Directive (EU) 2022/2555 is better known as NIS2: the European Union law that sets cybersecurity obligations for many organisations providing important or essential services across the EU. It replaced the first NIS Directive by widening the sectors in scope, strengthening management accountability, clarifying incident reporting duties, and giving national authorities broader enforcement powers.
The primary legal source remains Directive (EU) 2022/2555 as published in the Official Journal of the European Union, with ENISA guidance providing useful interpretation for implementation. National law still matters because each Member State transposes the directive into its own legal framework, so organisations should treat EU-level requirements as the baseline and then verify local thresholds, registration duties, reporting portals, and supervisory procedures. Current as of 2026, many compliance programmes are moving from interpretation into operating evidence: policies, risk registers, incident records, supplier assurance, and board-level oversight.
NIS1 focused on operators of essential services and a narrower group of digital service providers. NIS2 keeps the goal of improving cyber resilience across the internal market, but it applies to a broader set of sectors and uses a more structured distinction between essential entities and important entities.
The most practical change is that NIS2 is less dependent on each country identifying individual operators one by one. In many cases, an organisation is in scope by default if it operates in a listed sector and meets the size-cap rule. That shifts the burden toward organisations to assess their own status, document the reasoning, and be ready to explain it to customers, regulators, auditors, and insurers.
NIS2 also makes governance more explicit. Management bodies are expected to approve cybersecurity risk-management measures, oversee implementation, and receive training so they can understand the risks being accepted on behalf of the organisation. This is a significant change for organisations where cybersecurity has historically been treated as a technical function rather than a board-level risk discipline.
The scope assessment starts with the directive’s sector annexes. Annex I covers sectors of high criticality, including energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, and space. Annex II covers other critical sectors, including postal and courier services, waste management, chemicals, food, certain manufacturing activities, digital providers, and research organisations.
The next step is the size-cap rule. Medium and large entities operating in those listed sectors are generally in scope by default, while certain micro and small entities can still be included where the directive or national law treats their services as particularly important. Examples can include some providers connected to electronic communications, domain name systems, trust services, or other functions where a small operator may still create systemic risk.
A practical decision framework is to identify the services being provided, map those services to Annex I or Annex II, apply the size-cap rule, check Member State add-ons or derogations, and then determine the supervisory regime and immediate compliance steps. This approach reflects Article 2 and Annexes I and II of Directive (EU) 2022/2555 and avoids a common mistake: assessing scope only by company size while ignoring the nature of the service.
Essential entities and important entities are both subject to cybersecurity and reporting obligations, but they are supervised differently. Essential entities generally face more proactive supervision, including the possibility of audits, inspections, and requests for evidence before a major incident occurs. Important entities are more commonly supervised after evidence of non-compliance or following an incident, although national authorities retain meaningful enforcement powers over both categories.
Article 21 is the operational centre of NIS2 compliance. It requires appropriate and proportionate technical, operational, and organisational measures to manage risks to network and information systems and to minimise the impact of incidents on service recipients and connected services.
In practice, this means the organisation needs a functioning cybersecurity management system rather than isolated documents. Policies should connect to risk assessment, asset visibility, access control, vulnerability handling, incident response, backup and recovery, business continuity, encryption or cryptography where appropriate, secure development or acquisition practices, and regular testing. Evidence matters because regulators and customers will usually want to see how controls work, not just whether a policy exists.
Supply-chain security deserves particular attention. NIS2 expressly brings supplier and service-provider dependencies into the risk conversation, which is important for organisations relying on managed service providers, cloud platforms, software vendors, outsourced SOCs, and critical maintenance partners. A weak supplier assurance process can become a compliance gap even where internal security controls appear mature.
Many organisations use ISO/IEC 27001, NIST CSF, CIS Controls, or sector-specific regulations to structure the control environment. Those frameworks do not automatically equal NIS2 compliance, but they can make the work easier by giving security teams a familiar way to organise policies, risks, controls, evidence, and continual improvement. Where an organisation is building an implementation plan, structured training such as the NIS2 Directive Lead Implementer course can help translate the directive into governance, risk, and control activities without treating the course itself as a substitute for legal or regulatory work.
NIS2 requires reporting of significant incidents, meaning incidents that cause or are capable of causing substantial operational disruption, financial loss, or material or non-material damage to natural or legal persons. This is not the same as GDPR personal data breach reporting, although the same incident may trigger obligations under both regimes. Security, legal, privacy, communications, and service-owner teams therefore need a shared triage process rather than separate reporting tracks that only meet at the end.
The reporting workflow under Article 23 is staged. The purpose is to give authorities early visibility without forcing organisations to provide complete root-cause analysis before the facts are known. A reusable playbook should define who can declare a potentially significant incident, who contacts the competent authority or CSIRT, who approves submissions, and how evidence is preserved while technical containment continues.
| Stage | Timing | What the submission should cover |
|---|---|---|
| Early warning | Within 24 hours of becoming aware of a significant incident | Basic facts, suspected malicious or unlawful cause, possible cross-border impact, and whether assistance may be needed. |
| Incident notification | Within 72 hours of becoming aware | Updated assessment of severity and impact, affected services, indicators of compromise where available, and initial mitigation steps. |
| Final report | Within one month of the incident notification | Root cause where known, full impact assessment, remediation actions, lessons learned, and measures to reduce recurrence. |
The practical challenge is that the first report may be due while the incident is still uncertain. Organisations should therefore pre-agree severity criteria, maintain current contact details, prepare templates, and rehearse escalation with legal and operational teams. Member States may specify portals, formats, language requirements, and additional steps, so the local CSIRT or competent authority process should be built into the playbook before an incident occurs.
NIS2 makes cybersecurity oversight a management responsibility. Management bodies must approve the cybersecurity risk-management measures used by the organisation and oversee their implementation. They can also be held accountable where failures occur, depending on the national implementing law and the facts of the case.
This does not mean every board member needs to become a security engineer. It does mean management should understand the organisation’s critical services, material cyber risks, major dependencies, incident readiness, investment decisions, and unresolved control weaknesses. Training is part of that duty because directors and senior leaders cannot meaningfully approve a risk posture they do not understand.
One common implementation mistake is to present NIS2 as a one-off compliance project ending with a policy pack. A more defensible approach is to build a governance cycle: regular risk review, control testing, supplier assurance, incident exercises, management reporting, and documented decisions about accepted risk. That cycle is what turns regulatory text into operational resilience.
NIS2 gives national authorities stronger enforcement tools than NIS1. These may include information requests, security audits, binding instructions, orders to remedy deficiencies, administrative fines, and measures affecting management responsibility. The exact process and authority structure depend on the Member State’s implementing law.
The directive distinguishes between essential and important entities when setting the enforcement model. Essential entities are subject to more proactive supervision and face a higher penalty ceiling. Important entities can still face significant enforcement, especially after incidents, complaints, or evidence of non-compliance, but supervision is generally more reactive.
National variation is a real operational issue. A group operating in several EU Member States may need to register or report through more than one channel, align local legal interpretations, and maintain evidence that satisfies different authorities. Suppliers serving in-scope customers should also expect contract clauses requiring NIS2-related security commitments, incident notification support, audit cooperation, and resilience evidence.
A useful NIS2 programme begins with scope and ownership. The organisation should document why it is, or is not, an essential or important entity, identify the legal entity or entities affected, and assign accountability across security, risk, legal, procurement, operations, and executive management. Without that foundation, control work can drift into generic cybersecurity improvement without a clear regulatory target.
The next step is a gap assessment against Article 21 and Article 23. This should test whether risk management, incident response, business continuity, supplier assurance, access control, vulnerability management, backup, encryption, and governance reporting are operating in practice. Where existing ISO/IEC 27001, DORA, CER Directive, sector regulation, or customer assurance work already exists, teams should reuse evidence rather than create duplicate control sets.
Implementation should then prioritise the controls that reduce both operational risk and reporting risk. Incident classification, supplier dependency mapping, executive reporting, backup recoverability, privileged access, and crisis communications often reveal gaps quickly because they cut across multiple teams. In addition, evidence should be designed from the start: meeting minutes, risk decisions, test results, supplier reviews, incident exercises, and remediation tracking are often as important as the written policy.
NIS2 compliance is part of a wider resilience programme, not a separate legal exercise. The organisations that handle it most effectively tend to combine regulatory interpretation with practical security operations, supplier governance, incident readiness, and management oversight. That approach also makes it easier to respond when national authorities refine procedures or when customers ask for evidence of compliance.
Readynez provides security training options for teams building these capabilities, including related ISACA governance and security courses and Unlimited Security Training for organisations planning a broader upskilling path. To discuss which learning route fits an organisation’s current NIS2 responsibilities, contact the team.
NIS2 requires in-scope entities to manage cybersecurity risk, report significant incidents, maintain business continuity and crisis management capabilities, address supply-chain security, and ensure management oversight. The detail sits mainly in Directive (EU) 2022/2555 and the relevant Member State implementing law.
No. NIS2 generally applies to medium and large entities operating in the sectors listed in Annex I and Annex II, with some targeted inclusions for smaller entities where the service is especially important. Organisations should assess both the sector mapping and the national implementation rules before deciding they are out of scope.
Essential entities usually operate in sectors of high criticality and face more proactive supervision by authorities. Important entities are also subject to NIS2 duties, but supervision is generally more reactive, often following an incident or evidence of non-compliance.
For significant incidents, NIS2 uses a staged reporting model: an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month of the incident notification. Local authorities may specify the reporting portal, format, and additional procedural requirements.
ISO/IEC 27001 can help structure risk management, controls, governance, and evidence, but certification to ISO/IEC 27001 does not automatically prove NIS2 compliance. The organisation still needs to map its controls and reporting process to the directive and the relevant national implementing law.
Non-compliance can lead to regulatory action such as information requests, audits, binding instructions, remediation orders, administrative fines, and management-related measures. The exact consequences depend on whether the entity is essential or important and how the Member State has implemented the directive.
Get Unlimited access to ALL the LIVE Instructor-led Security courses you want - all for the price of less than one course.
You're viewing our global site from United States
Would you like to view the site in
English
with prices in
Dollar?