
What Is NIS2? The EU Cybersecurity Directive Explained
A clear explanation of NIS2 — what it is, why it matters, who it applies to, and what it requires. Understand the EU's most important cybersecurity regulation in plain language.
NIS2 is the European Union's updated cybersecurity directive. Officially titled Directive (EU) 2022/2555, it establishes mandatory cybersecurity requirements for organisations operating across critical sectors in the EU.
If you've been hearing about NIS2 and wondering what it means for your organisation, this guide explains everything in plain language.
NIS2 in One Sentence
NIS2 requires organisations in critical sectors to implement robust cybersecurity measures, report security incidents within strict deadlines, and manage supply chain security — with real penalties for non-compliance.
Why NIS2 Exists
The original NIS Directive (2016) was the EU's first attempt at sector-wide cybersecurity legislation. It had problems:
- Inconsistent implementation: Each Member State interpreted it differently
- Too narrow: Only covered 7 sectors, leaving major gaps
- Weak enforcement: No minimum penalty thresholds, leading to inconsistent consequences
- No supply chain focus: Didn't address the growing risk from third-party vendors
The cyber threat landscape has changed dramatically since 2016. Ransomware attacks, supply chain compromises, and state-sponsored threats have made the original directive insufficient. NIS2 is the EU's response.
What NIS2 Changed From the Original NIS Directive
| Area | Original NIS (2016) | NIS2 (2022) |
|---|---|---|
| Sectors | 7 sectors | 18 sectors |
| Entity types | OES + DSPs | Essential + Important entities |
| Size threshold | Member State discretion | Harmonised: 50+ employees or €10M+ |
| Incident reporting | Without undue delay | 24-hour early warning, 72-hour notification |
| Supply chain | Not specifically addressed | Explicit requirements in Article 21 |
| Management liability | Not addressed | Personal liability for management bodies |
| Penalties | Member State discretion | Minimum thresholds: €10M/2% or €7M/1.4% |
| Supervision | Varied | Proactive (essential) and reactive (important) |
Who Does NIS2 Apply To?
NIS2 applies to organisations that meet both of the following criteria:
- Operate in one of 18 designated sectors (energy, transport, banking, health, water, digital infrastructure, etc.)
- Meet size thresholds: 50+ employees or €10M+ annual turnover
Essential Entities
The most critical sectors: energy, transport, banking, health, water, wastewater, digital infrastructure, ICT service management, public administration, and space. Essential entities are subject to proactive supervision.
Important Entities
Additional sectors: postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Important entities are subject to reactive (incident-triggered) supervision.
Some entities are in scope regardless of size, including qualified trust service providers, TLD registries, and DNS providers.
What Does NIS2 Require?
NIS2 has three pillars of requirements:
1. Risk Management Measures (Article 21)
Organisations must implement ten specific cybersecurity measures covering risk analysis, incident handling, business continuity, supply chain security, network security, effectiveness assessment, training, cryptography, access control, and multi-factor authentication.
The key word in Article 21 is operational. Having policies is not enough. Your measures must work in practice and you must be able to prove it.
2. Incident Reporting (Article 23)
When a significant incident occurs:
- Within 24 hours: Submit an early warning to your national CSIRT
- Within 72 hours: Submit a full incident notification
- Within 1 month: Submit a final report with root cause analysis
3. Governance and Accountability (Article 20)
Management bodies must:
- Approve cybersecurity risk management measures
- Oversee their implementation
- Complete cybersecurity training
- Bear personal liability for failures
NIS2 Penalties
The penalty framework is designed to ensure compliance is taken seriously:
- Essential entities: Up to €10 million or 2% of global turnover
- Important entities: Up to €7 million or 1.4% of global turnover
- Management: Personal liability, potential temporary bans
These figures are minimum maximums: each Member State must allow fines at least this high, and can set even higher penalties in its national implementation.
NIS2 Timeline
| Date | What Happened |
|---|---|
| 16 Jan 2023 | NIS2 entered into force |
| 17 Oct 2024 | Deadline for national transposition |
| 17 Apr 2025 | Deadline for entity lists |
| Ongoing | National implementations continuing |
How to Prepare for NIS2
- Check if you're in scope — Review the sectors and size thresholds
- Assess your gaps — Map your current measures against the ten Article 21 requirements
- Focus on the operational gaps — Incident reporting, supply chain monitoring, and evidence management are where most organisations fall short
- Build continuous compliance — Use tools that maintain compliance as an ongoing operation, not a periodic project
Next Steps
- Read our complete NIS2 compliance guide for detailed implementation guidance
- Review the NIS2 compliance checklist to assess your readiness
- Learn why ISO 27001 alone isn't NIS2 compliance
- Discover how Orbiq helps with NIS2 compliance
Updated March 2026. This guide is maintained as national implementations progress.