The NIS Directive was the European Union’s first horizontal cybersecurity law for critical services and certain digital providers, introduced in 2016.
NIS2, formally Directive (EU) 2022/2555, replaces that earlier framework with wider sector coverage, clearer governance duties, tighter incident reporting and stronger enforcement. The change matters because many organisations that were peripheral under NIS now need to decide whether they are directly regulated, indirectly exposed through supply chains, or required to coordinate with customers that fall within scope.
The original NIS Directive, Directive (EU) 2016/1148, focused on operators of essential services and digital service providers. Operators of essential services were identified in areas such as energy, transport, banking, financial market infrastructure, health, drinking water supply and digital infrastructure. Digital service providers covered online marketplaces, online search engines and cloud computing services, subject to the rules set by the Directive and national implementation.
NIS2 keeps the same broad purpose: improving the security of network and information systems across the EU. Its method is different. It expands the sectors covered, reduces variation between Member States, creates a distinction between essential and important entities, and gives national competent authorities and CSIRTs a clearer basis for supervision and incident handling.
NIS helped establish national cybersecurity strategies, competent authorities, CSIRTs and cooperation mechanisms across the EU. Even so, implementation varied significantly between Member States. Some sectors were covered in one country but treated differently in another, and organisations operating across borders could face uncertainty about obligations, reporting routes and supervisory expectations.
The threat environment also changed. Ransomware against healthcare, energy and public services, attacks on managed service providers, and supply-chain compromises showed that disruption could spread well beyond the organisation first attacked. NIS2 responds by treating cybersecurity as an operational resilience issue across connected sectors rather than as a narrow IT compliance task.
The clearest difference is scope. NIS applied to operators of essential services and certain digital service providers. NIS2 divides covered organisations into essential entities and important entities, with sectors listed in Annex I and Annex II of the Directive. Essential sectors include areas such as energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. Important sectors include postal and courier services, waste management, chemicals, food, manufacturing, digital providers and research, depending on the specific activity described in the Directive.
NIS2 also uses a size-cap rule. In general, medium and large entities in the listed sectors are more likely to be in scope, although some smaller organisations can still be included because of the type of service they provide, their importance to public safety, or Member State designation. This is one reason a simple “company size only” test can mislead compliance teams.
Cross-border activity is another practical change. An organisation established outside the EU may still need to assess NIS2 exposure if it offers covered services into the EU, and groups with subsidiaries in several Member States may face more than one supervisory relationship. Suppliers that are not directly regulated can also feel the impact when regulated customers require stronger evidence of security controls, vulnerability handling, incident escalation and continuity planning.
| Area | NIS | NIS2 |
|---|---|---|
| Legal framework | Directive (EU) 2016/1148 | Directive (EU) 2022/2555 |
| Entity categories | Operators of essential services and digital service providers | Essential entities and important entities |
| Scope | Narrower sector coverage with more variation in national designation | Broader Annex I and Annex II sectors, with size-cap and specific inclusion rules |
| Incident reporting | Reporting obligations set through the Directive and national implementation | Early warning within 24 hours, incident notification within 72 hours and final report within one month for significant incidents |
| Governance | Security and risk-management duties, with national enforcement | Explicit management accountability, risk-management measures and stronger supervision |
| Penalties | Determined by Member States under national implementing laws | Maximum administrative fines set by category: up to EUR 10 million for essential entities and up to EUR 7 million for important entities, or the relevant percentage of worldwide annual turnover specified in the Directive |
It is also important not to confuse NIS2 with other EU cyber laws. The Cyber Resilience Act, for example, concerns cybersecurity requirements for products with digital elements, while NIS2 focuses on organisational and service resilience in covered sectors. Readers comparing those obligations may find this Cyber Resilience Act vs NIS2 explainer useful, but the legal tests are separate.
A pragmatic scoping exercise should start with services, not legal entities. Many groups begin by asking whether the parent company is “a healthcare company” or “a technology company”, but NIS2 analysis is more precise than that. The better first question is which services are actually provided, in which countries, and whether those services match an Annex I or Annex II activity.
The next step is to apply the size-cap rule and then check for exceptions. Medium and large entities in covered sectors are more likely to be regulated, but certain services may be included regardless of size or because a Member State designates them as critical. Organisations should also check national implementing rules and any registers or guidance issued by the relevant competent authority, because supervision and registration processes are handled at Member State level.
Finally, multinational groups should separate the analysis for subsidiaries, branches and non-EU entities offering services into the EU. A supplier may be outside direct scope in one part of the group while another entity is clearly covered. Treating the group as a single yes-or-no answer can cause missed reporting obligations or unnecessary control work in the wrong place.
NIS2 creates a staged reporting process for significant incidents. A significant incident is generally one that causes or is capable of causing severe operational disruption or financial loss, or one that affects or is capable of affecting others by causing considerable material or non-material damage. The precise assessment will depend on facts, national procedures and any sector-specific guidance.
For significant incidents, the early warning is due within 24 hours of becoming aware of the incident. This is intended to flag whether unlawful or malicious activity is suspected and whether cross-border impact is possible. A more detailed incident notification is due within 72 hours, followed by a final report within one month. Where the incident is still ongoing at that point, an interim report may be required before the final report is completed.
In practice, the timeline is demanding because the first 24 hours are usually when information is least complete. A workable reporting design should identify who detects and triages the event, who has authority to notify the CSIRT or competent authority, how legal and communications teams are brought in, and how evidence is preserved without slowing containment. For groups operating in more than one Member State, the process also needs a way to decide whether multiple national notifications are required.
A common mistake is to borrow GDPR reporting assumptions and apply them to NIS2. The timing, thresholds and authorities are not the same. Cybersecurity teams should build an incident classification model that distinguishes personal data breach reporting from NIS2 significant incident reporting, while still allowing the two processes to run together when one event triggers both regimes.
NIS2 gives governance more weight than NIS. Management bodies of essential and important entities are expected to approve cybersecurity risk-management measures, oversee their implementation and be accountable for failures to meet the Directive’s requirements. The Directive also includes expectations around training, which makes board and senior management awareness part of the compliance operating model rather than an optional awareness activity.
The required measures are not limited to security tools. They include risk analysis, incident handling, business continuity, supply-chain security, secure acquisition and development, vulnerability handling, policies for assessing risk-management measures, cyber hygiene, cryptography where appropriate, access control and the use of multi-factor authentication or secure communications where relevant. The challenge is proving that these measures operate consistently, not merely that products have been purchased.
Established frameworks can help structure that evidence. ISO/IEC 27001 supports governance, risk assessment, control ownership and continual improvement, while NIST CSF 2.0 provides a practical language for identifying, protecting, detecting, responding, recovering and governing cyber risk. Organisations that already maintain an information security management system may still need to extend it to cover NIS2-specific reporting, supplier oversight and management accountability. In that context, an ISO/IEC 27001 Lead Implementer learning path can be relevant for teams strengthening control design and governance, although certification is not a substitute for legal scoping.
Under NIS, penalties were determined by Member States, which contributed to uneven enforcement approaches. NIS2 sets clearer maximum administrative fines.
Supervision also differs by entity category. Essential entities may be subject to more proactive supervision, while important entities are generally supervised after evidence of non-compliance or incidents, subject to national implementation. Competent authorities may require information, conduct audits, issue warnings or instructions, and take enforcement action where necessary.
The UK should be treated separately. It is no longer an EU Member State and is not subject to NIS2, although it maintains its own NIS regime and has considered updates to reflect changes in cyber risk. Organisations operating in both the EU and the UK should avoid assuming that one compliance analysis covers both regimes.
EU Member States were required to transpose NIS2 into national law by 17 October 2024. For affected organisations, preparation should therefore focus on operational readiness under the applicable national rules rather than on the Directive as an abstract document. Official legal texts, national competent authority guidance, CSIRT procedures and sector-specific instructions should be treated as primary sources.
A practical readiness plan should begin with scoping and ownership. Once the organisation knows which services and legal entities are affected, it can assign accountable management, define reporting lines and identify which existing controls already satisfy part of the requirement. Gaps then become easier to prioritise: incident reporting workflow, supplier security, vulnerability disclosure, continuity planning, evidence retention and management reporting often need more attention than another dashboard.
Operationally, NIS2 may increase demand for GRC specialists, incident coordinators and security leaders who can translate legal obligations into repeatable processes. In sectors such as energy, water, transport and healthcare, OT security input is also essential because disruption is rarely limited to corporate IT. A policy that works for office systems may be inadequate where safety, availability and legacy operational technology are involved.
Readynez provides an in-context option for teams that need structured implementation training through its NIS 2 Directive Lead Implementer course. The more important point is that training should be tied to a live compliance plan: participants should leave with clearer control ownership, reporting responsibilities and evidence requirements rather than only a general understanding of the Directive.
The key benefit of understanding NIS vs NIS2 is avoiding work that looks busy but misses the legal and operational risk. NIS2 expands the number of affected organisations, clarifies incident reporting deadlines, increases management responsibility and makes supply-chain resilience harder to ignore. It also requires organisations to think across borders, legal entities and service lines.
This content is informational and should not be treated as legal advice. The most reliable next step is to confirm scope against Directive (EU) 2022/2555, national implementing law and the relevant competent authority or CSIRT guidance. Organisations building broader security capability can also consider Readynez security training options and Unlimited Security Training as part of a wider skills plan. For questions about suitable training routes, readers can contact Readynez.
Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?