NIS2 Directive (EU 2022/2555): Requirements & Deadlines
Published Mar 16, 2026
Updated Jun 10, 2026
By Orbiq Team

The NIS2 Directive (EU 2022/2555) explained: who it covers, Article 21 security measures, reporting deadlines, transposition status, and how to comply.

NIS2
EU Directive
Cybersecurity Legislation
Compliance

The NIS2 Directive: Complete Guide to Directive (EU) 2022/2555

The NIS2 Directive — formally Directive (EU) 2022/2555 — is the European Union's central cybersecurity legislation. Adopted on 14 December 2022 and published in the Official Journal of the European Union on 27 December 2022 (OJ L 333), it replaced the original NIS Directive and established mandatory cybersecurity obligations across 18 critical and important sectors.

This guide covers the directive as a legal instrument: its structure, key articles, transposition status, and its relationship to other EU cybersecurity legislation.

Quick Answers

Question | Short answer
What is the legal text? | Directive (EU) 2022/2555, CELEX 32022L2555
When did it enter into force? | 16 January 2023
What was the transposition deadline? | 17 October 2024
What changed after the deadline? | The Commission started infringement action because many Member States had not fully transposed NIS2
What should companies do now? | Confirm scope, identify the national authority, build Article 21 controls, and prepare Article 23 reporting workflows

Official Reference and Legal Basis

Attribute | Detail
Official title | Directive (EU) 2022/2555 of the European Parliament and of the Council
Short title | NIS2 Directive
Adoption date | 14 December 2022
Publication date | 27 December 2022
OJ reference | OJ L 333, 27.12.2022, p. 80–152
Entry into force | 16 January 2023
Transposition deadline | 17 October 2024
Legal basis | Article 114 TFEU (internal market)
EUR-Lex reference | 32022L2555

The directive replaces and repeals Directive (EU) 2016/1148 (the original NIS Directive). It is a directive — not a regulation — which means it required transposition into each Member State's national law. This contrasts with the approach taken for DORA (a regulation, directly applicable) and has led to variation in implementation timing and national specifics.


Why the NIS2 Directive Was Created

The original NIS Directive (2016/1148) was the EU's first sector-wide cybersecurity legislation. By 2020, its shortcomings were clear:

  • Fragmented implementation: Each Member State transposed it differently, creating 27 different compliance regimes
  • Too narrow: Only 7 sectors covered, with significant gaps in critical infrastructure
  • Inconsistent enforcement: No minimum penalty thresholds meant nominal fines in some countries
  • No supply chain requirements: The SolarWinds and Kaseya incidents exposed the risk of focusing only on direct network security
  • No management accountability: Cybersecurity was treated as an IT issue, not a board-level responsibility

The European Commission initiated a review in 2020. The proposed directive was published in December 2020, negotiated through the EU legislative process throughout 2021–2022, and adopted in December 2022.


Structure of the Directive

The NIS2 Directive contains 46 articles across 7 chapters and 2 annexes, preceded by 144 recitals that provide legislative intent and context.

Chapter | Title | Key Articles
I | General provisions | 1–6 (subject matter, scope, definitions)
II | Cybersecurity risk-management measures and reporting obligations | 20–26 (the core requirements)
III | Jurisdiction and registration | 26–27
IV | European cybersecurity crisis management | 15–16, 19
V | Information sharing | 29–30
VI | Supervision and enforcement | 31–36
VII | Final provisions | 37–46 (transposition, entry into force, repeal of NIS1)

The annexes define sectors by description, not by statistical code. In practice, national transposition laws and ENISA guidance map each sector to NACE Rev. 2 economic-activity codes so organisations can confirm scope. The tables below pair each NIS2 sector with its indicative NACE reference.

Annex I — Sectors of High Criticality (Essential Entities)

Sector | Sub-sectors (illustrative) | Indicative NACE Rev. 2
Energy | Electricity, district heating/cooling, oil, gas, hydrogen | D35; C19; B06
Transport | Air, rail, water, road | H49–H51
Banking | Credit institutions | K64.19
Financial market infrastructures | Trading venues, central counterparties | K64.99; K66
Health | Healthcare providers, EU reference labs, medicine manufacturing | Q86; C21
Drinking water | Suppliers and distributors of water for human consumption | E36
Wastewater | Collection, disposal, treatment of urban/industrial wastewater | E37
Digital infrastructure | IXPs, DNS, TLD registries, cloud, data centres, CDNs, trust service providers, electronic communications | J61–J63
ICT service management (B2B) | Managed service providers, managed security service providers | J62
Public administration | Central and (where designated) regional government | O84
Space | Operators of ground-based infrastructure supporting space services | H51; M71

Annex II — Other Critical Sectors (Important Entities)

Sector | Sub-sectors (illustrative) | Indicative NACE Rev. 2
Postal and courier services | Postal service providers, courier/parcel delivery | H53
Waste management | Collection, treatment, disposal of waste | E38
Chemicals | Manufacture, production, distribution | C20; G46.75
Food | Production, processing, distribution | C10; G46.3
Manufacturing | Medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles, other transport equipment | C26; C27; C28; C29; C30; C32.5
Digital providers | Online marketplaces, search engines, social networking platforms | J63
Research | Research organisations | M72

NACE references are indicative only. The legally binding scope is the sector description in Annexes I and II, read together with the Article 2 scope rules and your national transposition law — never the NACE code on its own.


Key Articles for Organisations

Article 20 — Governance

Management bodies of essential and important entities must:

  • Approve cybersecurity risk management measures
  • Oversee their implementation
  • Undergo cybersecurity training
  • Bear personal liability for infringements

This article makes NIS2 compliance a board-level obligation, not just an IT function.

Article 21 — Cybersecurity Risk-Management Measures

The core operational requirement. Organisations must implement 10 specific measures:

  1. Risk analysis and information security policies
  2. Incident handling
  3. Business continuity and crisis management
  4. Supply chain security
  5. Security in network and information systems acquisition, development and maintenance
  6. Policies to assess effectiveness of cybersecurity risk management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Cryptography and encryption policies
  9. Human resources security, access control, and asset management
  10. Use of multi-factor authentication and continuous authentication solutions

The directive specifies these measures must be proportionate to the risk, taking into account exposure to risks, organisation size, the likelihood and severity of incidents, and the societal and economic impact of potential incidents. Measure 1 effectively requires a documented risk management framework; ISO/IEC 27005, aligned with ENISA's interoperable EU framework, is the most common way to satisfy it.

Mapping Article 21 measures to ISO 27001:2022 Annex A

Most organisations already running an ISO 27001 ISMS can evidence the bulk of Article 21 against existing Annex A controls. ISO 27001 is a strong foundation but not automatically NIS2 compliance — NIS2 adds governance liability (Article 20), statutory reporting (Article 23), and supervisory registration that sit outside the standard (see ISO 27001 Is Not NIS2 Compliance). The mapping below shows the most relevant Annex A (ISO/IEC 27002:2022) controls for each measure.

Article 21(2) measure | Most relevant ISO/IEC 27001:2022 Annex A controls
(a) Risk analysis & information security policies | A.5.1, A.5.9, A.5.12, A.5.35 (clauses 6.1.2–6.1.3)
(b) Incident handling | A.5.24–A.5.28, A.6.8, A.8.15, A.8.16
(c) Business continuity, backup & crisis management | A.5.29, A.5.30, A.8.13, A.8.14
(d) Supply chain security | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23
(e) Security in acquisition, development & maintenance | A.8.8, A.8.9, A.8.19, A.8.25, A.8.28
(f) Effectiveness assessment | A.5.35, A.5.36 (clauses 9.1, 9.2, 9.3)
(g) Cyber hygiene & training | A.5.15, A.6.3, A.8.7, A.8.8 (clause 7.3)
(h) Cryptography & encryption | A.8.24
(i) HR security, access control & asset management | A.6.1–A.6.6, A.5.15–A.5.18, A.5.9–A.5.11
(j) MFA & secured communications | A.5.16, A.5.17, A.8.5, A.5.14

MFA (measure j) is not named explicitly in ISO 27001 but is the standard risk-based implementation of A.8.5 (secure authentication). The gap that ISO 27001 does not close — and that supervisory authorities will check — is the statutory and governance layer: Article 20 management training and liability, Article 23 reporting workflows, and national registration.

Article 23 — Reporting Obligations

When a significant incident occurs, the affected entity must report to its national CSIRT or competent authority:

Timeline | Report type | Content
24 hours | Early warning | Suspected malicious cause; potential cross-border impact
72 hours | Incident notification | Updated assessment, initial severity/impact, indicators of compromise
1 month | Final report | Detailed description, root cause, mitigation measures, cross-border impact

A "significant incident" is defined as one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or could affect other persons by causing considerable damage.

Article 24 — Use of European Cybersecurity Certification Schemes

Member States may require organisations to use specific EU cybersecurity certification schemes (under the EU Cybersecurity Act) to demonstrate compliance with certain aspects of Article 21. This creates a bridge between NIS2 and the EU's cybersecurity certification framework.

Articles 32–36 — Supervision and Enforcement

Essential entities are subject to proactive supervision (regular audits, on-site inspections, security scans). Important entities are subject to reactive supervision (triggered by incidents or evidence of non-compliance).

Penalty thresholds are set in Article 34:

  • Essential entities: up to €10 million or 2% of global annual turnover
  • Important entities: up to €7 million or 1.4% of global annual turnover

National Transposition Status and 2026 Enforcement Reality

The transposition deadline was 17 October 2024. Only four Member States met it; most missed it. The most important update is not a single country table that goes stale. It is the enforcement pattern, which by mid-2026 has reached the Court of Justice:

  • 28 November 2024: the European Commission opened infringement procedures (letters of formal notice) against 23 Member States for failing to fully transpose NIS2.
  • 7 May 2025: the Commission sent reasoned opinions to 19 Member States that had still not notified full transposition.
  • 2026: the Commission has escalated the slowest cases toward the Court of Justice of the EU (CJEU) — the final infringement stage, and the only one that can impose lump-sum and daily financial penalties on a Member State. France and Spain have been reported among those referred for non-transposition.
  • State of play by mid-2026: roughly 20 Member States have national NIS2 laws adopted or in force, with a minority still pending. Luxembourg, for example, transposed NIS2 with its law of 5 May 2026 (in force 10 May 2026; covered entities must self-register by 10 July 2026) — a useful illustration that "the deadline" is increasingly a national go-live date, not the 2024 EU date.
  • No concluded fines yet: as of mid-2026, no national authority (BSI, CCB, ANSSI, ACN and peers) has published a finalised NIS2 administrative fine. Legal commentators describe 2026 as the year the first enforcement actions begin, now that supervisory regimes are live.
  • Operating reality: multi-country organisations need a country-by-country view of scope, registration, incident reporting channels, supervisory authority, and sector-specific guidance.

For planning, separate the EU-level directive from the national implementation layer:

Country or market | What to verify locally
Germany | BSI supervision, KRITIS and covered-entity thresholds, registration process, and German-language evidence expectations
France | ANSSI guidance, sector allocation, national reporting process, and implementation timeline
Netherlands | NCSC-NL and sector authority responsibilities, registration and incident notification process
Belgium | Centre for Cybersecurity Belgium (CCB) guidance, scope confirmation, and reporting process
Italy | ACN and CSIRT Italy reporting process, registration obligations, and sector guidance
Cross-border groups | Which legal entity is in scope, which authority receives reports, and how evidence is shared between entities

The official European Commission transposition page should be treated as the starting point, not the only source. Your actual obligations depend on the national law and guidance applicable to the legal entity and sector.


National Competent Authorities

Each Member State designates one or more competent authorities responsible for NIS2 supervision. Key authorities:

Country | Authority | Role
Germany | BSI (Bundesamt für Sicherheit in der Informationstechnik) | Supervision + national CSIRT
France | ANSSI (Agence nationale de la sécurité des systèmes d'information) | Supervision + national CSIRT
Netherlands | NCSC-NL + sector authorities | Supervision; NCSC-NL = national CSIRT
Belgium | CCB (Centre for Cybersecurity Belgium) | Supervision + national CSIRT
Italy | ACN (Agenzia per la Cybersicurezza Nazionale) | Supervision + national CSIRT

Organisations must report significant incidents to their national CSIRT and may need to register with their competent authority.


NIS2 Beyond the EU-27: the UK and Norway/EEA

NIS2 is an EU directive, but Europe's cybersecurity perimeter is wider than the EU-27. Pan-European groups operating in the UK and the EEA face parallel — and in places stricter — regimes that any NIS2 programme should be designed against.

United Kingdom — Cyber Security and Resilience Bill

The UK did not adopt NIS2; it is replacing its own NIS Regulations 2018 with the Cyber Security and Resilience (Network and Information Systems) Bill. The Bill was announced in the July 2024 King's Speech, introduced to Parliament on 12 November 2025, and had its Second Reading on 6 January 2026. Royal Assent is expected during 2026, with much of the substance arriving later through secondary legislation and codes of practice — full operational effect is not anticipated until around 2028.

Practical differences from NIS2 for cross-border operators:

  • Scope: the UK Bill expands NIS1 to cover data centres, managed service providers (MSPs), and designated "critical suppliers", but is narrower and more flexible than NIS2's enumerated 18 sectors — sectors can be added later by ministerial designation.
  • Reporting: broadly aligned — a 24-hour initial notification and 72-hour full report to the regulator and the NCSC (the UK CSIRT).
  • Penalties: in some respects harsher than NIS2's minimums — up to £17 million or 4% of worldwide turnover for serious breaches, £10 million or 2% for less serious ones, plus daily penalties.

A company in scope of both regimes cannot assume NIS2 evidence satisfies UK obligations — the duties overlap but the triggers, designations, and codes of practice differ.

Norway and the EEA

Norway is not in the EU but is in the European Economic Area (EEA), so NIS2 reaches it through the EEA Agreement rather than directly. Two tracks run in parallel:

  • Digital Security Act (digitalsikkerhetsloven) — an extended implementation of the original NIS1, in force since 1 October 2025. It designates Nasjonal sikkerhetsmyndighet (NSM) as the national single point of contact and already allows penalties of up to 4% of turnover (capped around NOK 50 million).
  • NIS2 alignment — planned mainly through amendments to the Security Act (sikkerhetsloven) once NIS2 is incorporated into the EEA Agreement's Annex XI. The Norwegian implementation plan targets the law entering into force around 1 July 2026, a registration deadline of 1 October 2026, and first NSM/sector-regulator audits from mid-2027, expanding scope from roughly 600 to about 5,000 organisations. NSM acts as national CSIRT, with the same 24-hour / 72-hour / 30-day reporting ladder.

For a multi-entity European group, the practical takeaway is that the operational controls (Article 21-style measures) are broadly portable across EU, UK, and Norway, but the reporting channels, registration, and supervisory authorities are jurisdiction-specific — which is exactly the layer a single evidence system has to manage.


NIS2 Directive vs. Other EU Cybersecurity Legislation

The NIS2 Directive is one piece of the EU's evolving cybersecurity regulatory framework. Understanding how it interacts with other legislation is essential for compliance planning:

Regulation | Relationship to NIS2
DORA (Digital Operational Resilience Act) | Lex specialis for the financial sector. Financial entities subject to DORA are deemed compliant with the equivalent NIS2 requirements. DORA is a regulation (directly applicable), not a directive.
Cyber Resilience Act (CRA) | Applies to manufacturers of products with digital elements. Complements NIS2 by addressing supply chain risk at the product level; CRA compliance can contribute to the NIS2 Article 21 supply chain requirements. The CRA's September 2026 vulnerability reporting deadline is the first hard enforcement date for product manufacturers.
GDPR | NIS2 incident reporting (Article 23) and GDPR personal data breach reporting (Article 33 GDPR) may apply simultaneously to the same incident, on different timelines (NIS2: 24/72 h; GDPR: 72 h to the supervisory authority).
EU Cybersecurity Act | Provides the certification framework referenced in NIS2 Article 24. EUCC, EU5G, and other schemes may be used to demonstrate NIS2 compliance.
eIDAS 2 / EUDIW | Digital identity regulation; overlaps with NIS2 for trust service providers and digital infrastructure operators.

Key Definitions in the Directive (Article 6)

Article 6 defines 41 terms. The most important for compliance purposes:

  • Essential entity: An entity listed in Annex I that meets the size threshold (or is in scope regardless of size)
  • Important entity: An entity listed in Annex II that meets the size threshold
  • Significant incident: An incident that has caused or is capable of causing severe disruption or financial loss, or that has caused or could cause considerable damage to others
  • Network and information system: Electronic communications networks, devices, or software within such systems
  • Cybersecurity: Activities to protect network and information systems against risks to their availability, authenticity, integrity, or confidentiality
  • Incident: An event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of services

What the NIS2 Directive Means for Your Organisation

The NIS2 Directive is not a compliance checkbox exercise. Its recitals (especially Recitals 79–93) make clear that the EU legislature intended operational cybersecurity, not just documented policies:

  • Recital 79: Risk management measures must be proportionate and reflect actual risk exposure
  • Recital 89: Incident reporting timelines are designed to ensure rapid information sharing to contain cross-border threats
  • Recital 93: Management bodies must take direct ownership of cybersecurity risk, not delegate it entirely to technical teams

The directive's emphasis on management accountability (Article 20), continuous monitoring requirements, and supply chain security means compliance requires operational infrastructure — not just policy documents.

Organisations that want to demonstrate compliance credibly need:

  1. A functioning incident detection and reporting workflow capable of meeting 24/72-hour deadlines
  2. Supply chain monitoring that goes beyond annual questionnaires
  3. Evidence management that creates an auditable compliance trail
  4. Management training and governance showing board-level oversight

If you are deciding which tooling stack can support that operational layer, start with our NIS2 software comparison, compliance automation software comparison, compliance management software guide, and best ISMS software comparison, which separate EU-native operational workflows from generic framework mapping.


How Orbiq Helps With NIS2 Directive Compliance

Orbiq is built to address the operational gaps that make NIS2 directive compliance difficult in practice:

  • Continuous Monitoring: Automated evidence collection across all 10 Article 21 measures, with real-time dashboards showing your compliance status
  • Vendor Assurance: Centralised supplier assessments and continuous third-party monitoring to meet Article 21(2)(d) supply chain requirements
  • Trust Center: A public-facing compliance portal that demonstrates your NIS2 posture to customers, regulators, and auditors
  • Evidence Management: Automated collection and organisation of compliance evidence, creating the auditable trail that competent authorities expect under Articles 32–36

Unlike US-centric compliance platforms that treat NIS2 as an add-on, Orbiq is designed for European regulations from the ground up — with EU data residency and understanding of how competent authorities across DE, FR, NL, and BE approach NIS2 supervision.



Sources

  1. EUR-Lex — Directive (EU) 2022/2555 — official NIS2 legal text.
  2. European Commission — NIS2 Directive policy page — state-of-play, transposition, and enforcement.
  3. European Commission — 23 Member States called to fully transpose NIS2, 28 November 2024 — letters of formal notice.
  4. European Commission — 19 Member States sent reasoned opinions, 7 May 2025 — reasoned opinions.
  5. ENISA — NIS2 Directive resources — implementation guidance and technical measures.
  6. ISO/IEC 27001:2022 — information security management system standard referenced in the Annex A mapping.
  7. UK Parliament — Cyber Security and Resilience Bill — UK NIS reform, introduced 12 November 2025.
  8. Nasjonal sikkerhetsmyndighet (NSM) — Norwegian national security authority and CSIRT for NIS implementation via the EEA.

Last updated 10 June 2026. Transposition status changes through national laws and Commission notifications; verify country-specific details before relying on deadlines.

Frequently Asked Questions

What is the NIS2 Directive?

The NIS2 Directive (Directive EU 2022/2555) is the European Union's primary cybersecurity legislation. It replaces the original NIS Directive (2016/1148) and establishes mandatory cybersecurity risk management and incident reporting obligations for organisations in 18 critical and important sectors across all EU Member States.

What is the official reference for the NIS2 Directive?

The NIS2 Directive is officially titled 'Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union'. It was published in the Official Journal of the European Union on 27 December 2022 (OJ L 333).

What is the legal basis of the NIS2 Directive?

The NIS2 Directive is based on Article 114 of the Treaty on the Functioning of the European Union (TFEU), which concerns the establishment and functioning of the internal market. This legal basis reflects the directive's dual purpose: harmonising cybersecurity standards while reducing fragmentation across EU Member States.

Which countries have transposed the NIS2 Directive?

NIS2 transposition is still a country-by-country issue. The official EU deadline was 17 October 2024. The European Commission opened infringement procedures against 23 Member States on 28 November 2024 and sent reasoned opinions to 19 Member States on 7 May 2025 for failing to notify full transposition. By 2026, some countries had adopted national laws while others remained in legislative or notification processes. Organisations should verify the current state through the European Commission transposition page and their national competent authority.

How many articles does the NIS2 Directive have?

The NIS2 Directive contains 46 articles across 7 chapters, plus 2 annexes. The most critical articles for organisations are Article 20 (governance), Article 21 (risk management measures), Article 23 (incident reporting), and Article 24 (use of European cybersecurity certification schemes).

What is the difference between the NIS Directive and the NIS2 Directive?

The NIS2 Directive replaces the original NIS Directive (2016/1148) with significant changes: broader sector coverage (18 sectors vs 7), harmonised size thresholds (50+ employees or €10M+ turnover), stricter incident reporting timelines (24-hour early warning), explicit supply chain security requirements, management body liability provisions, and minimum penalty thresholds (€10M/2% for essential entities).

Where can I find the NIS2 Directive text?

The full text of the NIS2 Directive is available on the EUR-Lex database at eur-lex.europa.eu. Search for '32022L2555' or 'Directive 2022/2555'. The document includes all 46 articles, 2 annexes (listing sectors), and 144 recitals explaining the legislative intent.

When does the NIS2 Directive apply to my company?

NIS2 generally applies to organisations active in an Annex I or Annex II sector that meet the size-cap rule: medium-sized or larger, meaning at least 50 employees or annual turnover/balance sheet above €10 million. Some entities (such as DNS providers, TLD registries, trust service providers, and certain public administration) are in scope regardless of size. The exact thresholds and any sector-specific extensions are set by your national transposition law.

What is the difference between essential and important entities under NIS2?

Essential entities are larger organisations in the highly critical Annex I sectors (broadly 250+ employees or over €50M turnover) and face proactive supervision — audits and inspections — plus fines up to €10 million or 2% of global turnover. Important entities are Annex II organisations and smaller Annex I entities; they face reactive supervision (triggered by incidents) and lower fine caps of €7 million or 1.4% of global turnover.

What are the fines for NIS2 non-compliance?

Article 34 sets minimum maximum fines that Member States must provide: up to €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and up to €7 million or 1.4% (whichever is higher) for important entities. These are minimum ceilings — national laws may set higher amounts. As of mid-2026 no finalised NIS2 fine has been published; the first enforcement actions are expected during 2026.
