What is the NIS 2 Directive and why was it introduced?
The NIS 2 Directive (EU) 2022/2555 is the European Union's main cybersecurity law. It strengthens the resilience of critical infrastructure and essential services across all Member States, and it replaces the original NIS 1 Directive, which proved too limited in scope, enforcement, and consistency between countries. As a result, the NIS 2 Directive now sets a higher and more uniform baseline for cybersecurity across Europe.
In practice, three gaps in NIS 1 drove the update. First, cyberattacks increased in frequency and sophistication, particularly after the COVID-19 pandemic. Second, cyber resilience differed significantly between Member States and sectors. Third, large-scale incidents lacked a coordinated EU-wide response mechanism. Therefore, the new framework introduces stronger security obligations, mandatory reporting timelines, expanded sector coverage, and reinforced cooperation between national authorities.
Which entities fall under the NIS 2 Directive and how are they classified?
The NIS 2 Directive applies to all medium and large organizations operating in covered sectors. It uses a size-based threshold rather than the previous operator-by-operator designation model, and the old distinction between Operators of Essential Services (OES) and Digital Service Providers (DSPs) no longer exists. Instead, organizations fall into two categories based on their sector and societal importance.
In practice, the two categories work as follows:
- Essential Entities: sectors critical to society and the economy, including energy, transport, healthcare, water, and public administration. These entities face closer supervision, including possible audits and inspections
- Important Entities: other key economic sectors such as manufacturing, postal services, waste management, and digital service providers. Enforcement here is mainly reactive, following incidents or violations
What cybersecurity measures does the NIS 2 Directive require?
Organizations must implement appropriate and proportionate technical, operational, and organizational measures. Specifically, the framework uses an all-hazards approach, meaning protection against both cyber and physical risks. Moreover, authorities expect organizations to demonstrate effective operational security, not just documented policies.
In practice, minimum measures include:
- The ability to prevent, detect, and respond to incidents
- Business continuity and disaster recovery planning
- Supply chain and third-party risk management
- A formal vulnerability handling and disclosure process
- Strong authentication mechanisms, including multi-factor authentication (MFA)
How quickly must you report a cybersecurity incident under NIS 2?
The NIS 2 Directive introduces three legally binding reporting timelines. Reporting is mandatory even when the technical root cause is not yet fully known, and late or incomplete notifications can result in penalties. As a result, organizations need incident response plans that include pre-built notification workflows before any incident occurs.
In practice, the three deadlines are:
- Early Warning (within 24 hours): alert authorities as soon as a significant incident is detected, including whether it may be malicious or cross-border
- Incident Notification (within 72 hours): submit an initial assessment covering severity, likely cause, and potential consequences
- Final Report (within 1 month): provide a complete incident report including lessons learned and corrective actions taken
What penalties apply for non-compliance with NIS 2?
The NIS 2 Directive introduces harmonized financial penalties across the EU to ensure cybersecurity becomes a board-level responsibility. Fines scale with the category of the entity. In addition, personal liability for senior managers is explicitly included for serious failures in governance or oversight where risks were known and ignored.
In practice, financial penalties can reach:
- Essential Entities: up to €10 million or 2% of global annual turnover, whichever is higher
- Important Entities: up to €7 million or 1.4% of global annual turnover, whichever is higher
Furthermore, authorities may impose corrective orders and increased supervision in addition to financial penalties.
How does NIS 2 interact with DORA and the CER Directive?
NIS 2 forms part of an integrated European resilience framework. It works alongside two other major EU instruments that organizations in regulated sectors must understand in order to avoid duplication or gaps in their compliance programs.
In practice, two interaction rules apply:
- CER Directive: applies to physical security. Organizations classified as critical under CER automatically fall under NIS 2 for cybersecurity requirements, so the two frameworks work in parallel
- DORA Regulation: applies to the financial sector. Because DORA is a sector-specific law (lex specialis), its cybersecurity requirements replace NIS 2 for regulated financial institutions rather than adding to them