OFFICIAL GUIDANCE • UPDATED JUNE 2026

The Complete Guide to
NIS2 Compliance

Everything European organizations need to understand about the NIS2 Directive — who it applies to, what Article 21 requires, what the penalties are, and how to achieve compliance without a €50,000 consultant.

Reading time: 12 minutes

What is the NIS2 Directive?

The NIS2 Directive (EU Directive 2022/2555) is the European Union's updated cybersecurity framework, replacing the original NIS Directive from 2016. It came into force on 16 January 2023 and EU member states were required to transpose it into national law by 17 October 2024.

NIS2 significantly expands the scope of the original directive — covering more sectors, imposing stricter requirements, and introducing substantially higher penalties for non-compliance.

Key Facts

  • Full name: Directive (EU) 2022/2555
  • Enforcement date: October 17, 2024
  • Replaces: NIS Directive (EU) 2016/1148
  • Applies to: 18 critical sectors across all EU member states
  • Maximum fine: €10,000,000 or 2% of global annual turnover

The primary objective of NIS2 is to achieve a high common level of cybersecurity across the EU by requiring organizations in critical sectors to implement robust risk management measures and report significant incidents.

Unlike its predecessor, NIS2 explicitly addresses supply chain security — meaning organizations are legally liable for the security posture of their third-party vendors and suppliers.

Who Does NIS2 Apply To?

NIS2 introduces two categories of covered entities:

Essential Entities

Higher fines, stricter supervision, proactive audits

Size Thresholds

  • Large enterprises: 250+ employees OR €50M+ annual turnover OR €43M+ balance sheet

Sectors

Energy, Transport, Banking, Financial Market Infrastructure, Health, Drinking Water, Wastewater, Digital Infrastructure, ICT Service Management, Public Administration, Space

Important Entities

Lower fines, reactive supervision, post-incident audits

Size Thresholds

  • Medium enterprises: 50-249 employees OR €10M-€50M annual turnover

Sectors

Postal Services, Waste Management, Chemicals, Food, Manufacturing, Digital Providers, Research

Size Thresholds Are Not Absolute

Even small organizations may be covered if they are identified as critical to national infrastructure by member states, or if they provide services exclusively to essential entities. If you are unsure whether NIS2 applies to your organization, consult your national cybersecurity authority or legal counsel.

Does NIS2 Apply to Non-EU Companies?

Yes. NIS2 applies to any organization that provides services to entities or persons in the EU, regardless of where the organization itself is headquartered. If your company has EU customers, clients, or subsidiaries, NIS2 likely applies to you.

The 18 Covered Sectors

NIS2 covers 18 sectors grouped into essential and important entities. Organizations in any of these sectors must comply with Article 21 requirements.

Essential Entities (11 Sectors)

Energy

Electricity, oil, gas, hydrogen producers and distributors

Transport

Air, rail, water, and road transport operators

Banking

Credit institutions and financial services

Financial Market Infrastructure

Trading platforms, central counterparties

Health

Healthcare providers, EU reference labs, pharma

Drinking Water

Suppliers and distributors for human consumption

Wastewater

Urban and industrial wastewater operators

Digital Infrastructure

IXPs, DNS, TLDs, cloud, data centers, CDNs

ICT Service Management

Managed service providers (MSPs) and managed security service providers (MSSPs)

Public Administration

Central and regional government entities

Space

Ground-based infrastructure supporting space services

Important Entities (7 Sectors)

Postal & Courier

Universal service providers and courier operators

Waste Management

Collection and treatment infrastructure

Chemicals

Chemical manufacturers and distributors

Food Production

Large-scale food producers and distributors

Manufacturing

Medical devices, computers, electronics, machinery

Digital Providers

Online marketplaces, search engines, social media

Research

Organizations with significant national importance

What Does Article 21 Require?

Article 21 is the core technical requirement of NIS2. It mandates that covered entities implement "appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems."

Article 21 specifies 10 minimum security measures:

1. Art. 21.2(a) — Risk Analysis & Information System Security Policies

Organizations must maintain documented, regularly reviewed policies for analyzing and managing information security risks. This includes asset inventories, risk registers, and formal governance frameworks.

What this means practically: You need a written information security policy, a risk register, and evidence that leadership has approved both.

2. Art. 21.2(b) — Incident Handling

Formal procedures for detecting, responding to, and recovering from cybersecurity incidents. Includes mandatory reporting to national authorities within 24 hours of becoming aware of a significant incident.

Reporting timeline:
  • 24 hours: Initial early warning to CSIRT
  • 72 hours: Incident notification with assessment
  • 1 month: Final report
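The three reporting stages above (and the "Incident Reporting Readiness" step of the roadmap) are easy to get wrong under pressure, in particular the one-month final-report deadline when the incident became known near the end of a month. The following deadline tracker is an added example, not code from this guide or from NIS2Engine. It assumes that "one month" means the same calendar day of the following month, clamped to that month's last day; your national CSIRT's guidance decides how the month is actually counted.

```python
"""Incident-reporting deadline tracker for the Article 21.2(b) timeline.

Added example, not part of the guide or of NIS2Engine.  Deadlines are
computed from the moment the organization became aware of a significant
incident: 24 h early warning, 72 h incident notification, final report after
one month.  ASSUMPTION: "one month" = same calendar day next month, clamped
to the last day of that month (31 Jan -> 28/29 Feb).
"""
from calendar import monthrange
from datetime import datetime, timedelta, timezone


def add_one_month(t: datetime) -> datetime:
    """Same day next month, clamped to that month's length; handles December."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """The three NIS2 reporting deadlines, keyed by stage."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def reporting_status(aware_at: datetime, now: datetime,
                     submitted: dict[str, datetime]) -> dict[str, str]:
    """Per stage: 'submitted' (on time), 'late' (sent after the deadline),
    'overdue' (not sent, deadline passed) or 'due in Xh'."""
    status = {}
    for stage, deadline in reporting_deadlines(aware_at).items():
        sent = submitted.get(stage)
        if sent is not None:
            status[stage] = "submitted" if sent <= deadline else "late"
        elif now > deadline:
            status[stage] = "overdue"
        else:
            hours = int((deadline - now).total_seconds() // 3600)
            status[stage] = f"due in {hours}h"
    return status


# Constructed scenario: the organization became aware on 31 Jan 2025, 09:00 UTC,
# which exercises the end-of-month clamp for the final report.
AWARE_AT = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    now = AWARE_AT + timedelta(hours=30)
    sent = {"early_warning": AWARE_AT + timedelta(hours=20)}
    deadlines = reporting_deadlines(AWARE_AT)
    for stage, state in reporting_status(AWARE_AT, now, sent).items():
        print(f"{stage:22} {deadlines[stage].isoformat()}  {state}")
```

Keeping the awareness timestamp in UTC with an explicit timezone avoids the classic off-by-one-hour mistake around daylight-saving changes when the 24-hour clock is computed by a team spread over several member states.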
3. Art. 21.2(c) — Business Continuity

Business continuity management including backup procedures, disaster recovery, and crisis management. Must be tested regularly and documented.

4. Art. 21.2(d) — Supply Chain Security (crucial focus)

Assessment and management of security risks in relationships with direct suppliers and service providers. Organizations must evaluate the security practices of their vendors.

This is the provision NIS2Engine directly addresses. Article 21.2(d) requires you to assess and document the security posture of every third-party vendor. Manual spreadsheet audits do not satisfy this requirement at scale.
5. Art. 21.2(e) — Security in System Acquisition & Development

Security must be considered throughout the lifecycle of network and information systems, including vulnerability handling and disclosure policies.

6. Art. 21.2(f) — Policies for Assessing Effectiveness

Organizations must have policies to assess the effectiveness of their cybersecurity risk management measures. This requires measurable metrics and regular review.

7. Art. 21.2(g) — Basic Cyber Hygiene & Training

Implementation of basic cyber hygiene practices and regular cybersecurity training for all staff. Includes software updates, password policies, and phishing awareness.

8. Art. 21.2(h) — Cryptography & Encryption Policies

Policies on the use of cryptography and encryption, including key management procedures.

9. Art. 21.2(i) — Human Resources Security

Personnel security policies including background checks, access rights management, and procedures for personnel changes.

10. Art. 21.2(j) — MFA & Secure Communications

Use of multi-factor authentication, continuous authentication solutions, and end-to-end encryption for voice, video, and text communications.

The Proportionality Principle

NIS2 requires measures that are "appropriate and proportionate" to the risk. This means a 50-person SaaS company and a 10,000-person bank are not held to identical standards. However, proportionality does not mean organizations can opt out of any of the 10 requirements — it affects the depth of implementation, not whether it applies.

Supply Chain Security — The Hidden Risk

Article 21.2(d) is the provision most organizations underestimate. It requires organizations to assess and manage security risks in their supply chains — specifically in relationships with direct suppliers and service providers.

Why This Matters

Under NIS2, if a breach occurs through a third-party vendor, your organization bears regulatory liability for failing to adequately assess that vendor's security posture.

Real scenario: Your SaaS accounting software provider is breached. Attackers access your client financial data through the vendor's system. Under NIS2, your organization may face fines not just for the breach itself, but for failing to conduct adequate vendor security assessments prior to the incident.

What Regulators Expect

1. Document

Written records of which vendors have access to your systems and data.

2. Assess

Regular technical assessment of each vendor's security posture.

3. Act

Formal remediation requirements for non-compliant vendors, including written notices.

What is NOT Sufficient

  • Asking vendors to fill in a security questionnaire once a year
  • Reviewing vendor SOC 2 reports without independent verification
  • Storing vendor contracts without security assessment documentation
  • Manual spreadsheet tracking of vendor risk

What Regulators Consider Adequate

  • Regular automated technical scans of vendor domains and infrastructure
  • Scored, dated, documented assessment reports for each vendor
  • Formal remediation letters sent to non-compliant vendors with specific findings
  • Evidence of continuous monitoring, not just point-in-time assessment
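What separates the "not sufficient" list from the "adequate" list is evidence: each vendor gets a dated, scored record with specific findings, a remediation notice is tied to that record, and successive records show whether the posture is improving or drifting. The vendor register below is an added example, not NIS2Engine's code and not a regulatory scoring scheme; the check weights, the pass threshold of 70, the two vendor names and all observation values are constructed for illustration. The observations stand in for what a passive review of a vendor's public footprint would report (TLS floor, certificate validity, HTTP security headers, SPF/DMARC records); nothing here touches the network, so it runs offline. It also covers the later FAQ on why a questionnaire alone does not produce this kind of evidence.

```python
"""Vendor register with dated, scored posture assessments and remediation notices.

Added example, not NIS2Engine's code.  ASSUMPTIONS: check weights, the pass
threshold, vendor names and all observation values are constructed; real
observations would come from a passive review of the vendor's public
footprint.  No network access is performed.
"""
from dataclasses import dataclass, field
from datetime import date
import uuid

# (check name, predicate on observations, weight, finding text if it fails)
CHECKS = [
    ("tls_modern", lambda o: o.get("min_tls") in ("1.2", "1.3"), 25,
     "TLS below 1.2 is still offered"),
    ("cert_valid", lambda o: o.get("cert_days_left", 0) > 14, 20,
     "Certificate expired or expires within 14 days"),
    ("hsts", lambda o: "strict-transport-security" in o.get("headers", {}), 15,
     "HSTS header missing"),
    ("dmarc_enforced", lambda o: o.get("dmarc_policy") in ("quarantine", "reject"), 20,
     "DMARC policy absent or p=none"),
    ("spf", lambda o: o.get("spf_present", False), 10, "No SPF record"),
    ("no_exposed_admin", lambda o: not o.get("exposed_admin_panels", []), 10,
     "Administrative interface reachable from the internet"),
]
PASS_THRESHOLD = 70  # assumption: below this a remediation notice goes out


@dataclass
class Assessment:
    """One dated, scored record for one vendor: the evidence regulators ask for."""
    vendor: str
    assessed_on: date
    score: int
    findings: list = field(default_factory=list)
    report_id: str = field(default_factory=lambda: uuid.uuid4().hex[:12])

    @property
    def needs_remediation(self) -> bool:
        return self.score < PASS_THRESHOLD


def assess(vendor: str, observations: dict, on: date) -> Assessment:
    """Score a vendor from its observations; every failed check becomes a finding."""
    score, findings = 0, []
    for name, passes, weight, finding in CHECKS:
        if passes(observations):
            score += weight
        else:
            findings.append(f"{name}: {finding}")
    return Assessment(vendor, on, score, findings)


class VendorRegister:
    """Keeps the full history per vendor so continuous monitoring shows drift."""

    def __init__(self) -> None:
        self.history: dict[str, list[Assessment]] = {}

    def record(self, a: Assessment) -> None:
        self.history.setdefault(a.vendor, []).append(a)

    def latest(self, vendor: str) -> Assessment:
        return self.history[vendor][-1]

    def drift(self, vendor: str) -> int:
        """Score change between the last two assessments (0 if only one exists)."""
        h = self.history[vendor]
        return h[-1].score - h[-2].score if len(h) > 1 else 0

    def remediation_queue(self) -> list[str]:
        return sorted(v for v, h in self.history.items() if h[-1].needs_remediation)


def remediation_letter(a: Assessment) -> str:
    """Plain-text notice that cites the specific findings and the report it is based on."""
    lines = [f"To: {a.vendor}",
             f"Assessment {a.report_id} dated {a.assessed_on.isoformat()}",
             f"Score: {a.score}/100 (threshold {PASS_THRESHOLD})",
             "Findings requiring remediation:"]
    lines += [f"  - {f}" for f in a.findings]
    return "\n".join(lines)


# Constructed observations for two fictitious vendors.
SAMPLE_OBSERVATIONS = {
    "acme-accounting.example": {
        "min_tls": "1.0", "cert_days_left": 90, "headers": {"server": "nginx"},
        "dmarc_policy": "none", "spf_present": True, "exposed_admin_panels": ["/admin"],
    },
    "secure-payroll.example": {
        "min_tls": "1.2", "cert_days_left": 200,
        "headers": {"strict-transport-security": "max-age=31536000"},
        "dmarc_policy": "reject", "spf_present": True, "exposed_admin_panels": [],
    },
}


def demo_register() -> VendorRegister:
    """Two assessment rounds a month apart; acme fixes TLS and the admin panel but not DMARC."""
    reg = VendorRegister()
    for vendor, obs in SAMPLE_OBSERVATIONS.items():
        reg.record(assess(vendor, obs, date(2025, 1, 15)))
    improved = dict(SAMPLE_OBSERVATIONS["acme-accounting.example"],
                    min_tls="1.2", exposed_admin_panels=[])
    reg.record(assess("acme-accounting.example", improved, date(2025, 2, 15)))
    return reg


if __name__ == "__main__":
    reg = demo_register()
    for vendor in reg.history:
        a = reg.latest(vendor)
        print(vendor, a.score, "drift", reg.drift(vendor),
              "remediate" if a.needs_remediation else "ok")
    for vendor in reg.remediation_queue():
        print(remediation_letter(reg.latest(vendor)))
```

The point of storing every assessment rather than only the current score is that a regulator asking "what did you know about this vendor before the incident?" can be answered with the dated record and the letter that cited its findings, which a once-a-year questionnaire cannot provide.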

Penalties for Non-Compliance

NIS2 introduced significantly higher penalties than its predecessor. Fines are calculated as the higher of a fixed amount or a percentage of global annual turnover.

Entity Type          Maximum Fine     Per Turnover
Essential Entities   €10,000,000      2% of global annual turnover
Important Entities   €7,000,000       1.4% of global annual turnover

Whichever is higher applies. This means a large enterprise with €500M global turnover could face fines of up to €10,000,000.

Additional Enforcement Powers

  • Impose temporary bans on management personnel from holding leadership positions
  • Issue public notifications of non-compliance (naming and shaming)
  • Require organizations to inform customers of security risks
  • Mandate audits at the organization's expense
  • Issue binding instructions to remediate specific security deficiencies

Personal Liability

NIS2 introduces personal liability for management bodies. Board members and C-suite executives can be held personally liable for failing to implement adequate cybersecurity measures.

Under Article 20, management bodies must:

  • Approve cybersecurity risk management measures
  • Oversee implementation
  • Receive regular cybersecurity training
  • Be personally liable for organizational non-compliance

Key Deadlines

Jan 16, 2023

NIS2 Directive entered into force

EU published Directive 2022/2555 in the Official Journal

Oct 17, 2024

Member State Transposition Deadline

All EU member states were required to transpose NIS2 into national law by this date. Enforcement began from this date.

Oct 17, 2024 – Ongoing

Registration Requirements

Covered entities must register with their national competent authority. Registration deadlines vary by member state.

Continuous

Annual Assessment Requirement

NIS2 does not specify a fixed annual deadline but requires continuous monitoring and regular assessment of security measures.

A Practical Compliance Roadmap

Getting NIS2 compliant doesn't require a €50,000 consultant. Here is a practical roadmap for organizations of 50-500 employees.

Phase 1 — Weeks 1-2

Assess

1. Determine Applicability

Use the sector and size thresholds. When in doubt, assume yes.

2. Map Assets

Create an inventory of all systems, applications, and data assets.

3. Map Vendor Relationships

List every third-party vendor with access to your systems. This is your vendor register.

4. Assess Posture (Automated)

Run technical assessments of your domain and all vendor domains using NIS2Engine.

Phase 2 — Weeks 3-4

Document

5. Information Security Policy

Must be approved by leadership. Templates available from ENISA.

6. Risk Register

Document identified risks, likelihood, impact, and mitigation status.

7. Document Assessments (Automated)

Store dated, scored PDF reports for each vendor generated by NIS2Engine.

8. Send Remediation Letters (Automated)

Issue formal AI-generated notices to non-compliant vendors in 5 languages.

Phase 3 — Months 2-3

Implement

9. Incident Response Procedures

Written plan, defined roles, tested annually.

10. Monitoring & Alerting

Continuous monitoring for own infrastructure and vendor portfolio.

11. Staff Training

Cyber awareness training for staff, board training on NIS2.

Phase 4 — Ongoing

Maintain

12. Monthly Re-assessment (Automated)

Automated continuous scanning to satisfy Article 21 requirements.

13. Annual Policy Review

Update the information security policy and risk register annually.

14. Incident Reporting Readiness

The team must know the 24-hour early-warning reporting requirement to the CSIRT.

Frequently Asked Questions

Is NIS2 directly applicable or does it depend on national law?

NIS2 is an EU directive, not a regulation, which means it required transposition into national law by each member state by October 17, 2024. Most member states have now transposed it. The specific national law applies to your organization, but the requirements are substantially identical across all member states since they derive from the same directive.

My company is outside the EU but has EU customers. Does NIS2 apply?

Potentially yes. NIS2 applies to entities that provide services within the EU, regardless of where they are established. If you provide digital services to EU customers and meet the size thresholds, you may be covered. Consult your legal counsel for a definitive answer specific to your situation.

What is a 'significant incident' that must be reported?

NIS2 defines a significant incident as one that has caused or is capable of causing serious operational disruption or financial loss, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. Your national CSIRT guidance will have specific thresholds.

Do I need to assess every vendor or just the critical ones?

Article 21.2(d) refers to 'direct suppliers and service providers' without limiting it to critical ones. Best practice and regulatory guidance suggest prioritizing vendors with access to your systems and data, while documenting your prioritization rationale.

Can we use questionnaires instead of technical scans?

Questionnaires alone are generally considered insufficient. They rely on self-reporting by vendors and do not provide independent verification of actual security posture. Technical passive OSINT assessments like those performed by NIS2Engine provide objective, independently verifiable evidence.

Is NIS2Engine scanning legal?

Yes. NIS2Engine uses passive OSINT techniques only — we analyze publicly available information identical to what any internet user can observe. We do not exploit vulnerabilities, require authentication, or interact with vendor systems beyond normal HTTP/HTTPS requests. This is standard security research practice and is fully compliant with EU law.

Ready to Automate Your NIS2 Vendor Compliance?

Generate your first vendor scorecard in under 30 seconds. No signup required for the free scan.

Note: This guide is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for advice specific to your organization.