The Ultimate Guide to NIS2 Compliance: A Detailed and Practical Guide to the NIS2 Directive

The Network and Information Security Directive (NIS2) is the EU’s latest cybersecurity legislation, aimed at improving the resilience of critical infrastructure and essential services across member states. If your organization operates in the EU and works in one of the sectors the directive covers, you need to know whether you count as an essential or important entity and what that classification obliges you to do.

What is NIS2?

NIS2 (Directive (EU) 2022/2555) replaces the EU’s original Network and Information Security Directive (NIS1, Directive (EU) 2016/1148), adopted in 2016. NIS2 was adopted on December 14, 2022, entered into force on January 16, 2023, and set a transposition deadline of October 17, 2024, for member states to implement it into national law. It establishes a higher common level of cybersecurity across the EU. Its primary goal is to ensure that essential and important entities take appropriate security measures and report significant incidents to national authorities.

NIS2 enhances the EU’s cybersecurity baseline by:

  1. Expanding the scope to more sectors and entities
  2. Imposing stricter risk management and incident reporting requirements
  3. Introducing stronger enforcement, including substantial fines and leadership accountability

Who does NIS2 apply to?

NIS2 applies to a wide range of organizations that provide services or carry out activities in the EU, including non-EU companies offering services in the EU. The directive distinguishes between essential entities (proactive supervision, with regular audits and inspections) and important entities (ex post supervision, where audits and inspections occur only when authorities have evidence or indications of noncompliance, but with the same security and reporting obligations).

Sectors covered under NIS2:

Sectors of high criticality (Annex I)

Entities in these sectors attract the highest level of scrutiny under NIS2; large entities here are classified as essential entities, medium-sized ones as important entities.

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health (healthcare providers, EU reference laboratories, research and development of medicinal products, pharmaceutical manufacturing, manufacturers of medical devices considered critical during a public health emergency)
  • Drinking water
  • Wastewater
  • Digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing, data centers, content delivery networks, trust service providers, public electronic communications networks and services)
  • ICT service management (business-to-business managed service providers and managed security service providers)
  • Public administration (central and regional government; member states may extend this to local government)
  • Space (ground-based infrastructure)

Other critical sectors (Annex II)

Entities in these sectors are generally classified as important entities. They must meet the same Article 21 and Article 23 obligations as essential entities, but are subject to ex post supervision, triggered when authorities receive evidence or indications of noncompliance.

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical devices and in vitro diagnostic devices; computer, electronic and optical products; electrical equipment; machinery; motor vehicles, trailers and other transport equipment)
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organizations

Size cap rule

In general, NIS2 applies to medium-sized and large organizations in the Annex I and II sectors. Medium-sized means at least 50 employees, or annual turnover and balance sheet total both above €10 million; large means at least 250 employees, or annual turnover above €50 million and balance sheet total above €43 million. Some small and micro organizations fall under the directive regardless of size, for example providers of public electronic communications networks, trust service providers, TLD name registries and DNS service providers, the sole provider of an essential service in a member state, and entities whose disruption could significantly affect public safety, security or health.

What are the key differences between NIS1 and NIS2?

The NIS2 Directive represents a significant evolution from the original NIS Directive (NIS1), addressing its shortcomings and adapting to today’s more complex threat landscape. While NIS1 laid the foundation for EU-wide cybersecurity regulation, NIS2 broadens the scope, deepens enforcement mechanisms, and harmonizes implementation across member states.

Here’s a breakdown of the most important and specific differences between NIS1 (2016) and NIS2 (2022):

Scope and sector coverage

NIS2 dramatically expands who is covered and removes ambiguity by standardizing thresholds and sector definitions.

NIS1

NIS1 applied only to a narrow set of Operators of Essential Services (OES) (e.g., energy, transport, healthcare) and Digital Service Providers (DSPs) (e.g., cloud services, search engines). Each member state decided which operators qualified as “essential,” leading to inconsistencies across the EU.

NIS2

NIS2 applies to a much broader range of entities across the sectors of high criticality and other critical sectors defined in Annexes I and II. It introduces a two-tier classification:

  • Essential Entities (EE): large entities in Annex I sectors, plus certain providers regardless of size; higher risk, proactive supervision (e.g., energy, banking, healthcare, digital infrastructure)
  • Important Entities (IE): medium-sized entities in Annex I sectors and medium-sized and large entities in Annex II sectors; subject to reactive, ex post supervision (e.g., manufacturing, food, waste management, research)

NIS2 also applies a uniform size-cap rule (medium-sized and large entities in the listed sectors, with large meaning at least 250 employees, or annual turnover above €50 million and balance sheet total above €43 million) to determine applicability, improving consistency across the EU. It brings public administration bodies, space infrastructure, and a wider range of digital services into scope that were not covered under NIS1.

Security risk management requirements

NIS2 replaces NIS1’s open-ended “appropriate measures” standard with a concrete list of required measures, making compliance more measurable and enforceable.

NIS1

NIS1 required operators of essential services and digital service providers to take “appropriate and proportionate” technical and organizational measures (Articles 14 and 16), but:

  • Did not define those measures with any specificity, leaving wide discretion to national authorities and organizations.

NIS2

NIS2 lists the minimum measures every essential and important entity must implement (Article 21), including:

  • Supply chain security
  • Business continuity and crisis management
  • Vulnerability handling and disclosure
  • Multi-factor authentication, and policies on cryptography and encryption
  • Governance and management-body accountability (Article 20)

Entities must establish policies and procedures to assess the effectiveness of cybersecurity risk-management measures.

Incident reporting obligations

NIS2 standardizes incident reporting and introduces real-time operational accountability.

NIS1
  • Required incident notification “without undue delay,” wording that member states interpreted inconsistently.
  • No specific reporting timelines or clear escalation procedures.
NIS2
  • Introduces strict reporting timelines for significant incidents:
  • 24 hours – Early warning to the CSIRT or National Competent Authority (NCA), indicating whether unlawful or malicious action is suspected and whether cross-border impact is possible
  • 72 hours – Incident notification updating the early warning with an initial assessment of severity, impact, and indicators of compromise
  • 1 month after the incident notification – Final report with a detailed description, root cause, mitigation measures applied, and any cross-border impact
  • Defines a “significant incident” as one that has caused or is capable of causing severe operational disruption or financial loss to the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.

Governance and accountability

Cybersecurity is no longer just IT’s responsibility, and executives are now personally accountable.

NIS1
  • Vague requirements for management involvement in cybersecurity.
  • No mention of personal liability or executive-level oversight.
NIS2
  • Assigns executive accountability for compliance:
  • Boards and C-level leaders must approve and oversee cybersecurity risk management measures.
  • Management body members can be held liable for infringements of cybersecurity requirements by their entities, creating direct personal accountability for C-level leaders.
  • Encourages integration of cybersecurity into corporate governance practices.

Enforcement penalties

NIS2 introduces true enforcement penalties. Failure to comply now carries significant business and legal consequences.

NIS1
  • Lacked strong, harmonized enforcement mechanisms.
  • Member states had significant discretion in applying sanctions, leading to weak or inconsistent penalties.
NIS2
  • Introduces harmonized minimum enforcement powers and fine ceilings across the EU.
  • National authorities are empowered to:
  • Conduct on-site inspections, regular, targeted and ad hoc security audits, and security scans
  • Issue binding instructions, order corrective measures, and require information, data, and evidence of compliance
  • For essential entities, temporarily suspend a certification or authorization and temporarily ban individuals at CEO or legal-representative level from exercising managerial functions until compliance is restored
  • Fines for noncompliance (member states must set maximum fines of at least):
  • €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities
  • €7 million or 1.4% of total worldwide annual turnover, whichever is higher, for important entities

Cross-border coordination and harmonization

NIS2 aims to unify cybersecurity posture across all EU member states, enabling faster and more coherent responses to threats.

NIS1
  • Implementation varied significantly across member states, leading to fragmented practices.
  • No centralized vulnerability database or EU-wide crisis management system.
NIS2
  • Emphasizes EU-wide coordination and harmonization, including:
  • The Cooperation Group and the CSIRTs network for policy and operational cooperation between member states, and more uniform supervisory practices
  • EU-CyCLONe (European Cyber Crisis Liaison Organisation Network) for coordinated management of large-scale cyber incidents and crises
  • A European vulnerability database, developed and maintained by ENISA, supporting coordinated vulnerability disclosure and threat visibility

Supply chain and third-party risk

NIS2 treats third-party risk as a core cybersecurity issue, not an optional add-on.

NIS1
  • Did not explicitly require organizations to address third-party or supply chain cybersecurity.
NIS2
  • Requires entities to address security in their relationships with direct suppliers and service providers, taking into account each supplier’s specific vulnerabilities, product quality, and cybersecurity practices (including secure development), covering:
  • Service providers
  • IT vendors
  • Hosting and cloud partners
  • Expects this to be backed by contractual obligations, monitoring procedures, and vendor accountability mechanisms; at EU level, Article 22 adds coordinated security risk assessments of critical supply chains.

NIS2 cybersecurity requirements

You can read the official full text of the NIS2 Directive here:

NIS2 Directive (Directive (EU) 2022/2555) – EUR-Lex Official Source

The directive is available in all official EU languages and includes all articles and annexes that specify requirements, definitions, and enforcement mechanisms.

Under Article 21 of the NIS2 directive, all covered entities must implement technical, operational, and organizational cybersecurity risk management measures, proportionate to the risks they face, that cover at minimum:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including the security-related aspects of relationships with direct suppliers and service providers
  5. Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies, and asset management
  10. Multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems where appropriate

Governance sits alongside these measures in Article 20: management bodies must approve them, oversee their implementation, and follow cybersecurity training themselves.

Entities must also maintain incident reporting capabilities, with specific timeframes:

  • 24 hours for early warning
  • 72 hours for incident notification
  • One month after the incident notification for the final report (including root cause analysis and mitigation measures)

What is the structure of the NIS2 framework?

The NIS2 Directive is structured into nine chapters (46 articles) and two annexes. The chapters set out obligations for entities, responsibilities for EU member states, and mechanisms for cross-border coordination; the annexes list the sectors in scope. Here’s a breakdown of what each chapter includes:

Chapter I: General Provisions (Articles 1–6)

This chapter is critical for understanding how the law defines responsibilities and actors, including whether your organization falls under the directive’s jurisdiction.

What it covers:

  • Sets the subject matter, scope, and definitions used throughout the directive (e.g., network and information system, incident, significant cyber threat, cybersecurity risk-management measures).
  • Clarifies who the directive applies to: medium-sized and large entities in the Annex I and II sectors, plus specific entities regardless of size, based on sector, service criticality, and public impact.
  • Establishes minimum harmonization: member states may adopt rules stricter than the directive.
  • Explains how NIS2 relates to sector-specific EU legislation (such as DORA for the financial sector), which takes precedence where it imposes at least equivalent requirements, and to the GDPR.
  • Excludes public administration entities active in national security, public security, defense, or law enforcement, and allows member states to exempt other specific entities in those areas from some obligations; these exemptions do not apply to trust service providers.

Chapter II: Coordinated Cybersecurity Regulatory Frameworks (Articles 7–13)

Chapter II defines what each member state must put in place nationally.

What it covers:

  • Requires a national cybersecurity strategy and designates competent authorities and a single point of contact.
  • Requires national cyber crisis management frameworks and authorities.
  • Establishes CSIRTs and their tasks, and designates a CSIRT as coordinator for coordinated vulnerability disclosure.
  • Mandates a European vulnerability database, developed and maintained by ENISA, to record publicly known vulnerabilities (Article 12).

Chapter III: Cooperation at Union and International Level (Articles 14–19)

Chapter III builds the EU-level structures for policy and operational cooperation.

What it covers:

  • The Cooperation Group for strategic cooperation and information exchange between member states.
  • The CSIRTs network for operational cooperation.
  • EU-CyCLONe, the network responsible for coordinated management of large-scale cybersecurity incidents and crises that affect multiple member states (Article 16).
  • International cooperation, a biennial report on the state of cybersecurity in the Union, and voluntary peer reviews.

Chapter IV: Cybersecurity Risk-Management Measures and Reporting Obligations (Articles 20–25)

Chapter IV is the most operationally significant section for companies, as it defines what organizations must do to comply with NIS2.

What it covers:

  • Governance: management bodies must approve and oversee risk-management measures, can be held liable for infringements, and must follow cybersecurity training (Article 20).
  • The minimum cybersecurity risk-management measures entities must implement, including supply chain security and business continuity (Article 21).
  • EU-level coordinated security risk assessments of critical supply chains (Article 22).
  • Incident reporting: the 24-hour early warning, 72-hour incident notification, and one-month final report (Article 23).
  • Use of European cybersecurity certification schemes and of European and international standards (Articles 24 and 25).

Chapter V: Jurisdiction and Registration (Articles 26–28)

Chapter V determines which member state supervises an entity, especially if it operates across multiple EU countries.

What it covers:

  • Entities fall under the jurisdiction of the member state where they are established; specified digital infrastructure and digital providers fall under the member state of their main establishment, and non-EU providers of those services must designate a representative in the EU.
  • Member states must keep lists of essential and important entities (Article 3), and ENISA maintains an EU registry of the specified digital entities (Article 27), to which those entities must submit their contact details.
  • TLD name registries and domain registration service providers must maintain accurate domain name registration databases (Article 28).

Chapter VI: Information Sharing (Articles 29–30)

What it covers:

  • Allows entities to participate in cybersecurity information-sharing arrangements on threats, vulnerabilities, and incidents.
  • Permits voluntary notification of incidents, cyber threats, and near misses, including by entities outside the mandatory regime.

Chapter VII: Supervision and Enforcement (Articles 31–37)

Chapter VII differentiates the supervisory regimes for essential and important entities and sets penalties.

What it covers:

  • Essential entities are subject to both proactive supervision (e.g., regular audits, on-site inspections, security scans) and reactive measures.
  • Important entities are subject to ex post supervision (e.g., oversight initiated after evidence or indications of noncompliance).
  • Sets the minimum maximum administrative fines (€10 million or 2% of total worldwide annual turnover for essential entities; €7 million or 1.4% for important entities) and requires coordination with data protection authorities where an infringement involves a personal data breach.
  • Provides for mutual assistance between the authorities of different member states.

Chapter VIII: Delegated and Implementing Acts (Articles 38–39)

What it covers:

  • Empowers the Commission to adopt delegated and implementing acts, for example specifying the risk-management measures and reporting details for certain digital entities.

Chapter IX: Final Provisions (Articles 40–46)

This chapter provides the legal and procedural context for the directive’s implementation and future updates.

What it covers:

  • Requires the Commission to review the directive periodically, with the first review due by October 17, 2027.
  • Sets the deadline for member states to transpose the directive into national law (by October 17, 2024), with national measures applying from October 18, 2024.
  • Repeals the original NIS Directive (Directive (EU) 2016/1148) with effect from October 18, 2024.
  • Amends the eIDAS Regulation (EU) No 910/2014 and the European Electronic Communications Code (Directive (EU) 2018/1972) to align their security provisions with NIS2.

NIS2 Directive frequently asked questions

Does NIS2 apply to non-EU companies?

NIS2 applies to entities in the covered sectors that provide services or carry out activities in the EU, whether or not they are established there. For most sectors, supervision attaches to the member state where the entity is established. The directive spells out the position of non-EU providers only for the digital services listed in Article 26(3): DNS, TLD registry, domain registration, cloud computing, data center, content delivery network, managed service and managed security service, online marketplace, online search engine, and social networking platform providers. If your non-EU company offers one of those services in the EU, you must designate a representative in an EU member state where you provide it. Simply having users in the EU or running a platform that touches EU users is not enough to trigger the representative requirement; you must be offering one of those covered services within the Union.

How does NIS2 relate to the EU Cyber Resilience Act (CRA)?

The two overlap significantly but differ in focus: NIS2 is a directive regulating the security of entities that operate services, while the CRA is a regulation governing the security of products with digital elements placed on the EU market. For an in-depth guide on their specifics, check out our guide, Understanding the Relationship Between NIS2 and the EU Cyber Resilience Act.

What are the penalties for NIS2 noncompliance?

Fines vary based on entity classification: essential entities face fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher), while important entities face fines of up to €7 million or 1.4% of total worldwide annual turnover (whichever is higher). Authorities may also order corrective measures, temporarily suspend certifications or authorizations of essential entities, temporarily ban their executives from managerial functions, and hold management body members liable for infringements.

Is NIS2 enforced by the EU or by member states?

Each member state is responsible for national enforcement through its competent authorities, but NIS2 introduces stronger coordination through the Cooperation Group, the CSIRTs network, EU-CyCLONe, mandatory incident reporting, and harmonized supervisory practices.

Does NIS2 only apply to large organizations?

Not exactly. NIS2 uses a size-cap rule under which medium-sized and large entities in the covered sectors generally fall within scope. However, small enterprises and microenterprises are still included if they: are the sole provider in a member state of a service essential for critical societal or economic activities, could significantly affect public safety, security or health if disrupted, could cause significant systemic risk with cross-border impact, are critical because of their specific importance at national or regional level for a particular sector, or provide certain services (public electronic communications networks or services, trust services, TLD name registries, DNS services) regardless of size.

Does NIS2 affect my vendors?

NIS2 requires you to address supply chain security, which means assessing the risk your direct suppliers and service providers introduce and building security requirements into contracts and monitoring. Your vendors are not automatically in scope themselves unless they operate in a covered sector, but you are responsible for managing the risk they pose to your services. Vendor risk management is no longer optional.

Is there a NIS2 certification?

There is no single universal NIS2 certification, but the directive does address certification. Member states may require entities to use ICT products, services, and processes certified under European cybersecurity certification schemes, and the Commission can mandate specific certifications for categories of entities where cybersecurity levels are insufficient. Compliance is demonstrated through security audits (regular and targeted audits for essential entities, targeted audits for important entities), documented risk management practices, and adherence to incident reporting obligations.

How Hyperproof helps with NIS2 compliance

With real-time risk monitoring, incident response tracking, and automated workflows, Hyperproof simplifies meeting NIS2 obligations, reducing the burden of compliance and enhancing overall cybersecurity resilience.


Get an out-of-the-box NIS2 framework template

Jumpstart your NIS2 compliance journey with a pre-built framework template, including optional ISO 27001 and 27002 illustrative controls.

Gather and monitor all your risks in one place

Collect, manage, and monitor your risks and ensure risk mitigation work is prioritized and completed based on customizable inherent impact and tolerance.

Map controls across multiple frameworks

Crosswalk controls between programs to speed up NIS2 implementation. Avoid duplicative work and adhere to other frameworks, like the EU CRA, NIST CSF, GDPR, DORA, ISO 27001, and more.

Understand your NIS2 compliance posture at a glance

Get clear insights into your team’s progress on assessment requests with our dashboards and reports, designed for easy sharing with key stakeholders.

Ensure tasks are completed to meet your NIS2 timeline

Automatically assign tasks to meet NIS2 directive requirements and streamline workflows to boost efficiency, ensuring you never face delays.

Automatically gather evidence to meet NIS2 requirements

Leverage Hyperproof’s integrations, including AWS, Azure, GitHub, Jira, and more, to automate evidence collection and reuse that evidence across multiple controls.
