EU Regulation

Network and Information Security Directive (NIS2)

The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.

Effective: 18 October 2024Last updated: 18 October 2024

Overview

The NIS2 Directive (Directive 2022/2555) is the EU's updated cybersecurity framework, adopted on 14 December 2022 with a transposition deadline of 17 October 2024 for EU member states. It replaces the original NIS Directive (2016/1148) and significantly broadens its scope and enforcement mechanisms.

NIS2 categorises entities as either "essential" or "important" based on sector and size. Essential entities include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space. Important entities cover postal services, waste management, chemicals, food production, manufacturing, digital providers, and research.

The directive applies to medium and large enterprises in these sectors (50+ employees or €10M+ turnover), though member states may extend it to smaller entities in critical roles. Supply chain security receives particular emphasis, requiring entities to assess and manage risks from direct suppliers and service providers.

Organisations must implement "appropriate and proportionate" cybersecurity risk-management measures covering at least: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information system acquisition, development, and maintenance; vulnerability handling and disclosure; cybersecurity testing; use of cryptography and encryption; human resources security; and access control and asset management.

Significant incidents must be reported to the national CSIRT or competent authority within defined timeframes: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month. The directive introduces personal liability for management bodies, who must approve cybersecurity measures, oversee their implementation, and undergo cybersecurity training.

Member states must designate national competent authorities, establish CSIRTs, and participate in the EU Cyber Crisis Liaison Organisation Network (CyCLONe) for coordinated incident response. The European Union Agency for Cybersecurity (ENISA) plays a central support and coordination role.

Key Articles & Provisions

Art. 3

Essential and important entities

Defines which entities fall under NIS2 based on sector (Annex I for essential, Annex II for important) and size thresholds (medium: 50+ employees or €10M+ turnover; large: 250+ employees or €50M+ turnover).

Art. 20

Governance

Requires management bodies to approve cybersecurity risk-management measures, oversee implementation, undergo training, and bear personal liability for non-compliance.

Art. 21

Cybersecurity risk-management measures

Lists minimum measures including risk analysis, incident handling, business continuity, supply chain security, vulnerability management, cryptography, access control, and multi-factor authentication.

Art. 23

Reporting obligations

Mandates early warning within 24 hours, incident notification within 72 hours, and final report within one month for significant incidents affecting service provision.

Art. 22

Coordinated vulnerability disclosure

Establishes a coordinated framework for vulnerability disclosure through national CSIRTs, with ENISA developing a European vulnerability database.

Art. 32-33

Supervisory and enforcement measures

Grants authorities powers for inspections, audits, and orders. Essential entities face proactive supervision; important entities face reactive supervision upon evidence of non-compliance.

Penalties & Enforcement

Maximum Fine

€10,000,000

Or

2% of total annual worldwide turnover

Enforcement Examples

  • Essential entities face fines up to €10M or 2% of global turnover (whichever is higher)
  • Important entities face fines up to €7M or 1.4% of global turnover (whichever is higher)
  • Management bodies can be held personally liable and temporarily banned from exercising managerial functions

Check Your Compliance Status

Take our free assessment to evaluate your organisation's compliance posture. Get a personalised report with actionable recommendations in minutes — no sign-up required.

Start Free Assessment

Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.

Network and Information Security Directive (NIS2) by Country

Explore how Network and Information Security Directive is implemented and enforced in each EU member state.

🇩🇪Germany🇫🇷France🇳🇱Netherlands🇪🇸Spain🇮🇹Italy🇵🇱Poland🇵🇹Portugal🇸🇪Sweden🇦🇹Austria🇧🇪Belgium🇩🇰Denmark🇫🇮Finland🇮🇪Ireland🇭🇺Hungary

Network and Information Security Directive (NIS2) by Industry

See industry-specific requirements and guidance for Network and Information Security Directive.

Technologyhigh risk
Financial Serviceshigh risk
Healthcarehigh risk
Energyhigh risk
Transporthigh risk
Manufacturingmedium risk
Government & Public Administrationhigh risk
Telecommunicationshigh risk