
NIS2 Compliance: The Complete Guide for European Businesses
Everything you need to know about NIS2 compliance — who is affected, what's required, deadlines, penalties, and how to become compliant. The definitive guide for EU organisations.
The NIS2 Directive (Directive 2022/2555) is the EU's most significant cybersecurity legislation. It replaces the original NIS Directive with dramatically expanded scope, stricter requirements, and real enforcement teeth. If your organisation operates in the EU, there's a strong chance NIS2 applies to you.
This guide covers everything: who is affected, what you need to do, the timelines, the penalties, and how to build a compliance programme that actually works operationally — not just on paper.
What Is NIS2?
NIS2 — the Network and Information Security Directive 2 — is an EU directive that establishes cybersecurity obligations for organisations operating across critical and important sectors. Adopted on 14 December 2022 and published as Directive 2022/2555, it aims to achieve a high common level of cybersecurity across the European Union.
The directive responds to the rapidly evolving threat landscape and the shortcomings of its predecessor. The original NIS Directive (2016) left too much discretion to Member States, resulting in fragmented implementation and inconsistent enforcement. NIS2 fixes this with:
- Broader scope: 18 sectors instead of 7
- Clearer obligations: Specific risk management measures in Article 21
- Strict incident reporting: 24-hour early warning, 72-hour full notification
- Supply chain focus: Explicit requirements for third-party risk management
- Management accountability: Personal liability for executives
- Harmonised penalties: A floor for the maximum administrative fine that every Member State must provide for
Who Needs to Comply With NIS2?
NIS2 divides in-scope organisations into essential and important entities. Sector and size decide the category together: large enterprises in Annex I sectors are essential, medium-sized Annex I entities and all in-scope Annex II entities are important, and a few entity types (listed under Size Thresholds) are essential regardless of size.
Essential Entities (Annex I sectors)
These are the sectors of high criticality, where disruption would have severe consequences:
| Sector | Examples |
|---|---|
| Energy | Electricity, oil, gas, hydrogen, district heating |
| Transport | Air, rail, water, road |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Healthcare providers, EU reference laboratories, pharma, medical devices |
| Drinking water | Supply and distribution |
| Wastewater | Collection, disposal, treatment |
| Digital infrastructure | IXPs, DNS, TLD registries, cloud, data centres, CDNs, trust services, public electronic communications networks and services |
| ICT service management (B2B) | Managed service providers, managed security service providers |
| Public administration | Central government entities |
| Space | Operators of ground-based infrastructure |
Important Entities (Annex II sectors)
| Sector | Examples |
|---|---|
| Postal and courier services | Licensed providers |
| Waste management | Collection, treatment, disposal |
| Chemicals | Manufacturing, production, distribution |
| Food | Production, processing, distribution |
| Manufacturing | Medical devices, electronics, machinery, motor vehicles |
| Digital providers | Online marketplaces, search engines, social networking |
| Research | Research organisations |
Size Thresholds
Generally, NIS2 applies to organisations in the above sectors that are medium-sized or larger under the EU SME definition (Recommendation 2003/361):
- Medium-sized: 50 or more employees, or both annual turnover and balance sheet total above €10M (headcount alone is decisive; the financial test is only met when both figures exceed the ceiling)
- Large: 250 or more employees, or both turnover above €50M and balance sheet total above €43M; large Annex I entities are essential, medium-sized Annex I entities are important
- Regardless of size: trust service providers, TLD name registries, DNS service providers and providers of public electronic communications networks or services are in scope whatever their size, and qualified trust service providers, TLD registries and DNS providers are essential entities regardless of size
The directive also brings in, regardless of size, entities that are the sole provider of an essential service in a Member State or whose disruption could significantly affect public safety, security or health, and Member States may designate further entities based on national risk assessments.
The Ten NIS2 Risk Management Measures
Article 21 requires an all-hazards approach, and Article 21(2) lists ten measures that every in-scope entity must implement at a minimum. These are the core of NIS2 compliance:
1. Risk Analysis and Information System Security Policies
Establish and maintain policies for risk analysis covering your information systems. This includes regular risk assessments, risk treatment plans, and documented security policies.
What this means operationally: You need a living risk register, not a document that sits in a drawer. Regular reviews, updated threat assessments, and clear ownership of risks.
2. Incident Handling
Implement procedures for detecting, managing, and responding to security incidents.
What this means operationally: You need an incident response plan that people actually know how to execute. NIS2's reporting timelines (24-hour early warning, 72-hour full notification) mean your detection and escalation must be fast.
3. Business Continuity and Crisis Management
Ensure business continuity through backup management, disaster recovery, and crisis management procedures.
What this means operationally: Tested backup and recovery procedures. Not just documented — tested. BCP exercises that prove you can actually restore operations.
4. Supply Chain Security
Address security risks in relationships with direct suppliers and service providers, including contractual requirements and monitoring.
What this means operationally: This is where most organisations have the biggest gap. Annual vendor questionnaires are not enough. NIS2 expects continuous assessment of your supply chain's cybersecurity posture.
5. Security in Network and Information Systems
Ensure security in the acquisition, development, and maintenance of your systems, including vulnerability handling and disclosure.
What this means operationally: Vulnerability management programmes with defined SLAs. Coordinated vulnerability disclosure processes. Security-by-design in procurement.
6. Policies to Assess Effectiveness
Implement policies and procedures to assess the effectiveness of your cybersecurity risk management measures.
What this means operationally: Regular audits, penetration testing, security metrics, and management reviews that actually drive improvement.
7. Cybersecurity Hygiene and Training
Establish basic cyber hygiene practices and cybersecurity training for all staff.
What this means operationally: Security awareness programmes, phishing simulations, role-based training for technical staff, and management-level cybersecurity training (NIS2 explicitly requires this for management bodies).
8. Cryptography and Encryption
Implement policies on the use of cryptography and, where appropriate, encryption.
What this means operationally: Defined standards for data encryption at rest and in transit, key management procedures, and regular review of cryptographic implementations.
9. Human Resources Security and Access Control
Address human resources security, access control policies, and asset management.
What this means operationally: Background checks, onboarding/offboarding procedures, least-privilege access, regular access reviews, and asset inventory management.
10. Multi-Factor Authentication
Use multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.
What this means operationally: MFA deployed across critical systems, not just email. Secured voice, video, and text communications. Consideration of zero-trust architecture principles.
NIS2 Incident Reporting Requirements
One of the most significant changes from the original NIS Directive is the tightened, multi-stage reporting timeline in Article 23. The 24-hour and 72-hour clocks start when the entity becomes aware of the significant incident; the final-report clock starts when the incident notification is submitted:
| Deadline | Requirement | What to Include |
|---|---|---|
| 24 hours after becoming aware | Early warning to the CSIRT or competent authority | Whether the incident is suspected to be caused by unlawful or malicious acts; whether it could have cross-border impact |
| 72 hours after becoming aware | Incident notification | Update of the early-warning information; initial assessment of severity and impact; indicators of compromise where available |
| On request | Intermediate report | Relevant status updates |
| 1 month after the incident notification | Final report | Detailed description including severity and impact; type of threat or root cause likely to have triggered it; mitigation measures applied and ongoing; cross-border impact where applicable |
If the incident is still ongoing when the final report falls due, a progress report is submitted instead and the final report follows within one month of the incident being handled. Trust service providers must submit the incident notification itself within 24 hours for incidents affecting their trust services.
A "significant incident" that triggers reporting is one that:
- Has caused or is capable of causing severe operational disruption or financial loss
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
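The clocks above are easy to get wrong under pressure, particularly the fact that the final-report deadline depends on when you actually sent the 72-hour notification. The following tracker is an added example written for this guide, not Orbiq's code or anything in the directive; it assumes a single significant incident with timezone-aware UTC timestamps, treats "one month" as a calendar month clamped to the last valid day, and leaves the ongoing-incident progress report and the 24-hour trust-service-provider variant out of the model. The sample incident timestamps are constructed.

```python
"""NIS2 Article 23 reporting-clock tracker (added example, not Orbiq's code).

Early warning (24 h) and incident notification (72 h) run from the moment
the entity becomes aware; the final report runs from the moment the
incident notification is submitted. All timestamps are timezone-aware.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def add_one_month(t: datetime) -> datetime:
    """One calendar month later, clamped to the last valid day (31 Jan -> 28 Feb)."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


@dataclass
class SignificantIncident:
    """An incident already judged significant under Article 23(3) (severe
    disruption or financial loss for the entity, or considerable damage to
    others); that judgement is made before this object is created."""
    aware_at: datetime
    early_warning_sent_at: Optional[datetime] = None
    notification_sent_at: Optional[datetime] = None
    final_report_sent_at: Optional[datetime] = None

    def deadlines(self) -> dict[str, datetime]:
        # Until the notification is actually sent, project the final-report
        # deadline from the last lawful moment to send it (aware + 72 h).
        notification_basis = self.notification_sent_at or (
            self.aware_at + INCIDENT_NOTIFICATION
        )
        return {
            "early_warning": self.aware_at + EARLY_WARNING,
            "incident_notification": self.aware_at + INCIDENT_NOTIFICATION,
            "final_report": add_one_month(notification_basis),
        }

    def status(self, now: datetime) -> dict[str, str]:
        """Per submission: 'submitted', 'submitted late', 'overdue' or 'pending'."""
        sent = {
            "early_warning": self.early_warning_sent_at,
            "incident_notification": self.notification_sent_at,
            "final_report": self.final_report_sent_at,
        }
        result = {}
        for name, due in self.deadlines().items():
            sent_at = sent[name]
            if sent_at is not None:
                result[name] = "submitted" if sent_at <= due else "submitted late"
            elif now > due:
                result[name] = "overdue"
            else:
                result[name] = "pending"
        return result

    def hours_left(self, name: str, now: datetime) -> float:
        """Hours until the named submission is due (negative when overdue)."""
        return (self.deadlines()[name] - now).total_seconds() / 3600


# Constructed scenario: the SOC confirms a ransomware outbreak at 09:30 UTC,
# sends the early warning the next morning and the notification a day later.
UTC = timezone.utc
INCIDENT = SignificantIncident(
    aware_at=datetime(2025, 3, 10, 9, 30, tzinfo=UTC),
    early_warning_sent_at=datetime(2025, 3, 11, 8, 0, tzinfo=UTC),
    notification_sent_at=datetime(2025, 3, 12, 15, 0, tzinfo=UTC),
)

if __name__ == "__main__":
    now = datetime(2025, 3, 12, 16, 0, tzinfo=UTC)
    for name, due in INCIDENT.deadlines().items():
        print(f"{name:22s} due {due:%Y-%m-%d %H:%M} UTC  {INCIDENT.status(now)[name]}")
```

Because the notification went out at 15:00 on 12 March, the final report is due on 12 April at 15:00, not on 13 April as a naive "awareness plus one month plus three days" calculation would suggest. Wiring `status()` into a ticketing or paging system is the practical step: an "overdue" early warning should page someone, not sit in a dashboard.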
NIS2 Penalties and Enforcement
NIS2 introduces harmonised penalty thresholds across Member States:
For Essential Entities
- Administrative fines with a national maximum of at least €10 million or 2% of total worldwide annual turnover, whichever is higher
- Competent authorities can impose temporary bans on management functions
- Possible suspension of certifications or authorisations
For Important Entities
- Administrative fines with a national maximum of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher
Management Liability
Article 20 explicitly requires management bodies to:
- Approve cybersecurity risk management measures
- Oversee their implementation
- Accept personal liability: management bodies can be held liable for infringements of Article 21
- Undergo cybersecurity training
This personal liability provision is new and significant. Executives can no longer delegate cybersecurity responsibility without accountability.
NIS2 Implementation Timeline
| Date | Milestone |
|---|---|
| 16 January 2023 | NIS2 entered into force |
| 17 October 2024 | Deadline for Member State transposition into national law |
| 17 April 2025 | Deadline for Member States to establish a list of essential and important entities |
| Ongoing | National transposition acts with their own enforcement start dates (Germany's NIS2UmsuCG among the late ones) |
Many Member States missed the October 2024 transposition deadline, and the Commission opened infringement proceedings against them in November 2024. As of early 2026, implementation status still varies:
- Transposed and enforcing: Belgium, Croatia, Hungary, Latvia, Lithuania among the earliest
- Transposed, enforcement ramping up: Several others
- Late transposers: Germany (NIS2UmsuCG) and several others, where the obligations bind entities only from the date the national act takes effect
Regardless of national transposition status, the directive's requirements represent the regulatory direction for all EU Member States.
How to Achieve NIS2 Compliance: A Practical Roadmap
Step 1: Determine If You're In Scope
Check whether your organisation falls within the 18 sectors and meets the size thresholds. Consider:
- Your primary economic activity: the Annexes describe entity types rather than naming NACE codes, but national authorities and registration portals commonly map them to NACE codes
- Whether you're a medium or large enterprise
- Whether you're in a sector category that applies regardless of size
Step 2: Classify Your Entity Type
Determine whether you're an essential or important entity. This affects:
- Which supervisory regime applies (proactive ex ante plus ex post supervision for essential entities; ex post only for important entities)
- The maximum penalty thresholds
- Registration and notification requirements
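Steps 1 and 2 together are a decision procedure, and the size rules under Size Thresholds have two traps: the financial test is "and/or" (both turnover and balance sheet must exceed the ceiling), and a medium-sized Annex I entity is important, not essential. The classifier below is an added example written for this guide, not Orbiq's code or a legal determination; it models the general rule of Articles 2 and 3 and the size-independent categories named above, and deliberately leaves out the sole-provider and public-safety criteria, critical-entity status under the CER Directive and Member State designations. The sample entities and their figures are constructed.

```python
"""NIS2 scope and entity-type check (added example, not Orbiq's code).

Encodes Article 2 (size thresholds via the EU SME definition in
Recommendation 2003/361) and Article 3 (essential vs important) for the
general case. Sole-provider and public-safety criteria, CER critical-entity
status and Member State designations are not modelled.
"""
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    I = "Annex I (sectors of high criticality)"
    II = "Annex II (other critical sectors)"


@dataclass(frozen=True)
class Entity:
    name: str
    annex: Annex
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    # Size-independent categories from Article 2(2) and Article 3(1).
    trust_service_provider: bool = False
    qualified_trust_service_provider: bool = False
    tld_registry_or_dns_provider: bool = False
    public_ecn_provider: bool = False  # public electronic communications networks/services


def exceeds(e: Entity, headcount: int, turnover: float, balance: float) -> bool:
    """Recommendation 2003/361 ceiling test.

    Headcount alone is enough to exceed a category. The financial ceilings
    are 'and/or', so on money alone an enterprise only exceeds the category
    when BOTH turnover and balance sheet total are above it.
    """
    return e.employees >= headcount or (
        e.turnover_eur > turnover and e.balance_sheet_eur > balance
    )


def size_class(e: Entity) -> str:
    """'large', 'medium' or 'small' (micro is folded into small)."""
    if exceeds(e, 250, 50e6, 43e6):
        return "large"
    if exceeds(e, 50, 10e6, 10e6):
        return "medium"
    return "small"


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope'."""
    size = size_class(e)
    # Article 3(1): essential regardless of size.
    if e.qualified_trust_service_provider or e.tld_registry_or_dns_provider:
        return "essential"
    # Article 3(1): telecom providers are essential once they are medium-sized.
    if e.public_ecn_provider and size != "small":
        return "essential"
    # Article 3(1): large enterprises in Annex I sectors.
    if e.annex is Annex.I and size == "large":
        return "essential"
    # Article 2(2): in scope regardless of size; small ones land as important.
    size_independent = e.trust_service_provider or e.public_ecn_provider
    if size == "small" and not size_independent:
        return "out of scope"
    # Article 3(2): everything else in scope is an important entity.
    return "important"


# Constructed sample entities; names and figures are illustrative only.
SAMPLES = [
    Entity("university hospital", Annex.I, 3_000, 600e6, 900e6),
    Entity("regional clinic", Annex.I, 120, 20e6, 15e6),
    Entity("food processor", Annex.II, 400, 80e6, 60e6),
    Entity("machine shop", Annex.II, 30, 20e6, 5e6),  # and/or rule: still small
    Entity("boutique DNS host", Annex.I, 8, 1e6, 0.5e6, tld_registry_or_dns_provider=True),
    Entity("village ISP", Annex.I, 20, 3e6, 2e6, public_ecn_provider=True),
]


def classify_all(entities=SAMPLES) -> dict:
    """Map each entity name to its NIS2 category."""
    return {e.name: classify(e) for e in entities}


if __name__ == "__main__":
    for name, result in classify_all().items():
        print(f"{name:22s} -> {result}")
```

Run it and the two traps show up directly: the 120-employee clinic in an Annex I sector comes out as important, and the 30-employee machine shop with €20M turnover stays out of scope because its balance sheet is under the €10M ceiling. Treat the output as a first screen, then confirm against the national transposition act and your authority's registration guidance, since both can widen the net.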
Step 3: Conduct a Gap Analysis
Map your current security posture against the ten Article 21 measures. If you have an ISO 27001 ISMS, you likely cover 60-70% at the documentation level. Key gaps typically include:
- Incident reporting capability (24/72-hour timelines)
- Supply chain security (continuous monitoring)
- Evidence management (demonstrable compliance)
- Management training and accountability
Step 4: Build Your Compliance Programme
Focus on the operational gaps. NIS2 is not just about having policies — it's about demonstrating that your measures work:
- Implement or upgrade your incident detection and reporting workflows
- Establish supply chain risk management with continuous monitoring
- Deploy tools for evidence collection and compliance tracking
- Train management on their obligations and liabilities
Step 5: Establish Continuous Compliance
NIS2 compliance is not a one-time project. Build systems that maintain compliance continuously:
- Automated evidence collection
- Real-time compliance dashboards
- Regular testing and assessment cycles
- Vendor monitoring and re-assessment
NIS2 vs ISO 27001: Understanding the Relationship
Many organisations ask whether ISO 27001 certification equals NIS2 compliance. The short answer: no, but it's a strong foundation.
| Aspect | ISO 27001 | NIS2 |
|---|---|---|
| Nature | Voluntary international standard | EU directive, binding on entities through each Member State's transposition law |
| Scope | Information security management | Cybersecurity risk management + incident reporting |
| Incident reporting | Internal procedures | 24/72-hour reporting to authorities |
| Supply chain | Risk assessment | Continuous monitoring + contractual requirements |
| Penalties | Loss of certification | Fines up to €10M / 2% turnover + personal liability |
| Evidence | Audit-based (annual) | Continuous demonstration capability |
| Management | Management commitment | Personal liability for management bodies |
NIS2 Article 25 requires Member States to encourage the use of European and international standards and technical specifications as a means of demonstrating compliance with Article 21; it does not name ISO/IEC 27001, but that is the obvious candidate. The operational execution requirements, particularly around incident reporting timelines, supply chain monitoring, and evidence management, go beyond what a standard ISMS delivers.
How Orbiq Helps With NIS2 Compliance
Orbiq is built for European compliance from the ground up. As a Trust Center platform, it addresses the operational gaps that matter most for NIS2:
- Supply chain security: Centralise vendor assessments, automate questionnaire distribution, monitor third-party compliance posture continuously
- Evidence management: Collect and organise compliance evidence automatically, creating an auditable trail that survives regulatory scrutiny
- Incident readiness: Documented response procedures with clear escalation paths and notification workflows
- Compliance visibility: Real-time dashboards showing your compliance status across all ten Article 21 measures
- Trust Center: A public-facing portal that demonstrates your compliance posture to customers, auditors, and regulators
Unlike US-centric platforms that retrofit European regulations as an afterthought, Orbiq is designed for GDPR, NIS2, and DORA from day one — with EU data residency and European-first thinking.
Further Reading
Explore our detailed NIS2 guides:
- NIS2 Compliance Checklist: Article 21 Measures — Detailed assessment of each measure against a typical ISMS
- NIS2 Incident Reporting: The 24-Hour Deadline — What to report, when, and how
- NIS2 Supply Chain Security — Managing third-party risk under NIS2
- ISO 27001 Is Not NIS2 Compliance — Why certification alone isn't enough
- NIS2: Affected but Operationally Unprepared — Common gaps between ISMS and NIS2
This guide is maintained by the Orbiq team and updated as national implementations progress. Last updated: March 2026.