What is the NIS2 Directive?
The NIS2 Directive (EU Directive 2022/2555) is the European Union's updated cybersecurity framework, replacing the original NIS Directive from 2016. It came into force on 16 January 2023 and EU member states were required to transpose it into national law by 17 October 2024.
NIS2 significantly expands the scope of the original directive — covering more sectors, imposing stricter requirements, and introducing substantially higher penalties for non-compliance.
Key Facts
- Full name: Directive (EU) 2022/2555
- Enforcement date: October 17, 2024
- Replaces: NIS Directive (EU) 2016/1148
- Applies to: 18 critical sectors across all EU member states
- Maximum fine: €10,000,000 or 2% of global annual turnover
The primary objective of NIS2 is to achieve a high common level of cybersecurity across the EU by requiring organizations in critical sectors to implement robust risk management measures and report significant incidents.
Unlike its predecessor, NIS2 explicitly addresses supply chain security — meaning organizations are legally liable for the security posture of their third-party vendors and suppliers.
Who Does NIS2 Apply To?
NIS2 introduces two categories of covered entities:
Essential Entities
Higher fines, stricter supervision, proactive audits
Size Thresholds
- Large enterprises: 250+ employees, OR
- €50M+ annual turnover, OR €43M+ balance sheet
Sectors
Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management, Public Administration, Space
Important Entities
Lower fines, reactive supervision, post-incident audits
Size Thresholds
- Medium enterprises: 50-249 employees, OR
- €10M-€50M annual turnover
Sectors
Postal Services, Waste Management, Chemicals, Food, Manufacturing, Digital Providers, Research
Size Thresholds Are Not Absolute
Even small organizations may be covered if they are identified as critical to national infrastructure by member states, or if they provide services exclusively to essential entities. If you are unsure whether NIS2 applies to your organization, consult your national cybersecurity authority or legal counsel.
Does NIS2 Apply to Non-EU Companies?
Yes. NIS2 applies to any organization that provides services to entities or persons in the EU, regardless of where the organization itself is headquartered. If your company has EU customers, clients, or subsidiaries, NIS2 likely applies to you.
The 18 Covered Sectors
NIS2 covers 18 sectors grouped into essential and important entities. Organizations in any of these sectors must comply with Article 21 requirements.
Essential Entities (11 Sectors)
- Energy: electricity, oil, gas, and hydrogen producers and distributors
- Transport: air, rail, water, and road transport operators
- Banking: credit institutions and financial services
- Financial Market Infrastructure: trading platforms, central counterparties
- Health: healthcare providers, EU reference labs, pharma
- Drinking Water: suppliers and distributors of water for human consumption
- Wastewater: urban and industrial wastewater operators
- Digital Infrastructure: IXPs, DNS, TLDs, cloud, data centers, CDNs
- ICT Service Management: MSPs and Managed Security Service Providers
- Public Administration: central and regional government entities
- Space: ground-based infrastructure supporting space services
Important Entities (7 Sectors)
- Postal & Courier: universal service providers and courier operators
- Waste Management: collection and treatment infrastructure
- Chemicals: chemical manufacturers and distributors
- Food Production: large-scale food producers and distributors
- Manufacturing: medical devices, computers, electronics, machinery
- Digital Providers: online marketplaces, search engines, social media
- Research: organizations with significant national importance
What Does Article 21 Require?
Article 21 is the core technical requirement of NIS2. It mandates that covered entities implement "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems."
Article 21 specifies 10 minimum security measures:
Art. 21.2(a) — Risk Analysis & Information System Security Policies
Organizations must maintain documented, regularly reviewed policies for analyzing and managing information security risks. This includes asset inventories, risk registers, and formal governance frameworks.
Art. 21.2(b) — Incident Handling
Formal procedures for detecting, responding to, and recovering from cybersecurity incidents. Includes mandatory reporting to national authorities within 24 hours of becoming aware of a significant incident.
Art. 21.2(c) — Business Continuity
Business continuity management including backup procedures, disaster recovery, and crisis management. Must be tested regularly and documented.
Art. 21.2(d) — Supply Chain Security
Assessment and management of security risks in relationships with direct suppliers and service providers. Organizations must evaluate the security practices of their vendors.
Art. 21.2(e) — Security in System Acquisition & Development
Security must be considered throughout the lifecycle of network and information systems, including vulnerability handling and disclosure policies.
Art. 21.2(f) — Policies for Assessing Effectiveness
Organizations must have policies to assess the effectiveness of their cybersecurity risk management measures. This requires measurable metrics and regular review.
Art. 21.2(g) — Basic Cyber Hygiene & Training
Implementation of basic cyber hygiene practices and regular cybersecurity training for all staff. Includes software updates, password policies, and phishing awareness.
Art. 21.2(h) — Cryptography & Encryption Policies
Policies on the use of cryptography and encryption, including key management procedures.
Art. 21.2(i) — Human Resources Security
Personnel security policies including background checks, access rights management, and procedures for personnel changes.
Art. 21.2(j) — MFA & Secure Communications
Use of multi-factor authentication, continuous authentication solutions, and end-to-end encryption for voice, video, and text communications.
The Proportionality Principle
NIS2 requires measures that are "appropriate and proportionate" to the risk. This means a 50-person SaaS company and a 10,000-person bank are not held to identical standards. However, proportionality does not mean organizations can opt out of any of the 10 requirements — it affects the depth of implementation, not whether it applies.
Supply Chain Security — The Hidden Risk
Article 21.2(d) is the provision most organizations underestimate. It requires organizations to assess and manage security risks in their supply chains — specifically in relationships with direct suppliers and service providers.
Why This Matters
Under NIS2, if a breach occurs through a third-party vendor, your organization bears regulatory liability for failing to adequately assess that vendor's security posture.
What Regulators Expect
1. Document: written records of which vendors have access to your systems and data.
2. Assess: regular technical assessment of each vendor's security posture.
3. Act: formal remediation requirements for non-compliant vendors, including written notices.
What is NOT Sufficient
- ✗ Asking vendors to fill in a security questionnaire once a year
- ✗ Reviewing vendor SOC 2 reports without independent verification
- ✗ Storing vendor contracts without security assessment documentation
- ✗ Manual spreadsheet tracking of vendor risk
What Regulators Consider Adequate
- Regular automated technical scans of vendor domains and infrastructure
- Scored, dated, documented assessment reports for each vendor
- Formal remediation letters sent to non-compliant vendors with specific findings
- Evidence of continuous monitoring, not just point-in-time assessment
Penalties for Non-Compliance
NIS2 introduced significantly higher penalties than its predecessor. Fines are calculated as the higher of a fixed amount or a percentage of global annual turnover.
| Entity Type | Maximum Fine | Per Turnover |
|---|---|---|
| Essential Entities | €10,000,000 | 2% of global annual turnover |
| Important Entities | €7,000,000 | 1.4% of global annual turnover |
Whichever is higher applies. This means a large enterprise with €500M global turnover could face fines of up to €10,000,000.
Additional Enforcement Powers
- Impose temporary bans on management personnel from holding leadership positions
- Issue public notifications of non-compliance (naming and shaming)
- Require organizations to inform customers of security risks
- Mandate audits at the organization's expense
- Issue binding instructions to remediate specific security deficiencies
Personal Liability
NIS2 introduces personal liability for management bodies. Board members and C-suite executives can be held personally liable for failing to implement adequate cybersecurity measures.
Under Article 20, management bodies must:
- Approve cybersecurity risk management measures
- Oversee implementation
- Receive regular cybersecurity training
- Be personally liable for organizational non-compliance
Key Deadlines
- Jan 16, 2023: NIS2 Directive entered into force. The EU published Directive 2022/2555 in the Official Journal.
- Oct 17, 2024: Member state transposition deadline. All EU member states were required to transpose NIS2 into national law; enforcement began from this date.
- Oct 17, 2024, ongoing: Registration requirements. Covered entities must register with their national competent authority; registration deadlines vary by member state.
- Continuous: Annual assessment requirement. NIS2 does not specify a fixed annual deadline but requires continuous monitoring and regular assessment of security measures.
A Practical Compliance Roadmap
Getting NIS2 compliant doesn't require a €50,000 consultant. Here is a practical roadmap for organizations of 50-500 employees.
Assess
1. Determine Applicability: use the sector and size thresholds. When in doubt, assume yes.
2. Map Assets: create an inventory of all systems, applications, and data assets.
3. Map Vendor Relationships: list every third-party vendor with access to your systems. This is your vendor register.
4. Assess Posture (Automated): run technical assessments of your domain and all vendor domains using NIS2Engine.
Document
5. Information Security Policy: must be approved by leadership. Templates are available from ENISA.
6. Risk Register: document identified risks, likelihood, impact, and mitigation status.
7. Document Assessments (Automated): store dated, scored PDF reports for each vendor generated by NIS2Engine.
8. Send Remediation Letters (Automated): issue formal AI-generated notices to non-compliant vendors in 5 languages.
Implement
9. Incident Response Procedures: a written plan, defined roles, tested annually.
10. Monitoring & Alerting: continuous monitoring of your own infrastructure and your vendor portfolio.
11. Staff Training: cyber awareness training for staff, NIS2 training for the board.
Maintain
12. Monthly Re-assessment (Automated): automated continuous scanning to satisfy Article 21 requirements.
13. Annual Policy Review: update the information security policy and risk register annually.
14. Incident Reporting Readiness: the team must know the 24-hour reporting requirement to the national CSIRT.
Frequently Asked Questions
Is NIS2 directly applicable or does it depend on national law?
NIS2 is an EU directive, not a regulation, which means it required transposition into national law by each member state by October 17, 2024. Most member states have now transposed it. The specific national law applies to your organization, but the requirements are substantially identical across all member states since they derive from the same directive.
My company is outside the EU but has EU customers. Does NIS2 apply?
Potentially yes. NIS2 applies to entities that provide services within the EU, regardless of where they are established. If you provide digital services to EU customers and meet the size thresholds, you may be covered. Consult your legal counsel for a definitive answer specific to your situation.
What is a 'significant incident' that must be reported?
NIS2 defines a significant incident as one that has caused or is capable of causing serious operational disruption or financial loss, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. Your national CSIRT guidance will have specific thresholds.
Do I need to assess every vendor or just the critical ones?
Article 21.2(d) refers to 'direct suppliers and service providers' without limiting it to critical ones. Best practice and regulatory guidance suggest prioritizing vendors with access to your systems and data, while documenting your prioritization rationale.
Can we use questionnaires instead of technical scans?
Questionnaires alone are generally considered insufficient. They rely on self-reporting by vendors and do not provide independent verification of actual security posture. Technical passive OSINT assessments like those performed by NIS2Engine provide objective, independently verifiable evidence.
Is NIS2Engine scanning legal?
Yes. NIS2Engine uses passive OSINT techniques only — we analyze publicly available information identical to what any internet user can observe. We do not exploit vulnerabilities, require authentication, or interact with vendor systems beyond normal HTTP/HTTPS requests. This is standard security research practice and is fully compliant with EU law.