
The NIS2 Directive: Complete Guide to Directive (EU) 2022/2555
The NIS2 Directive (EU 2022/2555) is the EU's primary cybersecurity legislation. This guide covers the directive's structure, key articles, national transposition status, competent authorities, and how it differs from other EU cybersecurity laws.
The NIS2 Directive — formally Directive (EU) 2022/2555 — is the European Union's central cybersecurity legislation. Adopted on 14 December 2022 and published in the Official Journal of the European Union on 27 December 2022 (OJ L 333), it replaced the original NIS Directive and established mandatory cybersecurity obligations across 18 critical and important sectors.
This guide covers the directive as a legal instrument: its structure, key articles, transposition status, and its relationship to other EU cybersecurity legislation.
Official Reference and Legal Basis
| Attribute | Detail |
|---|---|
| Official title | Directive (EU) 2022/2555 of the European Parliament and of the Council |
| Short title | NIS2 Directive |
| Adoption date | 14 December 2022 |
| Publication date | 27 December 2022 |
| OJ reference | OJ L 333, 27.12.2022, p. 80–152 |
| Entry into force | 16 January 2023 |
| Transposition deadline | 17 October 2024 |
| Legal basis | Article 114 TFEU (internal market) |
| EUR-Lex reference | 32022L2555 |
The directive replaces and repeals Directive (EU) 2016/1148 (the original NIS Directive). It is a directive — not a regulation — which means it required transposition into each Member State's national law. This contrasts with the approach taken for DORA (a regulation, directly applicable) and has led to variation in implementation timing and national specifics.
Why the NIS2 Directive Was Created
The original NIS Directive (2016/1148) was the EU's first sector-wide cybersecurity legislation. By 2020, its shortcomings were clear:
- Fragmented implementation: Each Member State transposed it differently, creating 27 different compliance regimes
- Too narrow: Only 7 sectors covered, with significant gaps in critical infrastructure
- Inconsistent enforcement: No minimum penalty thresholds meant nominal fines in some countries
- No supply chain requirements: The SolarWinds and Kaseya incidents exposed the risk of focusing only on direct network security
- No management accountability: Cybersecurity was treated as an IT issue, not a board-level responsibility
The European Commission initiated a review in 2020. The proposed directive was published in December 2020, negotiated through the EU legislative process throughout 2021–2022, and adopted in December 2022.
Structure of the Directive
The NIS2 Directive contains 46 articles across 7 chapters and 2 annexes, preceded by 146 recitals that provide legislative intent and context.
| Chapter | Title | Key Articles |
|---|---|---|
| I | General provisions | 1–6 (subject matter, scope, definitions) |
| II | Cybersecurity risk-management measures and reporting obligations | 20–26 (the core requirements) |
| III | Jurisdiction and registration | 26–27 |
| IV | European cybersecurity crisis management | 15–16, 19 |
| V | Information sharing | 29–30 |
| VI | Supervision and enforcement | 31–36 |
| VII | Final provisions | 37–46 (transposition, entry into force, repeal of NIS1) |
Annex I — Essential Entities (Highly Critical Sectors)
Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.
Annex II — Important Entities (Other Critical Sectors)
Postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing (medical devices, electronics, machinery, motor vehicles); digital providers; research organisations.
Key Articles for Organisations
Article 20 — Governance
Management bodies of essential and important entities must:
- Approve cybersecurity risk management measures
- Oversee their implementation
- Undergo cybersecurity training
- Bear personal liability for infringements
This article makes NIS2 compliance a board-level obligation, not just an IT function.
Article 21 — Cybersecurity Risk-Management Measures
The core operational requirement. Organisations must implement 10 specific measures:
- Risk analysis and information security policies
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems acquisition, development and maintenance
- Policies to assess effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Cryptography and encryption policies
- Human resources security, access control, and asset management
- Use of multi-factor authentication and continuous authentication solutions
The directive specifies these measures must be proportionate to the risk, taking into account exposure to risks, organisation size, the likelihood and severity of incidents, and the societal and economic impact of potential incidents.
Article 23 — Reporting Obligations
When a significant incident occurs, the affected entity must report to its national CSIRT or competent authority:
| Timeline | Report type | Content |
|---|---|---|
| 24 hours | Early warning | Suspected malicious cause; potential cross-border impact |
| 72 hours | Incident notification | Updated assessment, initial severity/impact, indicators of compromise |
| 1 month | Final report | Detailed description, root cause, mitigation measures, cross-border impact |
A "significant incident" is defined as one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or could affect other persons by causing considerable damage.
Article 24 — Use of European Cybersecurity Certification Schemes
Member States may require organisations to use specific EU cybersecurity certification schemes (under the EU Cybersecurity Act) to demonstrate compliance with certain aspects of Article 21. This creates a bridge between NIS2 and the EU's cybersecurity certification framework.
Articles 32–36 — Supervision and Enforcement
Essential entities are subject to proactive supervision (regular audits, on-site inspections, security scans). Important entities are subject to reactive supervision (triggered by incidents or evidence of non-compliance).
Penalty thresholds are set in Article 34:
- Essential entities: up to €10 million or 2% of global annual turnover
- Important entities: up to €7 million or 1.4% of global annual turnover
National Transposition Status (March 2026)
The transposition deadline was 17 October 2024. Many Member States missed this deadline. As of March 2026:
| Country | Status | National Act |
|---|---|---|
| Belgium | Transposed | NIS2 Law (2024) |
| Croatia | Transposed | National cybersecurity law (2024) |
| Hungary | Transposed | Cybersecurity Act amendments |
| Latvia | Transposed | Information Technology Security Law amendments |
| Lithuania | Transposed | Law on Cybersecurity |
| Germany | Transposed | NIS2UmsuCG (BSI Act amendment, December 2025) |
| Italy | Transposed | Legislative Decree 138/2024 |
| Netherlands | In process | Wbni amendment under review |
| France | Partial | ANSSI implementing measures ongoing |
| Others | Varying | Ongoing legislative processes |
Germany's late transposition (December 2025) is significant given its industrial sector size. German organisations face a registration deadline with BSI around April 2026 and a first audit deadline of June 2026.
National Competent Authorities
Each Member State designates one or more competent authorities responsible for NIS2 supervision. Key authorities:
| Country | Authority | Role |
|---|---|---|
| Germany | BSI (Bundesamt für Sicherheit in der Informationstechnik) | Supervision + national CSIRT |
| France | ANSSI (Agence nationale de la sécurité des systèmes d'information) | Supervision + national CSIRT |
| Netherlands | NCSC-NL + sector authorities | Supervision; NCSC-NL = national CSIRT |
| Belgium | CCB (Centre for Cybersecurity Belgium) | Supervision + national CSIRT |
| Italy | ACN (Agenzia per la Cybersicurezza Nazionale) | Supervision + national CSIRT |
Organisations must report significant incidents to their national CSIRT and may need to register with their competent authority.
NIS2 Directive vs. Other EU Cybersecurity Legislation
The NIS2 Directive is one piece of the EU's evolving cybersecurity regulatory framework. Understanding how it interacts with other legislation is essential for compliance planning:
| Regulation | Relationship to NIS2 |
|---|---|
| DORA (Digital Operational Resilience Act) | Lex specialis for financial sector. Financial entities subject to DORA are deemed compliant with equivalent NIS2 requirements. DORA is a regulation (directly applicable), not a directive. |
| Cyber Resilience Act (CRA) | Applies to manufacturers of products with digital elements. Complements NIS2 by addressing supply chain risk at the product level. CRA compliance can contribute to NIS2 Article 21 supply chain requirements. |
| GDPR | NIS2 incident reporting (Article 23) and GDPR personal data breach reporting (Article 33 GDPR) may apply simultaneously for the same incident. Different timelines (NIS2: 24/72h; GDPR: 72h to supervisory authority). |
| EU Cybersecurity Act | Provides the certification framework referenced in NIS2 Article 24. EUCC, EU5G, and other schemes may be used to demonstrate NIS2 compliance. |
| eIDAS 2 / EUDIW | Digital identity regulation; overlaps with NIS2 for trust service providers and digital infrastructure operators. |
Key Definitions in the Directive (Article 6)
Article 6 defines 41 terms. The most important for compliance purposes:
- Essential entity: An entity listed in Annex I that meets the size threshold (or is in scope regardless of size)
- Important entity: An entity listed in Annex II that meets the size threshold
- Significant incident: An incident that has caused or is capable of causing severe disruption or financial loss, or that has caused or could cause considerable damage to others
- Network and information system: Electronic communications networks, devices, or software within such systems
- Cybersecurity: Activities to protect network and information systems against risks to their availability, authenticity, integrity, or confidentiality
- Incident: An event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of services
What the NIS2 Directive Means for Your Organisation
The NIS2 Directive is not a compliance checkbox exercise. Its recitals (especially Recitals 79–93) make clear that the EU legislature intended operational cybersecurity, not just documented policies:
- Recital 79: Risk management measures must be proportionate and reflect actual risk exposure
- Recital 89: Incident reporting timelines are designed to ensure rapid information sharing to contain cross-border threats
- Recital 93: Management bodies must take direct ownership of cybersecurity risk, not delegate it entirely to technical teams
The directive's emphasis on management accountability (Article 20), continuous monitoring requirements, and supply chain security means compliance requires operational infrastructure — not just policy documents.
Organisations that want to demonstrate compliance credibly need:
- A functioning incident detection and reporting workflow capable of meeting 24/72-hour deadlines
- Supply chain monitoring that goes beyond annual questionnaires
- Evidence management that creates an auditable compliance trail
- Management training and governance showing board-level oversight
How Orbiq Helps With NIS2 Directive Compliance
Orbiq is built to address the operational gaps that make NIS2 directive compliance difficult in practice:
- Continuous Monitoring: Automated evidence collection across all 10 Article 21 measures, with real-time dashboards showing your compliance status
- Vendor Assurance: Centralised supplier assessments and continuous third-party monitoring to meet Article 21(2)(d) supply chain requirements
- Trust Center: A public-facing compliance portal that demonstrates your NIS2 posture to customers, regulators, and auditors
- Evidence Management: Automated collection and organisation of compliance evidence, creating the auditable trail that competent authorities expect under Articles 32–36
Unlike US-centric compliance platforms that treat NIS2 as an add-on, Orbiq is designed for European regulations from the ground up — with EU data residency and understanding of how competent authorities across DE, FR, NL, and BE approach NIS2 supervision.
Related NIS2 Articles
- What Is NIS2? Complete Guide to the EU NIS2 Directive
- NIS2 Compliance: How to Achieve and Maintain Compliance
- NIS2 Requirements: Complete Guide to What You Must Do
- NIS2 Compliance Checklist: Complete Article 21 Requirements
- NIS2 Incident Reporting: The 24-Hour Deadline
- NIS2 Supply Chain Security: Why Annual Assessments Aren't Enough
- ISO 27001 Is Not NIS2 Compliance
- NIS2 Audit Readiness: Continuous Evidence
Last updated March 2026. Transposition status is updated as national implementations progress.