What is the NIS2 Directive, and why was it introduced?
The NIS2 Directive (EU) 2022/2555 is the European Union’s main cybersecurity law. Its purpose is to strengthen the resilience of critical infrastructure and essential services across all Member States.
It replaces and expands the original NIS Directive (NIS1), which was the first EU-wide cybersecurity framework but proved too limited in scope, enforcement, and consistency between countries.
NIS2 was introduced because cyber risk is no longer theoretical. Organizations across Europe faced daily threats while security maturity remained uneven under the previous framework:
Cyberattacks increased in frequency and sophistication, particularly after the COVID-19 pandemic.
Cyber resilience differed significantly between Member States and between sectors.
Large-scale incidents lacked a coordinated EU-wide response mechanism.
To address these weaknesses, NIS2 introduces stronger security obligations, mandatory reporting requirements, expanded sector coverage, and reinforced cooperation between national authorities.
The objective is clear: create a consistently high level of cybersecurity and operational resilience across the European Union.
Which entities fall under NIS2, and how are they classified?
NIS2 applies to a broader range of organizations than NIS1. It uses a size-based threshold: all medium and large organizations operating in covered sectors are included by law.
The previous distinction between operators of essential services (OES) and digital service providers (DSPs) no longer exists.
Instead, organizations fall into two regulatory categories:
Essential Entities include sectors critical to society and the economy, such as energy, transport, healthcare, water, and public administration.
Important Entities cover other key economic sectors, including manufacturing, postal services, waste management, and digital service providers.
Both groups must comply with NIS2 requirements. However, essential entities are subject to closer, proactive supervision, including possible audits and inspections, while supervision of important entities is mainly reactive (ex post), triggered by evidence of incidents or non-compliance.
If your organization is medium-sized or larger and operates in one of the regulated sectors, you are legally in scope even if you have not received formal notification.
What cybersecurity and risk management measures are required?
Organizations subject to NIS2 must implement appropriate and proportionate technical, operational and organizational measures based on an all-hazards approach, meaning protection against both cyber and physical risks.
These requirements are not theoretical. Authorities expect organizations to demonstrate effective operational security.
Minimum measures include:
The ability to prevent, detect and respond to incidents.
Business continuity and disaster recovery planning.
Supply chain and third-party risk management.
A formal vulnerability handling and disclosure process.
Use of strong authentication mechanisms such as multi-factor authentication.
The intent is not only to protect IT systems, but to integrate cybersecurity into daily operations, management decisions, and risk governance.
How quickly must you report a cybersecurity incident?
NIS2 introduces legally binding timelines for reporting significant incidents:
Early Warning (within 24 hours): Authorities must be alerted as soon as a significant incident is detected. The early warning must indicate whether the incident is suspected to be caused by malicious or unlawful acts and whether it could have a cross-border impact.
Incident Notification (within 72 hours): An initial assessment must be submitted covering severity, likely cause and potential consequences.
Final Report (within 1 month): A complete incident report must be provided, including lessons learned and corrective actions.
Reporting is mandatory even if the technical root cause is not fully known. Late or incomplete notifications may result in penalties.
What penalties apply for non-compliance?
NIS2 introduces harmonized sanctions across the European Union to ensure that cybersecurity becomes a board-level responsibility.
Financial penalties can reach:
Beyond fines, authorities may impose corrective orders and increased supervision.
Senior managers may also be held personally accountable for serious failures in governance or oversight, particularly where risks were known and ignored.
How does NIS2 interact with other EU laws like DORA and CER?
NIS2 forms part of an integrated European resilience framework.
The CER Directive applies to physical security. Organizations classified as critical under CER are automatically subject to NIS2 for cybersecurity requirements.
The DORA Regulation applies to the financial sector. Because it is a sector-specific law (lex specialis), its cybersecurity requirements replace NIS2 for regulated financial institutions.
Understanding these overlaps is essential to avoid non-compliance or duplicated effort.