
NIS2 Requirements: Complete Guide to What You Must Do (2026)
All NIS2 requirements in one place — the 10 Article 21 risk management measures, incident reporting timelines, management liability, registration obligations, and 2026 enforcement updates.
The NIS2 Directive (Directive 2022/2555) creates specific, legally binding requirements for organisations operating in critical sectors across the EU. Knowing you're in scope is one thing. Understanding exactly what you must do is another.
This guide consolidates all NIS2 requirements in one place — the ten risk management measures, incident reporting timelines, management obligations, registration requirements, and the latest 2026 enforcement updates. If you want a broader overview of what NIS2 is and who it applies to, see our What Is NIS2? Complete Guide. For a step-by-step compliance roadmap, see our NIS2 Compliance Guide.
Who Is Subject to NIS2 Requirements?
Before diving into the requirements, confirm you're in scope. NIS2 applies to organisations that meet both criteria:
- Operate in one of 18 designated sectors (see below)
- Meet size thresholds: 50+ employees OR €10M+ annual turnover
Essential Entities (Annex I)
Large organisations (250+ employees or €50M+ turnover) in the most critical sectors:
| Sector | Examples |
|---|---|
| Energy | Electricity, gas, district heating, oil, hydrogen |
| Transport | Air, rail, water, road |
| Banking | Credit institutions |
| Financial market infrastructure | Trading venues, central counterparties |
| Health | Hospitals, EU reference labs, pharma, medical devices |
| Drinking water | Supply and distribution |
| Wastewater | Collection, disposal, treatment |
| Digital infrastructure | DNS, TLD registries, IXPs, cloud, data centres, CDNs, trust services |
| ICT service management (B2B) | Managed service providers, managed security service providers |
| Public administration | Central government entities |
| Space | Ground-based infrastructure operators |
Important Entities (Annex II)
Medium organisations (50+ employees or €10M+ turnover) in additional sectors:
| Sector | Examples |
|---|---|
| Postal and courier services | Licensed providers |
| Waste management | Collection, treatment, disposal |
| Chemicals | Manufacturing, production, distribution |
| Food | Production, processing, distribution |
| Manufacturing | Medical devices, electronics, machinery, vehicles |
| Digital providers | Online marketplaces, search engines, social networks |
| Research | Research organisations |
Size exceptions: DNS service providers, TLD registries, qualified trust service providers, and telecom providers are subject to NIS2 regardless of size.
The Five NIS2 Requirement Areas
NIS2 requirements cluster into five areas, each with its own obligations and enforcement mechanisms:
| Area | Core Requirement | Article |
|---|---|---|
| Risk management | Ten technical and organisational measures | Article 21 |
| Incident reporting | 24h / 72h / 1-month tiered reporting | Article 23 |
| Governance & accountability | Management approval, oversight, and liability | Article 20 |
| Registration | Register with national competent authority | Article 27 |
| Evidence management | On-demand proof of compliance | Supervisory framework |
The Ten Article 21 Risk Management Measures
Article 21 of the NIS2 Directive is the heart of the regulation's technical requirements. Organisations must implement measures that are "appropriate and proportionate" to their risk profile, size, and potential incident impact. Being proportionate does not mean minimal — it means calibrated.
(a) Risk Analysis and Information System Security Policies
Establish and maintain documented policies for risk analysis covering your information systems. Regular reviews, documented threat assessments, and clear risk ownership are required.
ISMS coverage: ✅ Core ISO 27001 component. An existing ISMS fully covers this if it's maintained actively — not just certified once.
(b) Incident Handling
Implement procedures for detecting, managing, and responding to security incidents. Given the 24-hour early warning requirement, your incident detection and escalation process must be fast, tested, and documented.
ISMS coverage: ⚠️ Process exists in most ISMS implementations, but the operational 24-hour capability — getting the right information to the right people and to the CSIRT in time — is typically absent.
What's needed operationally: Pre-drafted notification templates, incident classification checklists, tabletop exercises, and automated escalation triggers.
(c) Business Continuity and Crisis Management
Ensure business continuity through backup management, disaster recovery procedures, and crisis management capabilities. These must be tested — not just documented.
ISMS coverage: ✅ Standard in ISO 27001 / ISO 22301 implementations. Verify that recovery time objectives are current and tests are conducted at least annually.
(d) Supply Chain Security
Address security risks from direct suppliers and service providers. NIS2 explicitly requires consideration of the specific vulnerabilities of each supplier — meaning continuous monitoring of supply chain security posture, not annual questionnaires.
ISMS coverage: ⚠️ Most ISMS implementations include point-in-time vendor assessments. NIS2 expects continuous monitoring. This is the most common operational gap.
What's needed operationally: Vendor monitoring tools, NIS2-specific contractual clauses, centralised supply chain risk dashboards. Orbiq's vendor assurance platform automates this.
(e) Security in Network and Information Systems Acquisition, Development, and Maintenance
Address security across the entire lifecycle of your systems — procurement, development, and maintenance — including vulnerability handling and coordinated disclosure.
ISMS coverage: ✅ ISO 27001 Annex A controls cover secure development and vulnerability management. Verify that patch SLAs are defined and tracked.
(f) Policies to Assess Effectiveness of Cybersecurity Measures
Implement policies and procedures to assess whether your cybersecurity measures actually work. Regulators may request evidence on demand — annual audit reports alone are insufficient.
ISMS coverage: ⚠️ Audit processes exist, but the ability to produce compliance evidence on demand — for any point in time — is typically absent. This is the evidence management gap.
What's needed operationally: Automated evidence collection, continuously updated compliance dashboards, an auditable trail that survives regulatory inspection.
(g) Cybersecurity Hygiene and Training
Implement basic cyber hygiene practices and cybersecurity training for all staff. Critically, NIS2 Article 20(2) explicitly requires that management body members also undergo cybersecurity training — and that this training is documented.
ISMS coverage: ✅ Security awareness programmes are standard in ISO 27001. Add management-specific training records to satisfy the liability documentation requirement.
(h) Cryptography and Encryption
Maintain policies on the use of cryptography and, where appropriate, encryption — covering data at rest, data in transit, and key management.
ISMS coverage: ✅ Covered by ISO 27001. Ensure your cryptography policy reflects current standards and key management procedures are documented and followed.
(i) Human Resources Security, Access Control, and Asset Management
Address personnel security through background checks and onboarding/offboarding procedures; maintain least-privilege access controls; keep an accurate and current IT asset inventory.
ISMS coverage: ✅ Core ISO 27001 coverage. Verify that asset inventory is current and access reviews are conducted on a defined schedule.
(j) Multi-Factor Authentication and Secure Communications
Deploy multi-factor authentication where appropriate, and ensure secured communications for voice, video, and text — including backup communications that function even when primary infrastructure is compromised.
ISMS coverage: ⚠️ MFA is typically deployed, but secured emergency communications — channels that survive a major incident — are frequently missing.
Incident Reporting Requirements (Article 23)
When a significant incident occurs, NIS2 imposes a three-tier reporting obligation:
| Timeline | Report Type | Required Content |
|---|---|---|
| Within 24 hours | Early warning | Whether the incident is suspected to involve unlawful or malicious acts; whether it may have cross-border impact |
| Within 72 hours | Incident notification | Updated assessment of severity and impact; indicators of compromise; initial root cause hypothesis |
| Within 1 month | Final report | Full incident description, confirmed root cause, mitigation measures applied, cross-border impact assessment |
What Constitutes a "Significant" Incident?
An incident is reportable when it:
- Has caused or is capable of causing severe operational disruption or financial loss to your organisation
- Has affected or is capable of affecting other persons by causing considerable material or non-material damage
In practice, the following events typically trigger reporting obligations:
- Ransomware attacks affecting critical services
- DDoS attacks impacting service availability
- Data breaches involving credentials to critical systems
- Supply chain compromises entering through third parties
- Systematic exploitation of high-severity vulnerabilities
Important: The 24-hour clock starts when the incident is classified as significant — not from initial detection. A clear incident classification procedure significantly reduces the time between discovery and the early warning submission.
For more detail on the reporting process, see our NIS2 Incident Reporting: The 24-Hour Deadline guide.
Management Accountability Requirements (Article 20)
Article 20 of NIS2 makes cybersecurity a board-level obligation — legally and explicitly:
- Approval: Management bodies must formally approve the cybersecurity risk management measures
- Oversight: Management must oversee implementation — not delegate without accountability
- Training: Management body members must complete regular cybersecurity training
- Liability: Management can be held personally liable for infringements
For essential entities, authorities may impose a temporary ban on individuals exercising management functions in cases of repeated violations or gross negligence.
What this requires in practice:
- A documented board resolution approving the cybersecurity measures
- Regular cybersecurity briefings and training records for all management body members
- Evidence that management has reviewed and signed off on the risk management programme
- Clear escalation procedures that reach management when incidents occur
This personal liability provision fundamentally changes the governance calculus. Cybersecurity can no longer be treated as a purely technical matter.
Registration Requirements (Article 27)
In-scope organisations must register with their national competent authority. Registration typically requires:
- Organisation name, address, and contact details
- Sector and type of entity (essential or important)
- Services and activities covered
- IP address ranges and domain names used
2026 national deadlines:
- Germany: Registration with the BSI (Bundesamt für Sicherheit in der Informationstechnik) required within three months of the amended BSI Act entering into force (December 6, 2025), making the registration deadline approximately April 2026
- Italy: Annual registration window ran January 1 – February 28, 2026
- Other Member States: Registration deadlines vary with national transposition timelines
NIS2 Penalties and Enforcement
NIS2 sets minimum penalty thresholds that apply across all Member States. National implementations may set higher maximums.
Financial Penalties
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10 million or 2% of total worldwide annual turnover — whichever is higher |
| Important entities | €7 million or 1.4% of total worldwide annual turnover — whichever is higher |
Non-Financial Enforcement Powers
Beyond fines, national competent authorities can:
- Issue warnings and binding instructions requiring specific measures
- Order public disclosure of non-compliance
- Suspend certifications or authorisations
- Impose temporary management bans (essential entities)
- Order immediate remediation with defined deadlines
2026 Enforcement Updates
Several significant developments have shaped NIS2 enforcement in 2026:
Germany's transposition (December 2025): Unlike other Member States that passed standalone laws, Germany amended the existing BSI Act. This means German entities now operate under the updated BSI framework with specific registration, reporting, and audit obligations tied to the BSI as competent authority.
Audit deadline extension: The first compliance audit deadline was extended from December 31, 2025, to June 30, 2026 across several Member States, giving organisations additional preparation time.
Commission amendments (January 2026): On January 20, 2026, the European Commission proposed targeted amendments to NIS2 to increase legal clarity and reduce compliance burden for approximately 28,700 companies, including 6,200 micro and small enterprises. These amendments are expected to ease certain proportionality requirements without changing the core obligations.
Transposition status: As of March 2026, the majority of Member States have now transposed NIS2 into national law. France, Spain, and Poland remain in final legislative stages. Enforcement is actively ramping up in countries that transposed earlier (Belgium, Croatia, Hungary, Latvia, Lithuania).
Where ISO 27001 Falls Short of NIS2 Requirements
Many organisations with ISO 27001 certification assume they are NIS2-compliant. They are not — but they have a significant head start.
| NIS2 Requirement | ISO 27001 Coverage | Gap |
|---|---|---|
| Risk analysis and security policies | ✅ Covered | None |
| 24-hour incident reporting capability | ⚠️ Partial | Operational speed and CSIRT notification procedures |
| Business continuity | ✅ Covered | Verify tested |
| Continuous supply chain monitoring | ⚠️ Partial | Annual assessments ≠ continuous monitoring |
| Effectiveness assessment | ⚠️ Partial | On-demand evidence capability typically absent |
| Secure emergency communications | ❌ Not covered | No ISO 27001 control addresses this |
| Management formal approval + training records | ⚠️ Partial | Article 20 liability documentation often missing |
| BSI/CSIRT registration | ❌ Not covered | Regulatory requirement outside ISMS scope |
The conclusion: ISO 27001 covers documentation. NIS2 requires operational execution. The critical gaps lie in incident response speed, continuous supply chain monitoring, and evidence management — not in policy documentation.
For a full analysis, see ISO 27001 Is Not NIS2 Compliance.
Implementation Priorities
If you're starting from scratch or assessing your readiness, focus effort on the operational gaps first:
| Priority | Requirement | Why It's Critical |
|---|---|---|
| 🔴 High | 24-hour incident reporting | Hard deadline; failure creates regulatory exposure immediately |
| 🔴 High | Supply chain continuous monitoring | Most organisations rely on annual questionnaires — NIS2 expects more |
| 🔴 High | On-demand evidence management | Authorities can request proof at any time, not just at audit |
| 🟡 Medium | Secure emergency communications | Often absent; required under Article 21(j) |
| 🟡 Medium | Management training documentation | Required for Article 20 liability protection |
| 🟢 Lower | Risk analysis, BCM, cryptography | Typically covered by existing ISMS |
Use our NIS2 Compliance Checklist to map your existing controls against each of the ten measures and identify gaps precisely.
How Orbiq Addresses NIS2 Requirements
Orbiq is designed for European compliance from the ground up, addressing the operational requirements that matter most:
- Continuous Monitoring: Automated evidence collection and real-time compliance dashboards across all ten Article 21 measures — so you're always audit-ready, not just annually
- Vendor Assurance: Centralised supplier assessments with continuous monitoring of third-party security posture, satisfying the supply chain requirements of Article 21(d)
- Trust Center: A public-facing portal that demonstrates your compliance posture to customers, regulators, and auditors without consuming internal resources
- Evidence Management: Automatically collect and organise compliance evidence into an auditable trail that can be produced on demand
Unlike US-centric compliance platforms that treat EU regulations as add-ons, Orbiq is built for NIS2, GDPR, and DORA from day one — with EU data residency and European-first architecture.
Related NIS2 Articles
- What Is NIS2? Complete Guide to the EU NIS2 Directive
- NIS2 Compliance: How to Achieve and Maintain Compliance in 2026
- NIS2 Compliance Checklist: Complete Article 21 Requirements
- NIS2 Incident Reporting: The 24-Hour Deadline
- NIS2 Supply Chain Security
- Vendor Assurance Under NIS2
- ISO 27001 Is Not NIS2 Compliance
- NIS2 Audit Readiness: Continuous Evidence
- NIS2 Third-Party Risk Documentation
Sources & References
- NIS2 Directive (EU) 2022/2555 — Official Text — Official EU Commission page for the NIS2 Directive
- NIS 2 Directive, Article 21: Cybersecurity risk-management measures — Detailed Article 21 analysis
- Flipping the NIS2 Switch: Germany's Implementation (Morrison Foerster) — Germany BSI Act amendment December 2025
- NIS 2 Directive Transposed in Germany (DLA Piper) — Germany registration deadline April 2026
- NIS2 and 2026 Deadlines (Distline) — Italy 2026 deadlines; audit deadline moved to June 30, 2026
- NIS2 Directive Transposition Tracker (ECSO) — Current transposition status by Member State
- NIS2 Fines & Consequences — Penalty framework and enforcement powers
This guide is maintained by the Orbiq team. Last updated: March 2026.