How to Find the NIS2 Full Text on EUR-Lex (And the 5 Articles That Actually Matter)

Last verified: April 2026. NIS2 Directive (EU) 2022/2555 has been enforceable since 18 October 2024. All EUR-Lex links verified.

If you’ve spent time researching NIS2, you’ve read summaries — your compliance team’s briefing, a vendor’s whitepaper, a law firm’s explainer. Those documents interpret the directive. Sometimes accurately. Sometimes with outdated deadlines or oversimplified scope rules.

When you need to know exactly what the directive says — when a supplier asks you to certify a specific claim, when a regulator questions your interpretation, or when you’re building a gap analysis against the actual legal text — there’s no substitute for the original.

The NIS2 Directive (Directive (EU) 2022/2555) is publicly available on EUR-Lex, the EU’s official legal database. It’s free, searchable, and easier to navigate than most people expect. Here’s exactly where to find it and where to focus your reading.

The Official EUR-Lex Links

EUR-Lex hosts the directive at three useful addresses. Each serves a different purpose.

1. The Primary HTML Version (Bookmark This One)

eur-lex.europa.eu/eli/dir/2022/2555/oj/eng

This is the version published in the Official Journal of the European Union on 27 December 2022 (OJ L 333, pages 80–152). It’s the authoritative legal text — what lawyers, regulators, and courts cite. The URL uses the ELI (European Legislation Identifier) system: a stable, permanent reference that will not change.

2. The Consolidated HTML Version

eur-lex.europa.eu/eli/dir/2022/2555/2022-12-27/eng

As of April 2026, this points to the same text as the Official Journal version, since no formal amendments have been incorporated into NIS2. But the consolidated URL is worth bookmarking: if NIS2 is amended, this address will always show the current version with all changes integrated — while the OJ URL stays frozen at the original 2022 text. For long-term compliance reference, use this URL.

3. The Direct PDF Download

eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022L2555

This downloads the PDF directly. The CELEX number in the URL (32022L2555) is EUR-Lex’s internal identifier: 3 = EU legislative document, 2022 = year, L = Directive, 2555 = sequential number. Knowing this is useful when searching EUR-Lex directly or citing the document in formal correspondence.

All three are free. No login or registration required.

HTML or PDF: Which Format to Use

For working with the directive text, the HTML version has clear practical advantages:

  • Browser search (Ctrl+F) scans the entire directive instantly — find every reference to “supply chain” or “management body” without scrolling through 73 pages
  • Expandable navigation panel on EUR-Lex lets you jump directly to individual articles and chapters, bypassing the 82 preamble recitals
  • Inline cross-references hyperlink within the text — when Article 21 references Article 6, it links there
  • No page-break interruptions — legal text flows continuously without sentences splitting across printed pages

[Figure: NIS2 directive EUR-Lex source comparison matrix showing Primary HTML, Consolidated HTML, and Direct PDF formats. Caption: Use the Consolidated HTML version for daily compliance work: inline cross-references, browser search, and auto-updates for future amendments.]

Use the PDF when you need an offline copy, need to print for annotation, or need to share the directive as a self-contained file with legal colleagues who reference specific page numbers.

For day-to-day compliance work: HTML. For legal reference files: PDF.

The Structure: 9 Chapters, 46 Articles

Before opening the directive, one important orientation: the document opens with 82 recitals (the preamble), followed by the 46 operative articles. The recitals explain the policy rationale and help interpret ambiguous provisions — they carry interpretive weight but are not themselves legal obligations. The articles are what your organisation must comply with.

[Figure: NIS2 directive structure diagram mapping 46 articles across 9 chapters with compliance-critical Chapter IV and VII highlighted. Caption: Chapters IV and VII contain 90% of your compliance obligations — the other 7 chapters provide context, not requirements.]

Here’s the full chapter breakdown:

| Chapter | Articles | What It Covers |
|---|---|---|
| I — General Provisions | 1–6 | Subject matter, scope, definitions, relationship with other EU law |
| II — Coordinated Cybersecurity Frameworks | 7–13 | National cybersecurity strategies, CSIRTs, competent authorities |
| III — Cooperation at Union and International Level | 14–19 | Cooperation Group, EU-CyCLONe network, peer reviews |
| IV — Cybersecurity Risk-Management Measures and Reporting | 20–25 | Management body obligations, the 10 security measures, incident reporting deadlines |
| V — Jurisdiction and Registration | 26–28 | Which Member State supervises your organisation |
| VI — Information Sharing | 29–30 | Voluntary and mandatory threat information sharing |
| VII — Supervision and Enforcement | 31–37 | Audit powers, supervisory measures, fines |
| VIII — Delegated and Implementing Acts | 38–39 | Commission powers to issue further rules |
| IX — Final Provisions | 40–46 | Relationship with DORA and CER Directive, repeal of NIS1, transposition timeline |

Two annexes follow the articles: Annex I lists the 11 essential entity sectors; Annex II lists the 7 important entity sectors.

If you’re working on compliance, Chapter IV (Articles 20–25) and Chapter VII (Articles 31–37) contain the obligations and consequences that drive 90% of compliance programme decisions.

The 5 Articles That Actually Matter

You don’t need to read all 46 articles to get your compliance programme moving. Five articles carry most of the operational weight.

[Figure: NIS2 Article 21 mandatory baseline security measures grid covering all 10 required controls for in-scope entities. Caption: Article 21 ends discretionary compliance: every in-scope entity must implement all 10 controls, not a selection based on risk appetite.]

Article 2 — Scope

Start here if you’re still determining whether NIS2 applies to your organisation. Article 2 defines the applicability criteria: sector coverage (Annexes I and II), size thresholds (50+ employees or €10M+ annual turnover), and the size-independent categories that fall under NIS2 regardless of headcount — trust service providers, DNS providers, TLD registries, and telecoms networks. Read the article text rather than a summary; the exceptions are where most scope disputes arise. Our NIS2 scope guide walks through the decision logic in plain language, but Article 2 is the authoritative source for legal certainty.

Article 21 — Cybersecurity Risk-Management Measures

This is the core compliance article. Article 21 specifies the 10 categories of security measures every essential and important entity must implement: risk analysis, incident handling, business continuity, supply chain security, access control, cryptography, HR security, and more. The full technical detail for digital entity types is in Commission Implementing Regulation (EU) 2024/2690, which supplements Article 21 with specific controls. Our Article 21 requirements breakdown maps each measure to its practical implementation steps.

Article 23 — Reporting Obligations

The 24-hour, 72-hour, and 1-month incident reporting timeline lives in Article 23. It defines what makes an incident “significant” (severe operational disruption or financial loss; considerable material or non-material damage to others), specifies what each notification stage must include, and sets out the rules for ongoing incidents. The incident reporting guide provides the operational workflow — but Article 23 is what regulators will check against in an enforcement scenario.

Article 20 — Governance of Cybersecurity Risk

Article 20 is what makes NIS2 fundamentally different from previous EU cybersecurity legislation. It places direct legal obligations on the management body — boards of directors, executive committees, and equivalent governing bodies. They must approve cybersecurity measures, oversee their implementation, and complete cybersecurity training. Management body members can be held personally liable for infringements of Article 21. If you’re making the compliance case to your board, this article is the brief.

Articles 32 and 33 — Supervisory Measures

Article 32 covers supervision of essential entities (proactive, ex-ante: audits and inspections before an incident occurs); Article 33 covers important entities (reactive, ex-post: supervision triggered by evidence of non-compliance). Both specify the audit and inspection powers regulators hold and the penalty maximums: €10M or 2% of global annual turnover for essential entities; €7M or 1.4% for important entities. See our NIS2 penalties guide for the full enforcement context.

Two More Documents Worth Reading

The directive text is the legal foundation. Two additional documents provide the implementation layer that translates those obligations into specific controls.

[Figure: NIS2 national transposition nuances diagram showing EU Blueprint versus member state local additions with Portugal case study. Caption: EUR-Lex gives you the EU floor — your national transposition law, not the directive, is the document your regulator enforces.]

Commission Implementing Regulation (EU) 2024/2690

Published on 17 October 2024 — the same day NIS2 became enforceable — this Regulation provides detailed technical and methodological requirements for DNS service providers, TLD registries, cloud computing services, data centres, CDN providers, managed service providers, and several other digital entity categories. Unlike NIS2, which required national transposition, the CIR is a Regulation and applies directly in all EU Member States without further implementation. If your organisation falls into one of these categories, the CIR’s annex is your compliance specification. Full text at EUR-Lex. Our implementing regulation guide explains the structure in detail.

ENISA Technical Implementation Guidance (June 2025)

The EU Agency for Cybersecurity published its Technical Implementation Guidance in June 2025, mapping the CIR requirements to practical security controls and ISO 27001 equivalents. It’s not legally binding, but it’s the closest thing to an official how-to manual for the technical measures — and the document supervisory authorities are likely to reference when assessing whether an organisation’s implementation is “appropriate and proportionate.” Available free at enisa.europa.eu.

Frequently Asked Questions

Is the EUR-Lex text free to access?

Yes. EUR-Lex is the EU’s public legal database. No account, subscription, or payment is required for any document, including the full NIS2 directive text and all related implementing regulations.

Can I read NIS2 in languages other than English?

Yes. The directive is available in all 24 official EU languages on EUR-Lex. Use the language selector on the document page. All language versions are equally authentic under EU law — the choice of language does not affect your legal obligations.

Is the EUR-Lex version what member states actually enforce?

The directive sets the minimum requirements that each member state must implement in national law. National transposition legislation — such as Germany’s NIS2 Implementation Act (NIS2UmsuCG) or France’s national cybersecurity law — may add sector-specific requirements or adjust procedural details. The EUR-Lex text is the EU baseline. Check your national transposition for the precise rules applicable in your jurisdiction.

Are there annotated versions of NIS2?

Not from an official EU source. Several compliance platforms provide versions with practical commentary alongside the legal text. These can be useful for implementation context but are not legally authoritative — always verify interpretations against the EUR-Lex source text.

Putting It Into Practice

The NIS2 directive text is free, accessible, and less daunting than its reputation once you know the entry points. Bookmark the HTML version for working use, keep the PDF for legal reference files, and focus your initial reading on Chapter IV (Articles 20–25) and Chapter VII (Articles 31–37).

[Figure: NIS2 compliance engine schematic showing Articles 2, 20, 21, 23, and 32/33 as an interconnected regulatory system. Caption: The five key articles form one system: scope feeds classification, classification drives measures, measures enable reporting, all under supervision.]

Five articles do most of the compliance work: Article 2 (scope), Article 20 (management accountability), Article 21 (the 10 security measures), Article 23 (incident reporting), and Articles 32/33 (supervision and penalties). Everything else in the directive builds around these five.

For compliance teams building out their programme, the NIS2 compliance checklist provides a structured map across all 10 Article 21 measures — a practical starting point for translating the directive text into an action plan. Our complete NIS2 directive guide expands on each section with implementation context, worked examples, and role-specific guidance.

This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.
