What Is NIS2? A Complete Guide for EU Organizations

Why NIS2 Matters

The Network and Information Security Directive 2 (NIS2) replaces the original NIS Directive from 2016. It dramatically expands the scope of EU cybersecurity regulation — from roughly 10,000 entities to over 160,000 across 18 critical sectors.

If your organization operates in the EU, provides essential or important services, and has more than 50 employees or €10M turnover, NIS2 almost certainly applies to you.

Who Is in Scope?

NIS2 classifies entities into two categories:

Essential Entities (Annex I)

• Energy (electricity, oil, gas, hydrogen)
• Transport (air, rail, water, road)
• Banking and financial market infrastructures
• Health (hospitals, laboratories, medical devices)
• Drinking water and waste water
• Digital infrastructure (DNS, TLD registries, cloud, data centres)
• ICT service management (B2B)
• Public administration
• Space

Important Entities (Annex II)

• Postal and courier services
• Waste management
• Chemical manufacturing
• Food production and distribution
• Manufacturing (medical devices, machinery, electronics, vehicles)
• Digital providers (marketplaces, search engines, social platforms)
• Research organizations

Size Thresholds

Generally, NIS2 applies to medium and large organizations:

• Medium: 50–249 employees OR €10M–€50M turnover
• Large: 250+ employees OR €50M+ turnover

Some entities are in scope regardless of size — DNS providers, TLD registries, trust service providers, and sole providers of essential services.

The 10 Security Measures (Article 21)

Article 21 is the heart of NIS2. It mandates 10 cybersecurity risk-management measures:

1. Risk analysis and information system security policies — Art. 21(2)(a)
2. Incident handling — Art. 21(2)(b)
3. Business continuity and crisis management — Art. 21(2)(c)
4. Supply chain security — Art. 21(2)(d)
5. Security in network and information systems — Art. 21(2)(e)
6. Effectiveness assessment — Art. 21(2)(f)
7. Cyber hygiene and training — Art. 21(2)(g)
8. Cryptography and encryption — Art. 21(2)(h)
9. HR security, access control, asset management — Art. 21(2)(i)
10. Multi-factor authentication and secure communications — Art. 21(2)(j)

Incident Reporting (Article 23)

NIS2 introduces strict incident notification timelines:

Timeline	Requirement
24 hours	Early warning to CSIRT — is the incident suspected to be malicious?
72 hours	Detailed notification — severity, impact, indicators of compromise
1 month	Final report — root cause, mitigation measures, cross-border impact

Organizations must also notify affected users of significant cyber threats.

Penalties

The penalty regime is substantial:

• Essential entities: Up to €10M or 2% of global annual turnover (whichever is higher)
• Important entities: Up to €7M or 1.4% of global annual turnover
• Personal liability: Management bodies can be held personally liable for compliance failures

How to Prepare: A Practical Timeline

Months 1–2: Assessment

• Determine if NIS2 applies to your organization (use our free assessment tool)
• Map your current security measures to the 10 Art. 21 requirements
• Identify gaps and prioritize them by risk impact

Months 3–4: Foundation

• Establish or update your risk management framework
• Document security policies covering all 10 measures
• Set up incident detection and response procedures

Months 5–6: Supply Chain

• Inventory your critical ICT third-party providers
• Assess vendor security posture (questionnaires, certifications)
• Include NIS2 clauses in vendor contracts

Months 7–9: Implementation

• Deploy technical controls (MFA, encryption, monitoring)
• Conduct security awareness training
• Test business continuity and disaster recovery plans

Months 10–12: Verification

• Run effectiveness assessments
• Conduct penetration testing
• Prepare evidence for regulatory review

FAQ