
The NIS2 Directive: Complete Guide to Directive (EU) 2022/2555
The NIS2 Directive (EU 2022/2555) is the EU's primary cybersecurity legislation. This guide covers the directive's structure, key articles, national transposition status, competent authorities, and how it differs from other EU cybersecurity laws.
The NIS2 Directive — formally Directive (EU) 2022/2555 — is the European Union's central cybersecurity legislation. Adopted on 14 December 2022 and published in the Official Journal of the European Union on 27 December 2022 (OJ L 333), it replaced the original NIS Directive and established mandatory cybersecurity obligations across 18 critical and important sectors.
This guide covers the directive as a legal instrument: its structure, key articles, transposition status, and its relationship to other EU cybersecurity legislation.
Quick Answers
| Question | Short answer |
|---|---|
| What is the legal text? | Directive (EU) 2022/2555, CELEX 32022L2555 |
| When did it enter into force? | 16 January 2023 |
| What was the transposition deadline? | 17 October 2024 |
| What changed after the deadline? | The Commission started infringement action because many Member States had not fully transposed NIS2 |
| What should companies do now? | Confirm scope, identify the national authority, build Article 21 controls, and prepare Article 23 reporting workflows |
Official Reference and Legal Basis
| Attribute | Detail |
|---|---|
| Official title | Directive (EU) 2022/2555 of the European Parliament and of the Council |
| Short title | NIS2 Directive |
| Adoption date | 14 December 2022 |
| Publication date | 27 December 2022 |
| OJ reference | OJ L 333, 27.12.2022, p. 80–152 |
| Entry into force | 16 January 2023 |
| Transposition deadline | 17 October 2024 |
| Legal basis | Article 114 TFEU (internal market) |
| EUR-Lex reference | 32022L2555 |
The directive replaces and repeals Directive (EU) 2016/1148 (the original NIS Directive). It is a directive — not a regulation — which means it required transposition into each Member State's national law. This contrasts with the approach taken for DORA (a regulation, directly applicable) and has led to variation in implementation timing and national specifics.
Why the NIS2 Directive Was Created
The original NIS Directive (2016/1148) was the EU's first sector-wide cybersecurity legislation. By 2020, its shortcomings were clear:
- Fragmented implementation: Each Member State transposed it differently, creating 27 different compliance regimes
- Too narrow: Only 7 sectors covered, with significant gaps in critical infrastructure
- Inconsistent enforcement: No minimum penalty thresholds meant nominal fines in some countries
- No supply chain requirements: The SolarWinds and Kaseya incidents exposed the risk of focusing only on direct network security
- No management accountability: Cybersecurity was treated as an IT issue, not a board-level responsibility
The European Commission initiated a review in 2020. The proposed directive was published in December 2020, negotiated through the EU legislative process throughout 2021–2022, and adopted in December 2022.
Structure of the Directive
The NIS2 Directive contains 46 articles across 7 chapters and 2 annexes, preceded by 144 recitals that provide legislative intent and context.
| Chapter | Title | Key Articles |
|---|---|---|
| I | General provisions | 1–6 (subject matter, scope, definitions) |
| II | Cybersecurity risk-management measures and reporting obligations | 20–26 (the core requirements) |
| III | Jurisdiction and registration | 26–27 |
| IV | European cybersecurity crisis management | 15–16, 19 |
| V | Information sharing | 29–30 |
| VI | Supervision and enforcement | 31–36 |
| VII | Final provisions | 37–46 (transposition, entry into force, repeal of NIS1) |
Annex I — Essential Entities (Highly Critical Sectors)
Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.
Annex II — Important Entities (Other Critical Sectors)
Postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing (medical devices, electronics, machinery, motor vehicles); digital providers; research organisations.
Key Articles for Organisations
Article 20 — Governance
Management bodies of essential and important entities must:
- Approve cybersecurity risk management measures
- Oversee their implementation
- Undergo cybersecurity training
- Bear personal liability for infringements
This article makes NIS2 compliance a board-level obligation, not just an IT function.
Article 21 — Cybersecurity Risk-Management Measures
The core operational requirement. Organisations must implement 10 specific measures:
- Risk analysis and information security policies
- Incident handling
- Business continuity and crisis management
- Supply chain security
- Security in network and information systems acquisition, development and maintenance
- Policies to assess effectiveness of cybersecurity risk management measures
- Basic cyber hygiene practices and cybersecurity training
- Cryptography and encryption policies
- Human resources security, access control, and asset management
- Use of multi-factor authentication and continuous authentication solutions
The directive specifies that these measures must be proportionate to the risk, taking into account the entity's exposure to risks, its size, the likelihood and severity of incidents, and the societal and economic impact of potential incidents.
Article 23 — Reporting Obligations
When a significant incident occurs, the affected entity must report to its national CSIRT or competent authority:
| Timeline | Report type | Content |
|---|---|---|
| 24 hours | Early warning | Suspected malicious cause; potential cross-border impact |
| 72 hours | Incident notification | Updated assessment, initial severity/impact, indicators of compromise |
| 1 month | Final report | Detailed description, root cause, mitigation measures, cross-border impact |
A "significant incident" is defined as one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or could affect other persons by causing considerable damage.
Article 24 — Use of European Cybersecurity Certification Schemes
Member States may require organisations to use specific EU cybersecurity certification schemes (under the EU Cybersecurity Act) to demonstrate compliance with certain aspects of Article 21. This creates a bridge between NIS2 and the EU's cybersecurity certification framework.
Articles 32–36 — Supervision and Enforcement
Essential entities are subject to proactive supervision (regular audits, on-site inspections, security scans). Important entities are subject to reactive supervision (triggered by incidents or evidence of non-compliance).
Penalty thresholds are set in Article 34:
- Essential entities: up to €10 million or 2% of global annual turnover
- Important entities: up to €7 million or 1.4% of global annual turnover
National Transposition Status and 2026 Enforcement Reality
The transposition deadline was 17 October 2024, and many Member States missed it. Rather than a single country table that quickly goes stale, the most useful update is the enforcement pattern:
- 28 November 2024: the European Commission opened infringement procedures against 23 Member States for failing to fully transpose NIS2.
- 7 May 2025: the Commission sent reasoned opinions to 19 Member States that had still not notified full transposition.
- 2026 operating reality: multi-country organisations need a country-by-country view of scope, registration, incident reporting channels, supervisory authority, and sector-specific guidance.
For planning, separate the EU-level directive from the national implementation layer:
| Country or market | What to verify locally |
|---|---|
| Germany | BSI supervision, KRITIS and covered entity thresholds, registration process, and German-language evidence expectations |
| France | ANSSI guidance, sector allocation, national reporting process, and implementation timeline |
| Netherlands | NCSC-NL and sector authority responsibilities, registration and incident notification process |
| Belgium | Centre for Cybersecurity Belgium (CCB) guidance, scope confirmation, and reporting process |
| Italy | ACN and CSIRT Italy reporting process, registration obligations, and sector guidance |
| Cross-border groups | Which legal entity is in scope, which authority receives reports, and how evidence is shared between entities |
The official European Commission transposition page should be treated as the starting point, not the only source. Your actual obligations depend on the national law and guidance applicable to the legal entity and sector.
National Competent Authorities
Each Member State designates one or more competent authorities responsible for NIS2 supervision. Key authorities:
| Country | Authority | Role |
|---|---|---|
| Germany | BSI (Bundesamt für Sicherheit in der Informationstechnik) | Supervision + national CSIRT |
| France | ANSSI (Agence nationale de la sécurité des systèmes d'information) | Supervision + national CSIRT |
| Netherlands | NCSC-NL + sector authorities | Supervision; NCSC-NL = national CSIRT |
| Belgium | CCB (Centre for Cybersecurity Belgium) | Supervision + national CSIRT |
| Italy | ACN (Agenzia per la Cybersicurezza Nazionale) | Supervision + national CSIRT |
Organisations must report significant incidents to their national CSIRT and may need to register with their competent authority.
NIS2 Directive vs. Other EU Cybersecurity Legislation
The NIS2 Directive is one piece of the EU's evolving cybersecurity regulatory framework. Understanding how it interacts with other legislation is essential for compliance planning:
| Regulation | Relationship to NIS2 |
|---|---|
| DORA (Digital Operational Resilience Act) | Lex specialis for the financial sector. Financial entities subject to DORA are deemed compliant with the equivalent NIS2 requirements. DORA is a regulation (directly applicable), not a directive. |
| Cyber Resilience Act (CRA) | Applies to manufacturers of products with digital elements. Complements NIS2 by addressing supply chain risk at the product level. CRA compliance can contribute to NIS2 Article 21 supply chain requirements. The CRA's September 2026 vulnerability reporting deadline is the first hard enforcement date for product manufacturers. |
| GDPR | NIS2 incident reporting (Article 23) and GDPR personal data breach reporting (Article 33 GDPR) may apply simultaneously for the same incident. Different timelines (NIS2: 24/72h; GDPR: 72h to supervisory authority). |
| EU Cybersecurity Act | Provides the certification framework referenced in NIS2 Article 24. EUCC, EU5G, and other schemes may be used to demonstrate NIS2 compliance. |
| eIDAS 2 / EUDIW | Digital identity regulation; overlaps with NIS2 for trust service providers and digital infrastructure operators. |
Key Definitions in the Directive (Article 6)
Article 6 defines 41 terms. The most important for compliance purposes:
- Essential entity: An entity listed in Annex I that meets the size threshold (or is in scope regardless of size)
- Important entity: An entity listed in Annex II that meets the size threshold
- Significant incident: An incident that has caused or is capable of causing severe disruption or financial loss, or that has caused or could cause considerable damage to others
- Network and information system: Electronic communications networks, devices, or software within such systems
- Cybersecurity: Activities to protect network and information systems against risks to their availability, authenticity, integrity, or confidentiality
- Incident: An event compromising the availability, authenticity, integrity, or confidentiality of stored, transmitted, or processed data or of services
What the NIS2 Directive Means for Your Organisation
The NIS2 Directive is not a compliance checkbox exercise. Its recitals (especially Recitals 79–93) make clear that the EU legislature intended operational cybersecurity, not just documented policies:
- Recital 79: Risk management measures must be proportionate and reflect actual risk exposure
- Recital 89: Incident reporting timelines are designed to ensure rapid information sharing to contain cross-border threats
- Recital 93: Management bodies must take direct ownership of cybersecurity risk, not delegate it entirely to technical teams
The directive's emphasis on management accountability (Article 20), continuous monitoring requirements, and supply chain security means compliance requires operational infrastructure — not just policy documents.
Organisations that want to demonstrate compliance credibly need:
- A functioning incident detection and reporting workflow capable of meeting 24/72-hour deadlines
- Supply chain monitoring that goes beyond annual questionnaires
- Evidence management that creates an auditable compliance trail
- Management training and governance showing board-level oversight
If you are deciding which tooling stack can support that operational layer, start with our compliance automation software comparison, compliance management software guide, and best ISMS software comparison, which separate EU-native operational workflows from generic framework mapping.
How Orbiq Helps With NIS2 Directive Compliance
Orbiq is built to address the operational gaps that make NIS2 directive compliance difficult in practice:
- Continuous Monitoring: Automated evidence collection across all 10 Article 21 measures, with real-time dashboards showing your compliance status
- Vendor Assurance: Centralised supplier assessments and continuous third-party monitoring to meet Article 21(2)(d) supply chain requirements
- Trust Center: A public-facing compliance portal that demonstrates your NIS2 posture to customers, regulators, and auditors
- Evidence Management: Automated collection and organisation of compliance evidence, creating the auditable trail that competent authorities expect under Articles 32–36
Unlike US-centric compliance platforms that treat NIS2 as an add-on, Orbiq is designed for European regulations from the ground up — with EU data residency and understanding of how competent authorities across DE, FR, NL, and BE approach NIS2 supervision.
Related NIS2 Articles
- What Is NIS2? Complete Guide to the EU NIS2 Directive
- NIS2 Compliance: How to Achieve and Maintain Compliance
- NIS2 Requirements: Complete Guide to What You Must Do
- NIS2 Compliance Checklist: Complete Article 21 Requirements
- NIS2 Incident Reporting: The 24-Hour Deadline
- NIS2 Supply Chain Security: Why Annual Assessments Aren't Enough
- ISO 27001 Is Not NIS2 Compliance
- NIS2 Audit Readiness: Continuous Evidence
- Compliance Management Software for European Companies
- Best ISMS Software for ISO 27001 and NIS2
Sources
- EUR-Lex — Directive (EU) 2022/2555 — official NIS2 legal text.
- European Commission — NIS2 transposition in EU countries — state-of-play and infringement update.
- European Commission — 23 Member States called to fully transpose NIS2, 28 November 2024 — letters of formal notice.
- European Commission — 19 Member States sent reasoned opinions, 7 May 2025 — reasoned opinions.
Last updated 13 April 2026. Transposition status changes through national laws and Commission notifications; verify country-specific details before relying on deadlines.