIS1’s open-ended approach. Entities that already maintain a mature GDPR compliance checklist will recognise overlaps, particularly around risk assessment, access control, and incident response. However, NIS2 requires cybersecurity-specific measures that go beyond personal data protection.

Incident Reporting: The Three-Phase Timeline

NIS2 introduces a structured, multi-stage reporting obligation that is more demanding than either NIS1 or GDPR’s 72-hour breach notification.

Phase | Deadline | Content
Early warning | 24 hours after becoming aware | Whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact
Incident notification | 72 hours after becoming aware | Initial assessment of the incident, its severity and impact, and indicators of compromise where available
Final report | 1 month after the incident notification | Detailed description of the incident, root cause analysis, mitigation measures applied, and cross-border impact where applicable

The 24-hour early warning is a notable addition. Entities must alert their national CSIRT or competent authority within a single day, even if the full scope of the incident is unknown. Organisations accustomed to GDPR’s data breach notification process will need to adapt their response plans to accommodate this tighter initial deadline.

According to the European Commission’s 2025 review of NIS2 implementation, cross-border incidents accounted for approximately 18% of significant incidents reported in the first year, underscoring why early warning of potential cross-border impact is operationally critical.

Supply Chain Security

Article 22 empowers the NIS Cooperation Group to carry out coordinated risk assessments of critical supply chains at the EU level. At the entity level, Article 21(2)(d) requires organisations to address supply chain risks in their cybersecurity measures, including security-related aspects of relationships with direct suppliers and service providers. Entities must consider the vulnerabilities specific to each supplier, the overall quality of products and cybersecurity practices of their suppliers, and the results of coordinated security risk assessments.

For organisations already managing data processing agreements under the GDPR, NIS2 adds a cybersecurity-specific layer to vendor management that extends beyond personal data processing.

Governance and Board Accountability

Article 20 introduces a governance requirement with no precedent in NIS1: the management bodies of essential and important entities must approve cybersecurity risk management measures, oversee their implementation, and can be held liable for infringements. Members of management bodies are also required to undergo cybersecurity training and must ensure equivalent training is offered to employees. According to a 2025 PwC survey, only 38% of boards across EU member states reported having received formal cybersecurity training, indicating a significant compliance gap.

Entities must also register with their national competent authority, providing information including their name, address, contact details, IP ranges, and the member states in which they provide services.

What Are the Penalties for Non-Compliance?

NIS2 aligns its penalty framework more closely with the GDPR model, introducing maximum fines calibrated to entity category:

  • Essential entities: administrative fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: administrative fines of up to EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher.

Beyond fines, competent authorities can impose binding instructions, orders to implement audit recommendations, orders to bring security measures into compliance, and temporary prohibitions on the exercise of managerial functions for natural persons holding management responsibility in essential entities. This last measure – personal disqualification – is a significant escalation beyond what most EU regulatory frameworks provide.

How Does NIS2 Relate to GDPR?

NIS2 and the GDPR operate on parallel but overlapping tracks. Both require security risk management measures, incident notification to competent authorities, and documentation of security practices. The key differences are in scope and focus: GDPR protects personal data specifically, while NIS2 protects the security of network and information systems broadly.

Where a cybersecurity incident under NIS2 also constitutes a personal data breach under GDPR, both reporting obligations apply independently. Article 35 of NIS2 explicitly addresses this overlap, requiring competent authorities under NIS2 to inform supervisory authorities under GDPR when they become aware that a significant incident involves a personal data breach. Organisations should design their incident response processes to satisfy both timelines simultaneously – the 24-hour NIS2 early warning and the 72-hour GDPR notification deadline.
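The two timelines above (the NIS2 early warning, incident notification and final report, plus the parallel GDPR authority notification when personal data are involved) are easy to state and easy to miss under pressure, because every clock starts at the moment the entity becomes aware rather than when the incident occurred. The following deadline tracker is an added illustration, not code from the original article or from Legiscope. It assumes the directive’s “1 month” for the final report is counted as 30 calendar days from the incident notification (an assumption, noted in the code), and it takes awareness time as a timezone-aware datetime so deadlines are unambiguous across member states.

```python
"""Deadline tracker for the NIS2 three-phase reporting timeline, with the
parallel GDPR breach notification when personal data are involved.
Added example, not part of the original article. The "1 month" final report
is approximated as 30 calendar days after the incident notification."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Deadlines as stated in the article's reporting table; all clocks start
# when the entity becomes aware of the incident.
NIS2_EARLY_WARNING = timedelta(hours=24)
NIS2_INCIDENT_NOTIFICATION = timedelta(hours=72)
NIS2_FINAL_REPORT = timedelta(days=30)         # assumption: "1 month" == 30 days, from the notification
GDPR_AUTHORITY_NOTIFICATION = timedelta(hours=72)  # GDPR Art. 33, independent of NIS2


@dataclass(frozen=True)
class Deadline:
    regime: str      # "NIS2" or "GDPR"
    phase: str
    due: datetime
    content: str     # what the submission must contain


def reporting_deadlines(aware_at: datetime, personal_data_breach: bool = False) -> list[Deadline]:
    """Return every reporting deadline triggered by one incident, ordered by due time.

    aware_at must be timezone-aware: the obligations run from awareness, not from
    the time of the incident, and a naive timestamp would make the 24-hour window
    ambiguous for an entity operating in several member states.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")

    notification_due = aware_at + NIS2_INCIDENT_NOTIFICATION
    deadlines = [
        Deadline("NIS2", "early warning", aware_at + NIS2_EARLY_WARNING,
                 "suspected unlawful/malicious cause; possible cross-border impact"),
        Deadline("NIS2", "incident notification", notification_due,
                 "initial assessment, severity, impact, IoCs where available"),
        # The final report clock runs from the notification, not from awareness.
        Deadline("NIS2", "final report", notification_due + NIS2_FINAL_REPORT,
                 "detailed description, root cause, mitigation, cross-border impact"),
    ]
    if personal_data_breach:
        # Both regimes apply independently when the incident is also a personal data breach.
        deadlines.append(Deadline("GDPR", "supervisory authority notification",
                                  aware_at + GDPR_AUTHORITY_NOTIFICATION,
                                  "Art. 33 breach notification, filed separately from NIS2"))
    return sorted(deadlines, key=lambda d: d.due)   # stable: NIS2 stays ahead of GDPR at equal times


def overdue(deadlines: list[Deadline], now: datetime,
            submitted: frozenset[tuple[str, str]] = frozenset()) -> list[Deadline]:
    """Deadlines already reached for which no (regime, phase) submission is recorded."""
    return [d for d in deadlines if d.due <= now and (d.regime, d.phase) not in submitted]


if __name__ == "__main__":
    # Constructed sample: awareness at 09:00 UTC on 2 March 2026, personal data involved.
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    for d in reporting_deadlines(aware, personal_data_breach=True):
        print(f"{d.due.isoformat()}  {d.regime:<4} {d.phase:<34} {d.content}")
```

In an incident response plan this is the kind of table the coordinator should be able to generate the moment awareness is declared, so that the 24-hour early warning is scheduled before the scope of the incident is understood; the `overdue` check is the control that catches a missed filing during a long-running incident.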

The GDPR’s requirements around technical and organisational security measures (Article 32) and NIS2’s Article 21 obligations will frequently be implemented through the same controls. A unified risk management framework avoids duplication while ensuring both regulatory requirements are met.

How Does NIS2 Relate to DORA?

The Digital Operational Resilience Act (DORA, Regulation 2022/2554) applies specifically to the financial sector – banks, insurance companies, investment firms, payment institutions, crypto-asset service providers, and their critical ICT third-party providers. DORA entered into application on 17 January 2025.

NIS2 Recital 28 and Article 4 establish that DORA functions as lex specialis in relation to NIS2 for financial entities. Where DORA provisions are equivalent to or stricter than NIS2 provisions, DORA takes precedence. This means financial entities subject to DORA do not face duplicate NIS2 reporting obligations for the same incident types, but must still comply with any NIS2 requirements that DORA does not address. A comprehensive DORA compliance guide is essential for organisations in the financial sector navigating this intersection.

National Transposition: Where Do Member States Stand?

Despite the 17 October 2024 deadline, transposition of NIS2 has proceeded unevenly. By mid-2025, the European Commission had initiated infringement proceedings against multiple member states for failure to transpose. As of March 2026, approximately two-thirds of member states have completed transposition, with the remainder in advanced legislative stages. Belgium, Croatia, and Hungary were among the early completers; Germany, France, and several others finalised their implementing legislation in 2025.

The practical consequence for organisations operating across multiple member states is regulatory fragmentation during the transition period. Entities should identify which national implementations apply to their operations and monitor developments through the ENISA NIS Directive portal and national competent authority communications.

Legiscope’s regulatory monitoring tracks NIS2 transposition status across member states, flagging changes relevant to each entity’s operational footprint.

How Should Organisations Prepare for NIS2 Compliance?

Preparation starts with scoping: determine whether your organisation qualifies as an essential or important entity under the directive’s sector and size criteria. From there, the compliance path involves:

  • conducting a gap analysis against Article 21’s minimum security measures;
  • establishing or updating incident response plans to meet the 24-hour, 72-hour, and 30-day reporting phases;
  • mapping supply chain cybersecurity risks and integrating security requirements into supplier contracts;
  • ensuring management body members have received documented cybersecurity training;
  • completing entity registration with the relevant national competent authority;
  • aligning NIS2 measures with existing GDPR security obligations to avoid redundant controls.

Organisations that have already invested in GDPR compliance infrastructure – legitimate interest assessments, data protection impact assessments, and breach notification procedures – have a structural advantage, as many of the process disciplines transfer directly to NIS2’s requirements.

Frequently Asked Questions

Does NIS2 apply to SMEs? NIS2 generally applies to medium-sized and large enterprises. However, certain entity types – DNS service providers, TLD name registries, trust service providers, and public administration entities – are in scope regardless of size. Member states may also designate smaller entities where disruption would have significant impact.

When did NIS2 become enforceable? The transposition deadline was 17 October 2024. Enforcement timelines depend on each member state’s implementing legislation, but entities in member states that have completed transposition are already subject to NIS2 obligations.

What is the difference between NIS2 and NIS1? NIS2 expands scope from approximately 10,000 entities to over 160,000, introduces harmonised security baselines, adds a structured three-phase incident reporting timeline, establishes management body accountability, and introduces administrative fines up to EUR 10 million or 2% of global turnover.

Can a single incident trigger both NIS2 and GDPR reporting? Yes. If a cybersecurity incident also involves a personal data breach, both NIS2 and GDPR notification obligations apply independently. Organisations must satisfy the 24-hour NIS2 early warning, the 72-hour NIS2 notification and GDPR authority notification, and the 30-day NIS2 final report.

Does DORA replace NIS2 for financial entities? DORA acts as lex specialis for financial sector entities. Where DORA requirements are equivalent to or stricter than NIS2, DORA takes precedence. Financial entities should comply with DORA first and address any residual NIS2 obligations that DORA does not cover.

What happens if my member state has not transposed NIS2 yet? EU directives take effect for organisations only once transposed into national law. Until transposition is complete, enforcement mechanisms may be limited, but organisations should prepare for compliance now, as retroactive enforcement upon transposition is possible and several member states have indicated they will apply obligations from the date of transposition without transition periods.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister’s administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.