What Is NIS2? The Complete Guide to the EU NIS2 Directive (2026)
Published Mar 7, 2026
By Emre Salmanoglu

What is NIS2? The EU NIS2 Directive (2022/2555) requires organisations in 18 critical sectors to implement cybersecurity measures, report incidents, and manage supply chain security. This guide covers the requirements, penalties, timeline, and how to comply.

NIS2
Cybersecurity
EU Regulation
Compliance

NIS2 is the European Union's updated cybersecurity directive. Officially titled Directive (EU) 2022/2555, it establishes mandatory cybersecurity requirements for organisations operating across critical sectors in the EU.

If you've been hearing about NIS2 and wondering what it means for your organisation, this guide explains everything in plain language.


NIS2 in One Sentence

NIS2 requires organisations in critical sectors to implement robust cybersecurity measures, report security incidents within strict deadlines, and manage supply chain security — with real penalties for non-compliance.


Why NIS2 Exists

The original NIS Directive (2016) was the EU's first attempt at sector-wide cybersecurity legislation. It had problems:

  • Inconsistent implementation: Each Member State interpreted it differently
  • Too narrow: Only covered 7 sectors, leaving major gaps
  • Weak enforcement: No minimum penalty thresholds, leading to inconsistent consequences
  • No supply chain focus: Didn't address the growing risk from third-party vendors

The cyber threat landscape has changed dramatically since 2016. Ransomware attacks, supply chain compromises, and state-sponsored threats have made the original directive insufficient. NIS2 is the EU's response.


What NIS2 Changed From the Original NIS Directive

Area                 | Original NIS (2016)        | NIS2 (2022)
Sectors              | 7 sectors                  | 18 sectors
Entity types         | OES + DSPs                 | Essential + Important entities
Size threshold       | Member State discretion    | Harmonised: 50+ employees or €10M+
Incident reporting   | Without undue delay        | 24-hour early warning, 72-hour notification
Supply chain         | Not specifically addressed | Explicit requirements in Article 21
Management liability | Not addressed              | Personal liability for management bodies
Penalties            | Member State discretion    | Minimum thresholds: €10M/2% or €7M/1.4%
Supervision          | Varied                     | Proactive (essential) and reactive (important)

Who Does NIS2 Apply To?

NIS2 applies to organisations that meet both criteria:

  1. Operate in one of 18 designated sectors (energy, transport, banking, health, water, digital infrastructure, etc.)
  2. Meet size thresholds: 50+ employees or €10M+ annual turnover

Essential Entities

The most critical sectors: energy, transport, banking, health, water, wastewater, digital infrastructure, ICT service management, public administration, and space. Subject to proactive supervision.

Important Entities

Additional sectors: postal services, waste management, chemicals, food, manufacturing, digital providers, and research. Subject to reactive (incident-triggered) supervision.

Some entities are in scope regardless of size, including qualified trust service providers, TLD registries, and DNS providers.


What Does NIS2 Require?

NIS2 has three pillars of requirements:

1. Risk Management Measures (Article 21)

Organisations must implement ten specific cybersecurity measures covering risk analysis, incident handling, business continuity, supply chain security, network security, effectiveness assessment, training, cryptography, access control, and multi-factor authentication.

The key word in Article 21 is operational. Having policies is not enough. Your measures must work in practice and you must be able to prove it.

2. Incident Reporting (Article 23)

When a significant incident occurs:

  • Within 24 hours: Submit an early warning to your national CSIRT
  • Within 72 hours: Submit a full incident notification
  • Within 1 month: Submit a final report with root cause analysis

3. Governance and Accountability (Article 20)

Management bodies must:

  • Approve cybersecurity risk management measures
  • Oversee their implementation
  • Complete cybersecurity training
  • Bear personal liability for failures

NIS2 Penalties

The penalty framework is designed to ensure compliance is taken seriously:

  • Essential entities: Up to €10 million or 2% of global turnover
  • Important entities: Up to €7 million or 1.4% of global turnover
  • Management: Personal liability, potential temporary bans

These are minimum maximums — Member States can set even higher penalties in their national implementation.


NIS2 Timeline

Date        | What Happened
16 Jan 2023 | NIS2 entered into force
17 Oct 2024 | Deadline for national transposition
17 Apr 2025 | Deadline for entity lists
Ongoing     | National implementations continuing

How to Prepare for NIS2

  1. Check if you're in scope — Review the sectors and size thresholds
  2. Assess your gaps — Map your current measures against the ten Article 21 requirements
  3. Focus on the operational gaps — Incident reporting, supply chain monitoring, and evidence management are where most organisations fall short
  4. Build continuous compliance — Use compliance automation to maintain compliance as an ongoing operation, not a periodic project
  5. Implement continuous monitoring — Platforms like Orbiq's continuous monitoring automate evidence collection and keep your compliance status current at all times
  6. Establish a Trust Center — A Trust Center communicates your compliance posture externally to customers, auditors, and regulators

How Orbiq Helps With NIS2 Compliance

Orbiq is built for European compliance from the ground up. As a Trust Center and compliance platform, it addresses the operational gaps that matter most for NIS2:

  • Continuous Monitoring: Automated evidence collection and real-time compliance dashboards across all ten Article 21 measures
  • Vendor Assurance: Centralised supplier assessments, automated questionnaire distribution, and continuous monitoring of third-party compliance posture
  • Trust Center: A public-facing portal that demonstrates your compliance posture to customers, auditors, and regulators
  • Evidence Management: Collect and organise compliance evidence automatically, creating an auditable trail that survives regulatory scrutiny

Unlike US-centric platforms that retrofit European regulations as an afterthought, Orbiq is designed for GDPR, NIS2, and DORA from day one — with EU data residency and European-first thinking.


Updated March 2026. This guide is maintained as national implementations progress.
