What Is the NIS2 Directive? A Complete Guide for 2026
Last verified: March 2026. NIS2 (Directive 2022/2555) is enforceable since 18 October 2024. On 20 January 2026, the European Commission proposed targeted amendments — this guide reflects both the current law and the proposed changes.
If you’re a compliance officer, CISO, or business leader at a European organisation, you’ve almost certainly heard about NIS2 by now. But cutting through the legal jargon to understand what it actually means for your organisation — that’s the hard part.
This guide breaks down the NIS2 Directive from start to finish: what it is, whether it applies to you, what it requires, and what happens if you don’t comply. No legal fluff — just the practical information you need to move from “I’ve heard of NIS2” to “I know exactly what we need to do.”
Quick Start: NIS2 Compliance in 6 Steps
- Determine if NIS2 applies to you — check your sector (Annex I or II) and size (50+ employees or €10M+ turnover).
- Classify your entity — essential or important — as this determines your penalty exposure and supervisory regime.
- Conduct a gap analysis against the 10 Article 21 cybersecurity measures.
- Implement risk management measures covering all 10 areas, using the NIS2 compliance templates to document policies and procedures.
- Establish incident reporting procedures to meet the 24-hour, 72-hour, and 1-month deadlines.
- Get board sign-off — Article 20 requires your management body to formally approve cybersecurity measures and undergo training.
Who should read what: If you’re a CISO or IT security manager, focus on Sections 3–4 (requirements and incident reporting). If you’re a compliance officer, start with Section 2 (scope) and Section 5 (penalties). If you’re board-level or C-suite, read Sections 1, 5, and 8 for the strategic picture and your personal liability exposure.
Free Download: Get the NIS2 Article 21 Compliance Checklist
90+ assessment items mapped to CIR 2024/2690 — instant PDF, no payment.
1. What Is the NIS2 Directive?
The NIS2 Directive — officially Directive (EU) 2022/2555 — is the European Union’s updated legal framework for cybersecurity. Adopted on 14 December 2022 and enforceable since 18 October 2024, it replaces the original NIS Directive (2016/1148) that had been in place since 2016 [1].
The full name tells you what it does: it establishes “measures for a high common level of cybersecurity across the Union.” In practice, NIS2 creates a unified set of rules requiring organisations in critical sectors to manage cybersecurity risks, report incidents, and face real consequences if they don’t.
Why Was NIS2 Needed?
The original NIS Directive was a landmark piece of legislation — the first EU-wide cybersecurity law. But it had significant weaknesses that became apparent over its years of implementation:
- Inconsistent implementation. Member States interpreted NIS1 differently, creating a patchwork of cybersecurity requirements across the EU. An organisation operating in multiple countries faced different rules in each one.
- Too narrow in scope. NIS1 covered only a handful of sectors. Large swathes of the digital economy — cloud providers, data centres, managed service providers, public administration — fell outside its reach entirely.
- Weak enforcement. Penalties under NIS1 were vague and varied wildly between countries. Some Member States imposed negligible fines, undermining the directive’s deterrent effect.
- Growing threat landscape. Cyberattacks increased dramatically in scale and sophistication between 2016 and 2022. The SolarWinds supply chain attack, the Colonial Pipeline ransomware incident, and state-sponsored campaigns targeting healthcare during COVID-19 all demonstrated that NIS1 was inadequate for the current threat environment.
NIS2 addresses all of these issues by widening the scope of covered sectors roughly tenfold, harmonising requirements and penalties across all Member States, and introducing direct management accountability for cybersecurity — something NIS1 never had [3].
2. Who Does NIS2 Apply To?
NIS2 applies to organisations that meet two criteria: they operate in a covered sector, and they exceed a minimum size threshold. The directive divides in-scope organisations into two categories — essential entities and important entities — each with different supervisory regimes and penalty levels [2].
Size Thresholds
As a general rule, NIS2 applies to:
- Medium-sized organisations: 50 or more employees, or annual turnover/balance sheet exceeding €10 million
- Large organisations: 250 or more employees, or annual turnover exceeding €50 million
Organisations below these thresholds are generally exempt — but there are important exceptions. Certain entity types fall under NIS2 regardless of size, including trust service providers, DNS service providers, TLD name registries, and providers of public electronic communications networks [12].
If your organisation is part of a larger corporate group, the group’s consolidated figures may apply — not just the local subsidiary’s headcount and turnover.
Essential vs. Important Entities
| Aspect | Essential Entities (Annex I) | Important Entities (Annex II) |
|---|---|---|
| Sectors | Energy (electricity, oil, gas, hydrogen, district heating), Transport (air, rail, water, road), Banking & financial market infrastructure, Healthcare, Drinking water, Wastewater, Digital infrastructure, ICT service management (B2B), Public administration, Space | Postal & courier services, Waste management, Chemicals, Food production & processing, Manufacturing (medical devices, electronics, machinery, motor vehicles), Digital providers (marketplaces, search engines, social networks), Research organisations |
| Supervision | Proactive (ex-ante): audits, inspections, and checks before an incident occurs | Reactive (ex-post): supervision triggered by evidence of non-compliance or an incident |
| Maximum fines | €10 million or 2% of global annual turnover (whichever is higher) | €7 million or 1.4% of global annual turnover (whichever is higher) |
| Typical size | Large enterprises (250+ employees) in Annex I sectors — though medium-sized entities in some sectors also qualify | Medium enterprises (50–249 employees) in Annex I or II sectors, and large entities in Annex II sectors |
Does This Apply to Me? A Quick Decision Tree
- Is your organisation in an Annex I or Annex II sector? If no — NIS2 does not apply directly (but you may still be affected as a supply chain partner).
- Does your organisation have 50+ employees or €10M+ turnover? If no — you are generally exempt, unless you’re a size-independent entity type (trust services, DNS, TLD registries, telecoms).
- Are you in an Annex I sector with 250+ employees? You’re likely an essential entity.
- Are you a medium-sized entity in an Annex I sector, or any qualifying entity in an Annex II sector? You’re likely an important entity.
Note: Some Member States may designate additional entities as essential or important based on national criteria. Check your national transposition law for specifics.
3. What Does NIS2 Require? The 10 Article 21 Measures
Article 21 of NIS2 sets out 10 cybersecurity risk-management measures that all essential and important entities must implement. These aren’t optional checkboxes — they’re the legal minimum. The measures must be “appropriate and proportionate,” taking into account your organisation’s size, risk exposure, and the potential societal impact of an incident [6].
The table below maps each Article 21 measure to the corresponding chapter in Commission Implementing Regulation (EU) 2024/2690, which provides the detailed technical requirements. ENISA’s Technical Implementation Guidance (published June 2025) then translates those requirements into practical controls, evidence examples, and mappings to ISO 27001 [5].
| Art. 21 Measure | What It Covers | CIR 2024/2690 Annex |
|---|---|---|
| (a) Risk analysis & information security policies | Establish and maintain policies for assessing risks and defining security controls | Ch. 1 (NIS Policy) + Ch. 2 (Risk Management) |
| (b) Incident handling | Prevention, detection, analysis, containment, response, and recovery procedures | Ch. 3 (Incident Management) |
| (c) Business continuity & crisis management | Backup management, disaster recovery plans, and crisis response procedures | Ch. 4 (Business Continuity & Crisis Mgmt) |
| (d) Supply chain security | Security requirements for direct suppliers and service providers, including secure development practices | Ch. 5 (Supply Chain Security) |
| (e) Security in acquisition, development & maintenance | Vulnerability handling and disclosure across the system lifecycle | Ch. 6 (Security Testing) + Ch. 7 (Patch Mgmt) |
| (f) Effectiveness assessment | Policies and procedures to test and evaluate the effectiveness of your cybersecurity measures | Ch. 6 (Security Testing) |
| (g) Cyber hygiene & training | Basic cybersecurity practices for all staff and dedicated security awareness training | Ch. 11 (Cyber Hygiene & Training) |
| (h) Cryptography & encryption | Policies on when and how to use cryptographic controls and encryption | Ch. 9 (Cryptography) |
| (i) HR security, access control & asset management | Personnel vetting, role-based access controls, and a complete asset inventory | Ch. 12 (Access Control) + Ch. 13 (HR Security) + Ch. 14 (Asset Mgmt) |
| (j) Multi-factor authentication & secure communications | MFA or continuous authentication, secured voice/video/text, and emergency communication systems | Ch. 9 (Network Security) + Ch. 12 (Access Control) |
This mapping is one of the most practical tools available for compliance teams. Rather than reading the full CIR (which runs to dozens of pages), use this table as your starting point: identify which Article 21 measures you haven’t addressed, then go directly to the corresponding CIR chapter for the detailed technical requirements [9].
Practical tip for CISOs: If your organisation already holds ISO 27001 certification, you’ve covered significant ground. The OpenKRITIS mapping table shows the overlap between NIS2, CIR 2024/2690, and ISO 27001 controls — use it to identify what’s already in place and what gaps remain.
4. Incident Reporting: The 24–72–30 Timeline
Article 23 of NIS2 introduces one of the directive’s most operationally demanding requirements: a strict, multi-stage incident reporting timeline. Miss a deadline and you face enforcement action — even if the underlying incident was handled well [8].
What Counts as a “Significant Incident”?
Not every cybersecurity event triggers the reporting obligation. An incident is “significant” under Article 23 if it:
- Has caused or is capable of causing severe operational disruption of your services, or financial loss to your organisation
- Has affected or is capable of affecting other persons by causing considerable material or non-material damage
The Commission Implementing Regulation 2024/2690 provides further technical criteria for what constitutes “significant” for the digital infrastructure entities it covers [4].
The Three-Stage Reporting Process
| Stage | Deadline | What to Include |
|---|---|---|
| 1. Early Warning | Within 24 hours of becoming aware | Brief notification: is this suspected malicious activity? Could it have cross-border impact? |
| 2. Incident Notification | Within 72 hours of becoming aware | Updated assessment: severity, impact, indicators of compromise (IoCs) |
| 3. Final Report | Within 1 month of the incident notification | Full description: root cause, threat type, mitigation measures taken, cross-border impact |
If an incident is still ongoing when the 1-month deadline arrives, you must submit a progress report instead and then deliver the final report within 1 month of resolution.
Entities must also notify affected service recipients of significant threats and advise them of any protective measures they can take.
What this means in practice: The 24-hour early warning is deliberately a low bar — you don’t need full details, just a heads-up that something significant may have happened. The point is speed, not completeness. But “without undue delay” means your incident response team needs to be able to detect, triage, and escalate within hours, not days. If your current mean time to detect (MTTD) is measured in weeks, this is your most urgent compliance gap.
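The three-stage timeline above, tracked in code as an added example (this is not tooling from the guide or from any regulator). It assumes the clocks start at the moment of awareness, implements “1 month” as calendar-month arithmetic, and handles the ongoing-incident case: a progress report at the 1-month mark and the final report 1 month after resolution. The sample incident is constructed.

```python
"""NIS2 Article 23 reporting-deadline tracker (added example, not from the guide).

Constructed assumptions: deadlines run from the moment of awareness; "1 month" is
calendar-month arithmetic; a progress report is due at the 1-month mark when the
incident is still ongoing, and the final report then falls 1 month after resolution.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


def add_months(dt: datetime, months: int) -> datetime:
    """Calendar-month addition that clamps the day (31 Jan + 1 month -> 28/29 Feb)."""
    total = dt.month - 1 + months
    year, month = dt.year + total // 12, total % 12 + 1
    next_first = datetime(year + month // 12, month % 12 + 1, 1, tzinfo=dt.tzinfo)
    last_day = (next_first - timedelta(days=1)).day
    return dt.replace(year=year, month=month, day=min(dt.day, last_day))


@dataclass
class Incident:
    aware_at: datetime                        # moment the entity became aware
    notified_at: Optional[datetime] = None    # when the 72h notification was actually sent
    resolved_at: Optional[datetime] = None    # None while the incident is still ongoing


def reporting_schedule(inc: Incident) -> dict:
    """Return the Article 23 deadlines for this incident.

    'progress_report' is None when the incident is resolved before the 1-month mark;
    'final_report' is None while an ongoing incident has no resolution date yet.
    """
    early_warning = inc.aware_at + timedelta(hours=24)
    notification = inc.aware_at + timedelta(hours=72)
    # The 1-month clock runs from the notification; if it has not been sent yet,
    # plan from its deadline so the schedule is never later than the law allows.
    one_month_mark = add_months(inc.notified_at or notification, 1)
    resolved_in_time = inc.resolved_at is not None and inc.resolved_at <= one_month_mark
    if resolved_in_time:
        progress, final = None, one_month_mark
    else:
        progress = one_month_mark
        final = add_months(inc.resolved_at, 1) if inc.resolved_at else None
    return {"early_warning": early_warning, "incident_notification": notification,
            "progress_report": progress, "final_report": final}


def overdue_stages(inc: Incident, sent: dict, now: datetime) -> list:
    """Names of stages whose deadline has passed without a report being sent.

    `sent` maps stage name -> datetime the report went out (constructed bookkeeping).
    """
    return [stage for stage, due in reporting_schedule(inc).items()
            if due is not None and now > due and stage not in sent]


def sample_incident() -> Incident:
    """Constructed sample: SOC confirms a ransomware outbreak at 09:00 UTC on
    31 Jan 2026, sends the 72h notification 60 hours later, incident still ongoing."""
    aware = datetime(2026, 1, 31, 9, 0, tzinfo=timezone.utc)
    return Incident(aware_at=aware, notified_at=aware + timedelta(hours=60))


if __name__ == "__main__":
    inc = sample_incident()
    for stage, due in reporting_schedule(inc).items():
        print(f"{stage:22s} {due.isoformat() if due else 'n/a (incident ongoing)'}")
    sent = {"early_warning": inc.aware_at + timedelta(hours=5),
            "incident_notification": inc.notified_at}
    print("overdue at day 60:", overdue_stages(inc, sent, add_months(inc.aware_at, 2)))
```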
5. Penalties and Enforcement
NIS2 introduces the kind of penalty regime that gets board attention — and that’s by design. One of NIS1’s biggest failures was that penalties varied so widely between Member States that non-compliance was often cheaper than compliance. NIS2 fixes this with harmonised minimum penalty levels across the EU.
Financial Penalties
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10,000,000 or 2% of total worldwide annual turnover, whichever is higher |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher |
These are the minimum maximums — Member States can set higher ceilings in their national transposition laws [1].
Management Liability Under Article 20
This is what makes NIS2 fundamentally different from NIS1 for senior leaders. Article 20 requires that management bodies — boards of directors, executive committees, and equivalent governing bodies — must:
- Approve the cybersecurity risk-management measures taken under Article 21
- Oversee their implementation on an ongoing basis
- Undergo training to gain sufficient knowledge and skills to identify cybersecurity risks and assess risk-management practices
Critically, management body members can be held personally liable for infringements of Article 21. This isn’t theoretical — it means that if your organisation suffers a breach because adequate cybersecurity measures weren’t in place, the question won’t just be “what went wrong?” but “who approved (or failed to approve) the security programme?” [7] [13]
Some Member States have gone further in their transposition. Germany’s implementation, for example, introduces the possibility of temporary bans from management positions for non-compliance.
For board members and C-suite: NIS2 makes cybersecurity a fiduciary duty, not an IT department problem. Budget allocation, risk acceptance decisions, and training attendance are all now matters of personal legal exposure. The days of delegating cybersecurity entirely to the CISO without board engagement are over.
6. Key Timeline
| Date | Event |
|---|---|
| 16 January 2023 | NIS2 Directive enters into force (20 days after publication in Official Journal) |
| 17 October 2024 | Transposition deadline — Member States must incorporate NIS2 into national law |
| 18 October 2024 | NIS1 formally repealed; NIS2 rules enforceable; CIR 2024/2690 published |
| 17 April 2025 | Member States must identify essential and important entities (first list) |
| June 2025 | ENISA publishes Technical Implementation Guidance for CIR 2024/2690 |
| 20 January 2026 | European Commission proposes targeted amendments to NIS2 (scope refinement, new entity categories) |
| Throughout 2026 | National implementation ongoing — several Member States still transposing or finalising registration portals |
| 17 October 2027 | First scheduled Commission review of the Directive’s functioning |
Where do things stand now? As of early 2026, the European Commission has sent reasoned opinions (the step before court referral) to 19 Member States for failing to fully transpose NIS2 by the deadline. Countries including Belgium, Italy, Croatia, and Lithuania were among the first to complete transposition, while others — including Germany, France, and the Netherlands — enacted their laws later in 2025 or early 2026 [10].
On 20 January 2026, the Commission proposed targeted amendments to NIS2. These would add new in-scope entities (European Digital Identity Wallet providers, submarine cable operators), introduce a “small mid-cap” category, and aim to further harmonise cross-border supervision. If adopted, these changes are expected to take effect in 2027 or 2028 [11].
7. NIS2 vs. NIS1: What Changed?
NIS2 isn’t a minor update — it’s a comprehensive replacement. Here’s what changed and why it matters:
| Aspect | NIS1 (Directive 2016/1148) | NIS2 (Directive 2022/2555) |
|---|---|---|
| Scope | ~7 sectors, entities identified individually by Member States | 18 sectors, automatic inclusion based on sector + size threshold — roughly 10x more entities |
| Requirements | General obligation to adopt “appropriate” security measures — loosely defined | 10 specific measures in Article 21, with technical detail in CIR 2024/2690 (150+ controls) |
| Incident reporting | “Without undue delay” — no fixed timeline in the directive itself | Strict 24h/72h/1-month three-stage process with specific content requirements |
| Penalties | Set by each Member State — ranged from negligible to moderate | Harmonised minimums: €10M/2% for essential, €7M/1.4% for important |
| Supply chain | Not specifically addressed | Article 21(d) makes supply chain security a core obligation; entities must assess supplier practices |
| Management accountability | No specific provision | Article 20: boards must approve measures, undergo training, and face personal liability |
| Supervision | Mostly reactive | Essential entities: proactive ex-ante supervision; important entities: reactive ex-post |
| Harmonisation | Wide discretion for Member States led to fragmented implementation | Significantly reduced discretion; harmonised entity classification, measures, and penalties |
The shift in management accountability alone makes NIS2 a different category of regulation. Under NIS1, cybersecurity was an operational concern. Under NIS2, it’s a governance obligation with personal consequences for the people at the top [3].
8. How to Achieve NIS2 Compliance: A 6-Step Roadmap
Compliance isn’t a single project — it’s an ongoing programme. But you need a starting point. Here’s a practical roadmap built around the directive’s actual requirements:
Step 1: Determine Your Scope and Classification
Before doing anything else, establish whether NIS2 applies to your organisation and whether you’re essential or important. Use the NIS2 scope assessment guide and check your national transposition law, as some Member States have added sectors or adjusted thresholds.
Effort level: Low | Owner: Compliance / Legal
Step 2: Conduct a Gap Analysis Against Article 21
Map your current cybersecurity posture against each of the 10 Article 21 measures. Use the NIS2 compliance checklist to systematically identify where you meet requirements and where gaps exist. If you hold ISO 27001, start with the NIS2-to-ISO mapping to identify overlap.
Effort level: Medium | Owner: CISO / IT Security
Step 3: Build Your Policy and Documentation Framework
NIS2 compliance is evidence-based — you need documented policies, procedures, and records. The NIS2 compliance templates provide ready-to-use frameworks for each Article 21 measure, from risk analysis policies to incident response plans.
Effort level: Medium to High | Owner: CISO + Compliance
Step 4: Implement Technical Controls
Close the gaps identified in Step 2. This is where the CIR 2024/2690 Annex becomes your detailed requirements document — each chapter specifies the technical and methodological measures you need. Prioritise based on risk: supply chain security and incident handling tend to be the biggest gaps for organisations new to NIS2.
Effort level: High | Owner: CISO / IT Operations
Step 5: Establish Incident Reporting Procedures
The 24-hour early warning deadline requires a well-rehearsed process. Define escalation paths, notification templates, and communication channels to your national CSIRT. Test with tabletop exercises. Review the incident reporting guide for the detailed requirements at each stage.
Effort level: Medium | Owner: CISO + Legal
Step 6: Secure Board Approval and Ongoing Governance
Article 20 requires your management body to formally approve the cybersecurity measures and demonstrate they understand the risks. Schedule board training, establish a regular cybersecurity reporting cadence, and document management approval of your security programme.
Effort level: Low to Medium | Owner: Board / C-Suite + CISO
When NOT to Use This Roadmap as a Compliance Shortcut
This 6-step process is a starting framework, not a complete compliance programme. It won’t replace the need for qualified cybersecurity professionals to implement technical controls, legal counsel to review your obligations under national law, or ongoing monitoring and testing to maintain compliance. If your organisation has complex cross-border operations, operates in multiple Annex I sectors, or provides critical infrastructure services, engage specialist support early.
9. Frequently Asked Questions
Is NIS2 a regulation or a directive?
NIS2 is a directive (Directive (EU) 2022/2555), which means each Member State must transpose it into national law. The exact rules can vary slightly by country. However, the Commission Implementing Regulation (EU) 2024/2690 — which sets the technical requirements for certain digital entities — is a regulation and applies directly without national transposition [4].
Does NIS2 apply to SMEs?
Generally, organisations with fewer than 50 employees and under €10 million turnover are not in scope. But certain entity types — trust service providers, DNS providers, TLD registries, telecoms providers — are covered regardless of size. And if your SME is part of a larger corporate group that exceeds the thresholds, the group’s figures apply [12].
What happens if I don’t comply?
Financial penalties up to €10 million or 2% of global turnover for essential entities; €7 million or 1.4% for important entities. Plus personal liability for management body members under Article 20. Some national laws add further sanctions, including temporary management bans.
When did NIS2 come into force?
The directive entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose it. NIS1 was formally repealed on 18 October 2024. As of early 2026, most — but not all — Member States have completed transposition.
Does NIS2 apply outside the EU?
Yes, if your organisation provides covered services within the EU. Non-EU entities providing cloud computing, managed services, online marketplace services, or other in-scope services to EU customers fall under NIS2 and must designate an EU representative [1].
This article provides general information only and does not constitute legal or regulatory advice. Requirements may vary by jurisdiction and organisation type. Consult a qualified legal professional or compliance specialist for advice specific to your situation.

Sources
1. “Directive (EU) 2022/2555 — Official Text” — EUR-Lex, Full text
2. “Cybersecurity of network and information systems — NIS2 Summary” — EUR-Lex, Summary
3. “NIS2 Directive: securing network and information systems” — European Commission, Policy page
4. “Commission Implementing Regulation (EU) 2024/2690” — EUR-Lex, Full text
5. “NIS2 Technical Implementation Guidance” — ENISA, Publication page
6. “NIS 2 Directive, Article 21” — nis-2-directive.com
7. “NIS 2 Directive, Article 20” — nis-2-directive.com
8. “NIS 2 Directive, Article 23” — nis-2-directive.com
9. “NIS2 Implementing Act — NIS2/ISO 27001 Mapping” — OpenKRITIS
10. “NIS2 Directive Transposition Tracker” — ECSO, Tracker
11. “NIS2 Update: EU Moves to Harmonise Cyber Controls” — DLA Piper, Analysis
12. “NIS2 & SME guidelines” — Arthur Cox LLP, Article
13. “NIS2 directive explained: Management bodies rules” — DLA Piper, Analysis