NIS2 is the European Union's updated cybersecurity law, formally Directive (EU) 2022/2555. It repealed and replaced the original 2016 NIS Directive, widening the range of sectors and organisations covered, tightening security and incident-reporting obligations, and introducing direct accountability for senior management. Its core aim is a high common level of cybersecurity across the Union.

Because NIS2 is a directive, it is not directly binding on organisations. Each EU Member State had to transpose it into national law by 17 October 2024; the detailed rules that apply to any given entity are found in that country's implementing legislation, which can vary. Organisations should confirm their obligations against the national law of each Member State in which they operate.

What is NIS2 and what does it replace?

NIS2 (Directive (EU) 2022/2555) is the EU's framework for network and information security. It repeals the first NIS Directive ((EU) 2016/1148) and entered into force on 16 January 2023, with a transposition deadline of 17 October 2024.

Key changes from NIS1:

  • A much broader range of sectors and entities in scope.
  • A size-based scope rule, reducing the discretion Member States previously had to designate covered operators.
  • Harmonised security and incident-reporting requirements.
  • Explicit management-body accountability and stronger enforcement, including administrative fines.

Who does NIS2 apply to (essential vs important entities)?

NIS2 covers public and private organisations that provide services in the listed sectors and meet a size threshold. In-scope organisations are classified into two tiers:

  • Essential entities — generally large enterprises (250+ employees, or annual turnover above €50 million and balance sheet above €43 million) operating in Annex I sectors. They are subject to proactive (ex-ante) supervision.
  • Important entities — generally medium-sized enterprises (50+ employees, or turnover/balance sheet above €10 million) in Annex I or Annex II sectors, and large entities in Annex II sectors. They are subject to reactive (ex-post) supervision.

Size thresholds reference the EU SME definition in Recommendation 2003/361/EC. Certain entities are in scope regardless of size — for example, providers of public electronic communications networks/services, trust service providers, top-level domain name registries and DNS service providers, and some public administration and sole-provider cases. Member States may also designate additional entities.

Which sectors are in scope?

NIS2 lists sectors in two annexes:

Annex I — sectors of high criticality:

  • Energy; transport; banking; financial market infrastructures; health; drinking water; waste water; digital infrastructure; ICT service management (B2B); public administration; space.

Annex II — other critical sectors:

  • Postal and courier services; waste management; manufacture, production and distribution of chemicals; production, processing and distribution of food; manufacturing (e.g. medical devices, computer/electronic/optical products, electrical equipment, machinery, motor vehicles and other transport equipment); digital providers (online marketplaces, search engines, social networking platforms); research organisations.

Annex I entities are more likely to be classified as essential; Annex II entities are generally important.

What are the cybersecurity and governance obligations?

In-scope entities must take appropriate and proportionate technical, operational and organisational measures to manage risks to their network and information systems (Article 21). The directive sets a baseline of measures including:

  • Risk analysis and information system security policies.
  • Incident handling.
  • Business continuity and crisis management (e.g. backups, disaster recovery).
  • Supply-chain security.
  • Security in acquisition, development and maintenance of systems, including vulnerability handling and disclosure.
  • Policies to assess the effectiveness of measures.
  • Basic cyber hygiene and security training.
  • Cryptography and encryption.
  • Human resources security, access control, and asset management.
  • Use of multi-factor authentication and secured communications where appropriate.

Entities must also register with the relevant national authority; national registration deadlines vary.

What are the incident-reporting timelines?

For a significant incident, NIS2 (Article 23) sets a staged reporting process to the relevant CSIRT or competent authority:

  • Early warning — within 24 hours of becoming aware of the incident (e.g. whether it may be caused by unlawful/malicious acts or could have cross-border impact).
  • Incident notification — within 72 hours, with an initial assessment including severity, impact and any indicators of compromise.
  • Intermediate report — on request by the authority, providing status updates.
  • Final report — within one month of the incident notification, covering a detailed description, root cause, mitigation, and any cross-border impact.

An incident is significant if it has caused or is capable of causing severe operational disruption of services or financial loss, or has affected or is capable of affecting other persons by causing considerable material or non-material damage. Trust service providers face shorter, sector-specific notification timelines.

Are managers personally liable, and what are the penalties?

Yes. Management bodies must approve and oversee the entity's cybersecurity risk-management measures and can be held liable for infringements (Article 20). Members of management bodies are also required to follow cybersecurity training.

Enforcement and fines (Articles 32–34):

  • Essential entities: administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: up to €7 million or 1.4% of total worldwide annual turnover, whichever is higher.

For essential entities, authorities may, in cases of persistent non-compliance, temporarily suspend authorisations or seek a temporary ban on management responsibilities for individuals at C-level. Exact penalty levels and procedures are set by each Member State's transposing law.

What is the timeline and implementation status?

  • 16 January 2023 — NIS2 entered into force.
  • 17 October 2024 — deadline for Member States to transpose NIS2 into national law.
  • 17 April 2025 — Member States were to establish their first list of essential and important entities (with periodic review thereafter).

Many Member States missed the transposition deadline. In November 2024 the European Commission opened infringement proceedings against numerous Member States for failing to fully transpose NIS2 on time. As a result, national rules have come into effect on different dates, and organisations must check the status and content of the law in each relevant country.

Frequently asked questions

Is NIS2 a regulation or a directive?

NIS2 is a directive (Directive (EU) 2022/2555). Unlike a regulation, it is not directly applicable; each EU Member State must transpose it into national law, and the specific rules can differ by country. The transposition deadline was 17 October 2024.

When did NIS2 take effect?

NIS2 entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose it into national law. Actual application depends on each country's implementing legislation, several of which were delayed past the deadline.

How is my organisation classified as essential or important?

Classification depends on (1) the sector you operate in — Annex I (high criticality) or Annex II (other critical) — and (2) your size. Broadly, large entities in Annex I sectors are essential, while medium-sized entities and Annex II entities are important. Some entity types (e.g. DNS providers, trust service providers, electronic communications providers) are in scope regardless of size.

What are the incident-reporting deadlines under NIS2?

For a significant incident: an early warning within 24 hours, a fuller incident notification within 72 hours, an intermediate report on request, and a final report within one month of the notification. Trust service providers have shorter sector-specific deadlines.

Can senior managers be held personally liable under NIS2?

Yes. Management bodies must approve and supervise cybersecurity risk-management measures and can be held liable for breaches. For essential entities, authorities may, for persistent non-compliance, seek a temporary ban on individuals holding management responsibilities. Managers must also undertake cybersecurity training.

What fines can be imposed for non-compliance?

Essential entities can face administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. Important entities can face up to €7 million or 1.4% of total worldwide annual turnover. Final amounts and procedures are set by national law.

Official sources