NIS2 Directive at a Glance

Directive (EU) 2022/2555 — the Network and Information Security Directive. A binding EU directive that requires essential and important entities across 18 critical sectors to implement cybersecurity risk management measures, report significant incidents, and submit to supervisory oversight.

At a glance: 46 articles in total, 5 core pillars, 18 sectors in scope, application date 18 Oct 2024.

The Five Pillars

NIS2 is structured around five interconnected themes. These cover governance accountability, technical security measures, incident handling, supply chain resilience, and a two-tier enforcement regime.

Pillar 1: Governance & Accountability (Article 20)

Management bodies must approve cybersecurity measures, oversee implementation, undergo training, and can be held personally liable for non-compliance.

Pillar 2: Cybersecurity Risk Management (Article 21)

Ten mandatory cybersecurity measures covering risk analysis, incident handling, BCP, supply chain, encryption, MFA, and cyber hygiene training.

Pillar 3: Incident Reporting (Articles 23–24)

Three-stage incident reporting to CSIRTs: early warning within 24 hours, notification within 72 hours, final report within one month.

Pillar 4: Supply Chain Security (Articles 21(2)(d) & 22)

Entities must address cybersecurity risks in supplier relationships. Coordinated EU-level risk assessments of critical supply chains.

Pillar 5: Supervision & Enforcement (Articles 31–37)

Two-tier enforcement: proactive supervision for essential entities, reactive for important ones. Fines up to EUR 10M or 2% of global turnover.

Why Should a Security Engineer Care?

It Covers Nearly Every Sector

Unlike DORA's financial-sector focus, NIS2 spans 18 sectors: energy, transport, health, digital infrastructure, public administration, and more. If you operate critical infrastructure in the EU, you're likely in scope.

It Has Real Teeth

Fines up to EUR 10 million or 2% of global turnover for essential entities. Up to EUR 7 million or 1.4% for important entities. Management bodies can be personally liable and temporarily suspended.

Board-Level Accountability

NIS2 mandates management body responsibility. Board members must approve measures, undertake cybersecurity training, and can face personal consequences for non-compliance.

24-Hour Early Warning

The 24-hour early warning requirement is shorter than most existing obligations. Your SOC needs to identify, classify, and notify a significant incident to the national CSIRT within one day.

NIS2 vs. Frameworks You Already Know

Aspect | NIS2 | DORA | ISO 27001 | NIST CSF
Type | EU Directive (transposed) | EU Regulation (binding) | Voluntary standard | Voluntary framework
Sector | 18 critical sectors | Financial services | Any | Any
Incident Reporting | 24h early warning, 72h notification | 4h initial, 72h intermediate | Internal process | Internal process
Supply Chain | Mandatory supply chain risk assessment | Detailed contractual & oversight rules | Annex A controls | Supply chain category
Pen Testing | Encouraged but not prescribed | Mandatory TLPT for significant entities | Recommended | Recommended
Board Accountability | Explicit personal liability & suspension | Explicit personal liability | Management commitment | Governance function

The Five Pillars — Deep Dive


Pillar 1: Governance & Accountability (Article 20)

NIS2 places cybersecurity responsibility squarely on the management body. Board members must approve risk-management measures, oversee their implementation, and undergo regular cybersecurity training. Failure to comply can result in personal liability and temporary suspension from management functions.

Key Governance Requirements


NIS2 Requirement | What It Means for You | Controls / Tools
Approve cybersecurity measures (Art. 20(1)) | Management body must formally approve risk-management measures adopted under Art. 21 | GRC platform, board reporting
Oversee implementation (Art. 20(1)) | Active oversight of cybersecurity implementation, not passive delegation | Risk dashboards, audit reports
Board cybersecurity training (Art. 20(2)) | Board members must undergo training; similar training offered to all employees | Training platform, LMS
Personal liability (Art. 20) | Board members can be held liable for infringements of Art. 21 obligations | Legal/compliance framework
Security Engineer Takeaway: Your CISO now has regulatory backing to demand board engagement. NIS2 Article 20 explicitly holds the management body responsible — not just "accountable" in a framework sense, but legally liable. Frame your cybersecurity budget and programme requests around this: the board must approve measures, and they must understand what they're approving through mandatory training. Prepare concise board-level dashboards showing risk posture, open findings, and compliance gaps.

Pillar 2: Cybersecurity Risk Management (Article 21)

The operational core of NIS2. Article 21 defines ten mandatory cybersecurity measures that all essential and important entities must implement. These are proportionate to the entity's size, risk exposure, and the potential societal/economic impact of incidents.

The 10 Mandatory Cybersecurity Measures


Measure | Description | Tools / Controls
(a) Risk analysis & IS policies | Policies on risk analysis and information system security | GRC platform, policy management
(b) Incident handling | Procedures for detecting, managing, and resolving incidents | SIEM, SOAR, IR playbooks
(c) Business continuity & crisis mgmt | BCP, backup management, disaster recovery, crisis management | BCP/DR tools, backup solutions
(d) Supply chain security | Assess supplier/provider security including during procurement | TPRM platforms, vendor assessments
(e) Acquisition, development & maintenance | Security in network and IS lifecycle including vulnerability handling | SAST/DAST, SDLC tools, vuln scanning
(f) Effectiveness assessment | Policies to evaluate effectiveness of cybersecurity measures | Pen testing, audits, KPIs
(g) Cyber hygiene & training | Basic cyber hygiene practices and cybersecurity training | Awareness training, phishing simulations
(h) Cryptography & encryption | Policies and procedures for cryptographic controls | Key management, PKI, encryption tools
(i) HR security, access control, asset mgmt | Human resources security, access control, and asset management | IAM, PAM, CMDB
(j) MFA & continuous authentication | Multi-factor authentication, secured communications, emergency access | MFA providers, zero trust architecture
Security Engineer Takeaway: These 10 measures are the operational core of NIS2. If you have ISO 27001 Annex A controls in place, you have roughly 70–80% coverage. Key NIS2-specific additions: (1) explicit supply chain security requirements going beyond your own perimeter, (2) mandatory cyber hygiene training at all levels, and (3) the requirement to assess effectiveness — not just implement but prove your measures work. Start with a gap analysis mapping your existing controls to each of the 10 measures.

Pillar 3: Incident Reporting (Articles 23–24)

NIS2 establishes a three-stage incident reporting process for significant incidents. Entities must notify their national CSIRT or competent authority within strict timelines. The obligation also extends to informing affected service recipients.

Significant Incident Criteria (Art. 23(3))

An incident is "significant" if it meets either criterion:

Criterion | Description
Severe operational disruption or financial loss | Has caused or is capable of causing severe operational disruption of services or financial loss for the entity
Affected natural or legal persons | Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Reporting Timeline

  • T + 24 hours, Early Warning: Notify the CSIRT or competent authority without undue delay. Must indicate if the incident is suspected to be caused by unlawful or malicious acts, and whether it could have a cross-border impact.
  • T + 72 hours, Incident Notification: Update with initial assessment including severity and impact, and where applicable, indicators of compromise (IoCs).
  • T + 1 month, Final Report: Detailed description including severity and impact, type of threat or likely root cause, applied and ongoing mitigation measures, and cross-border impact where applicable.
Security Engineer Takeaway: The 24-hour early warning is strictly about notification that something happened — it does not require root cause analysis. However, you must state whether the incident is suspected to be malicious and whether it might have cross-border impact. Build a simple "early warning triage" checklist your SOC can complete in under 30 minutes: (1) Is this significant per Art. 23(3)? (2) Suspected malicious? (3) Potential cross-border? If yes to #1, file the early warning within 24 hours. Also note: voluntary reporting of near-misses and cyber threats is encouraged under Art. 30.

Pillar 4: Supply Chain Security (Articles 21(2)(d) & 22)

NIS2 takes a risk-based approach to supply chain security. Entities must assess cybersecurity risks in their supplier relationships and consider results of coordinated EU-level risk assessments. This goes beyond traditional vendor management to encompass the full supply chain.

Key Supply Chain Obligations

Supplier Risk Assessment (Art. 21(2)(d))

Applies to: All essential and important entities
  • Address cybersecurity risks in supplier and service provider relationships
  • Evaluate overall quality and resilience of supplier security practices
  • Assess vulnerabilities specific to each direct supplier
  • Consider results of coordinated security risk assessments (Art. 22)

Coordinated Risk Assessments (Art. 22)

Applies to: Cooperation Group / Member States
  • Cooperation Group may carry out coordinated security risk assessments of critical supply chains
  • Takes into account technical and non-technical risk factors
  • Results shared with NIS Cooperation Group and ENISA
  • Similar to the 5G Toolbox approach

Procurement Security (Art. 21(3))

Applies to: All essential and important entities
  • Take into account supplier-specific vulnerabilities during procurement
  • Assess cybersecurity practices of suppliers including secure development procedures
  • Integrate cybersecurity-related specifications into contractual arrangements

Supply Chain Incident Handling (Art. 23)

Applies to: All essential and important entities
  • Report significant incidents caused by supply chain compromise
  • Include supply chain context in incident notifications
  • Coordinate with affected suppliers on response
Security Engineer Takeaway: NIS2's supply chain requirements differ from DORA's detailed contractual approach — NIS2 focuses on risk-based assessment rather than prescriptive contract clauses. You still need to: (1) Inventory your critical suppliers and their security posture. (2) Include supply chain scenarios in your risk assessments. (3) Have contractual clauses for incident notification from suppliers. (4) Monitor results of EU-level coordinated supply chain risk assessments — if your supply chain appears in one, expect heightened scrutiny.

Pillar 5: Supervision & Enforcement (Articles 31–37)

NIS2 establishes a two-tier enforcement regime. Essential entities face proactive, ex-ante supervision. Important entities face reactive, ex-post enforcement triggered by evidence of non-compliance. Both face significant fines.

Supervisory Powers

Power | Essential Entities | Important Entities
Supervision type | Proactive (ex-ante) | Reactive (ex-post)
On-site inspections | Yes (Art. 32(2)(a)) | Yes, when triggered (Art. 33(2)(a))
Security audits | Regular and targeted (Art. 32(2)(b)) | Evidence-based (Art. 33(2)(b))
Security scans | Based on risk assessment (Art. 32(2)(c)) | When justified (Art. 33(2)(c))
Information requests | Yes (Art. 32(2)(d)) | Yes (Art. 33(2)(d))
Access to data/docs | Yes (Art. 32(2)(e)) | Yes (Art. 33(2)(e))

Enforcement: Essential vs Important

Aspect | Essential Entities | Important Entities
Maximum fine | EUR 10M or 2% of global turnover | EUR 7M or 1.4% of global turnover
Supervision model | Proactive, ex-ante | Reactive, ex-post (evidence triggered)
Management suspension | Yes (temporary ban on management functions) | Not applicable
Binding instructions | Yes | Yes (when non-compliance found)
Public naming | Yes (naming and shaming) | Yes
Compliance orders | Yes, with deadline | Yes, with deadline
Security Engineer Takeaway: The two-tier system matters for how you prioritize compliance. If your entity is classified as "essential," expect proactive audits, random inspections, and no grace period. Important entities face scrutiny only when evidence of non-compliance surfaces. Either way, the fines are substantial — especially the management suspension power for essential entities (Art. 32(5)(b)). For security teams: frame your compliance programme based on entity classification and focus resources accordingly.

Article Explorer

All 46 articles of NIS2, grouped by chapter, with details, obligations, and practical security notes for each.

Chapter I — General Provisions

Art. 1 Subject Matter [Standard]

Establishes measures aimed at achieving a high common level of cybersecurity across the Union.

Key Points

  • Obligations on Member States to adopt national cybersecurity strategies and designate competent authorities and CSIRTs
  • Cybersecurity risk-management and reporting obligations for essential and important entities
  • Rules on cybersecurity information sharing
  • Supervisory and enforcement obligations for Member States

Art. 2 Scope [Important]

Defines who is in scope. Applies a "size-cap" rule: entities that are medium-sized or larger in sectors listed in Annex I and II.

Key Points

  • Applies to entities that qualify as medium-sized enterprises or exceed medium-size thresholds in designated sectors
  • Some entities are in scope regardless of size: DNS providers, TLD registries, qualified trust service providers, public electronic communications providers
  • Member States may extend scope to smaller entities meeting specific criteria
  • Entities subject to sector-specific EU legislation with equivalent requirements (e.g., DORA) are exempt from overlapping NIS2 obligations
Security Engineer Takeaway: The "size-cap" approach means many more entities are in scope compared to NIS1. If your organisation has 50+ employees or EUR 10M+ turnover and operates in a designated sector, you're likely covered. Check Annex I and II to confirm your sector classification.

Art. 3 Essential and Important Entities [Important]

Defines the two-tier classification: essential entities and important entities. The classification determines the level of supervision and maximum penalties.

Essential Entities Include

  • Annex I entities exceeding the ceiling for medium-sized enterprises
  • Qualified trust service providers, TLD registries, DNS service providers (regardless of size)
  • Public electronic communications providers (medium+)
  • Public administration entities (central government)
  • Entities specifically designated by a Member State

Important Entities

  • Annex I or Annex II entities of medium size or above that are not classified as essential
Security Engineer Takeaway: Know your classification — it drives everything. Essential entities face proactive supervision and higher fines (EUR 10M/2% turnover). Important entities face reactive supervision and lower fines (EUR 7M/1.4%). If you're borderline, expect your national authority to clarify by April 2025.

Art. 4 Sector-Specific Union Legal Acts [Important]

The lex specialis clause. Where sector-specific EU legislation imposes equivalent or greater cybersecurity requirements, those provisions prevail over NIS2.

Key Points

  • DORA (Regulation 2022/2554) is explicitly recognised as lex specialis for financial entities
  • Entities covered by equivalent sector-specific acts are exempt from corresponding NIS2 obligations (Art. 21 and 23)
  • The entity remains subject to NIS2 for any areas not covered by the sector-specific act
  • Commission maintains and publishes a list of sector-specific acts
Security Engineer Takeaway: If you're a financial entity subject to DORA, you're generally exempt from NIS2's risk management and incident reporting obligations. However, always check your national transposition — some Member States may layer additional NIS2 requirements beyond what DORA covers.

Art. 5 Minimum Harmonisation [Standard]

NIS2 sets a floor, not a ceiling. Member States may adopt or maintain provisions ensuring a higher level of cybersecurity.

Art. 6 Definitions [Important]

Key definitions you'll reference constantly:

Critical Definitions

  • Network and information system: Electronic communications networks, devices/programs processing digital data, and data stored/processed/retrieved by those elements
  • Security of network and information systems: The ability to resist events that compromise availability, authenticity, integrity, or confidentiality of data or services
  • Cybersecurity: Activities necessary to protect network and information systems and their users from cyber threats
  • Significant incident: An incident with severe operational disruption or financial loss, or affecting persons with considerable damage
  • Cyber threat: Any potential circumstance, event, or action that could damage, disrupt, or otherwise adversely impact network and information systems
  • Near miss: An event that could have compromised security but was prevented or did not materialise
  • ICT product, service, process: Any element or group of elements of network and information systems
Security Engineer Takeaway: The "significant incident" definition is key — it triggers your reporting obligations. Unlike DORA's multi-factor classification, NIS2 uses two simple tests: severe operational/financial disruption OR considerable damage to persons. The "near miss" definition is new and supports voluntary reporting under Art. 30.

Chapter II — Coordinated Cybersecurity Frameworks

Art. 7 National Cybersecurity Strategy [Important]

Each Member State must adopt a national cybersecurity strategy addressing security of network and information systems.

Must Include

  • Objectives and priorities covering sectors referred to in Annexes I and II
  • Governance framework with clear roles and responsibilities
  • Policy on coordinated vulnerability disclosure
  • Policies promoting cybersecurity education, skills, and awareness
  • Policies supporting cybersecurity research and development
  • Supply chain security policies

Art. 8–10 Competent Authorities, Single Points of Contact, and CSIRTs [Standard]

Member States must designate competent authorities, single points of contact, and CSIRTs for NIS2 implementation.

Key Points

  • At least one competent authority responsible for cybersecurity and supervision under NIS2
  • A single point of contact for cross-border cooperation
  • One or more CSIRTs covering all sectors in scope
  • CSIRTs must have adequate resources, technical capabilities, and staff

Art. 11–12 CSIRT Requirements and Coordinated Vulnerability Disclosure [Standard]

CSIRT Tasks

  • Monitor and analyse cyber threats, vulnerabilities, and incidents at national level
  • Provide early warnings, alerts, announcements, and dissemination of information
  • Respond to incidents and provide assistance
  • Collect and analyse forensic data
  • Provide dynamic risk and incident analysis

Coordinated Vulnerability Disclosure

  • Member States must designate a CSIRT as coordinator for vulnerability disclosure
  • ENISA develops and maintains a European vulnerability database
  • Researchers can report vulnerabilities to the designated coordinator

Art. 13 NIS Cooperation Group [Important]

A strategic cooperation group composed of Member State representatives, the Commission, and ENISA.

Tasks

  • Provide strategic guidance on NIS2 implementation
  • Exchange best practices on cybersecurity risk management and incident reporting
  • Discuss capabilities and preparedness of Member States
  • Carry out coordinated security risk assessments of critical supply chains (Art. 22)
  • Conduct peer reviews of Member State cybersecurity policies (Art. 19)

Chapter III — Cooperation

Art. 14–15 CSIRTs Network and EU-CyCLONe [Standard]

CSIRTs Network

  • Network of national CSIRTs and CERT-EU for operational cooperation
  • Exchange information on incidents, cyber threats, and vulnerabilities
  • Coordinate response to cross-border incidents

EU-CyCLONe (Cyber Crisis Liaison Organisation Network)

  • Supports coordinated management of large-scale cybersecurity incidents and crises at EU level
  • Ensures regular exchange of information between Member States and EU institutions
  • Assesses consequences and impact of large-scale incidents
  • Coordinates crisis management at political level when needed

Art. 16–19 Reporting, ENISA Role, Peer Reviews, and Mutual Assistance [Standard]

Key Points

  • ENISA produces biennial report on the state of cybersecurity in the EU
  • Peer review system for Member States' cybersecurity policies and capabilities
  • Framework for mutual assistance between competent authorities
  • ENISA supports the Cooperation Group, CSIRTs Network, and EU-CyCLONe

Chapter IV — Cybersecurity Risk-Management Measures and Reporting Obligations

Art. 20 Governance [Critical]

The management body (board, executive committee) bears direct responsibility for cybersecurity. This is personal and non-delegable.

Management Body Obligations and Liability

  • Must approve the cybersecurity risk-management measures taken by the entity under Art. 21
  • Must oversee the implementation of those measures
  • Can be held liable for infringements of Article 21
  • Members must follow cybersecurity training to gain sufficient knowledge and skills
  • Shall encourage the offering of similar training to employees on a regular basis
Security Engineer Takeaway: This is your biggest lever. Board members are personally liable and can be suspended (essential entities). When you need budget or priority, frame it as: "The management body is legally accountable under NIS2 Art. 20 and must demonstrate active oversight." Prepare board-level reporting that shows risk posture, compliance status, and training completion records.

Art. 21 Cybersecurity Risk-Management Measures [Critical]

The operational core. Ten mandatory cybersecurity measures that all essential and important entities must implement, based on an all-hazards approach.

The 10 Measures

  • (a) Policies on risk analysis and information system security
  • (b) Incident handling
  • (c) Business continuity, backup management, disaster recovery, and crisis management
  • (d) Supply chain security, including security-related aspects of relationships with direct suppliers and service providers
  • (e) Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
  • (f) Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  • (g) Basic cyber hygiene practices and cybersecurity training
  • (h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • (i) Human resources security, access control policies, and asset management
  • (j) Use of multi-factor authentication or continuous authentication solutions, secured voice/video/text communications, and secured emergency communication systems
Security Engineer Takeaway: Map your existing security controls to these 10 measures. If you have ISO 27001, ~70–80% is covered. Key additions: explicit supply chain assessment (d), mandatory effectiveness testing (f), cyber hygiene training for all staff (g), and MFA/secured comms (j). ENISA will publish technical guidance mapping these to recognized standards — use it for your gap analysis.

Art. 22 Coordinated Security Risk Assessments of Critical Supply Chains [Important]

The Cooperation Group, in cooperation with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical ICT supply chains.

Key Points

  • Risk assessments consider technical and non-technical risk factors
  • Takes into account the 5G Toolbox experience
  • Cooperation Group identifies specific supply chains to assess
  • Results shared with competent authorities and may inform supervision

Art. 23 Reporting Obligations for Significant Incidents [Critical]

Three-stage mandatory reporting for significant incidents. Entities must also notify service recipients without undue delay when the incident is likely to adversely affect their services.

Reporting Stages

  • Early warning (24h): Indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
  • Incident notification (72h): Update with initial assessment of severity and impact, and where applicable, indicators of compromise
  • Final report (1 month): Detailed description including severity, threat type or root cause, mitigation measures, and cross-border impact
  • Intermediate report: May be requested by CSIRT or competent authority at any time during ongoing incidents
Security Engineer Takeaway: Build three templates (early warning, notification, final report) and test them during tabletop exercises. The 24-hour early warning is simpler than a full notification — you just need to flag malicious/non-malicious and cross-border/local. Automate what you can: tie your SIEM's severity classification to NIS2 significance criteria so the clock starts as soon as the incident qualifies.
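The early-warning triage checklist from the Pillar 3 takeaway and the three reporting stages of Art. 23 above, written out as a small Python module a SOC could drop into its case tooling. This is an added example, not code from the page or from any regulator: the Incident record, its field names and the two sample incidents are constructed, and "one month" for the final report is approximated as 30 days.

```python
"""Art. 23 significance check, early-warning triage and stage deadlines (constructed example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                            # when the entity became aware; this starts the clock
    severe_disruption: bool                       # Art. 23(3)(a): severe operational disruption or financial loss
    considerable_damage_to_persons: bool          # Art. 23(3)(b): considerable damage to other natural/legal persons
    suspected_malicious: Optional[bool] = None    # early-warning field; None means not yet assessed
    possible_cross_border: Optional[bool] = None  # early-warning field; None means not yet assessed


# Stage deadlines counted from awareness, following the page's timeline (T + 24h, T + 72h, T + 1 month).
# "One month" is taken as 30 days here; that is an assumption of this example.
STAGES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


def is_significant(inc: Incident) -> bool:
    """Art. 23(3): meeting either criterion makes the incident significant."""
    return inc.severe_disruption or inc.considerable_damage_to_persons


def reporting_deadlines(inc: Incident) -> dict:
    """Absolute deadline for each reporting stage."""
    return {name: inc.aware_at + delta for name, delta in STAGES.items()}


def early_warning_triage(inc: Incident) -> dict:
    """The three-question checklist: significant? suspected malicious? possible cross-border?"""
    if not is_significant(inc):
        return {"must_file": False, "criteria_met": [], "missing": [], "ready_to_file": False}
    criteria = []
    if inc.severe_disruption:
        criteria.append("23(3)(a) severe disruption or financial loss")
    if inc.considerable_damage_to_persons:
        criteria.append("23(3)(b) considerable damage to persons")
    # Both early-warning fields must be answered (True or False) before the warning can be filed.
    missing = [f for f in ("suspected_malicious", "possible_cross_border") if getattr(inc, f) is None]
    return {
        "must_file": True,
        "criteria_met": criteria,
        "missing": missing,
        "ready_to_file": not missing,
        "deadline": reporting_deadlines(inc)["early_warning"],
    }


def hours_remaining(inc: Incident, now: datetime) -> dict:
    """Hours left per stage at `now`; a negative value means that stage is overdue."""
    return {name: round((deadline - now).total_seconds() / 3600, 1)
            for name, deadline in reporting_deadlines(inc).items()}


# Constructed sample incidents, not real events.
RANSOMWARE = Incident("INC-0001", datetime(2024, 11, 1, 10, 0, tzinfo=timezone.utc),
                      severe_disruption=True, considerable_damage_to_persons=False,
                      suspected_malicious=True, possible_cross_border=None)
MINOR_OUTAGE = Incident("INC-0002", datetime(2024, 11, 1, 12, 0, tzinfo=timezone.utc),
                        severe_disruption=False, considerable_damage_to_persons=False)


if __name__ == "__main__":
    check_time = datetime(2024, 11, 2, 0, 0, tzinfo=timezone.utc)
    for inc in (RANSOMWARE, MINOR_OUTAGE):
        print(inc.incident_id, early_warning_triage(inc))
        print(inc.incident_id, hours_remaining(inc, check_time))
```

The point of `missing` is that the early warning can be filed only once both mandatory questions have an answer, even if that answer is "no"; a case that is significant but still has an unanswered field shows up as not ready, so the 24-hour countdown stays visible in the queue rather than being silently closed.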

Art. 24 Use of European Cybersecurity Certification Schemes [Important]

Member States may require essential and important entities to use certified ICT products, services, and processes under European cybersecurity certification schemes.

Key Points

  • Member States may require use of certified products/services for compliance with Art. 21
  • Promotes EU-wide harmonised certification (Cybersecurity Act framework)
  • Commission may adopt delegated acts specifying which entities must use certified products

Art. 25 Standardisation [Standard]

Member States shall promote the use of European and international standards and technical specifications relevant to cybersecurity risk management without imposing or favouring specific technology.

Chapter V — Jurisdiction and Registration

Art. 26 Jurisdiction [Important]

Entities are considered under the jurisdiction of the Member State in which they are established.

Key Points

  • DNS providers, TLD registries, cloud services, data centres, CDNs, managed service providers, online marketplaces, search engines, and social networks: jurisdiction where main establishment is located
  • If not established in the EU but offers services: must designate a representative in the EU
  • Public administration entities: jurisdiction of the Member State that established them

Art. 27–28 Register of Entities and Database of Domain Name Registration Data [Standard]

Entity Registration

  • ENISA creates and maintains a registry of DNS providers, TLD registries, cloud computing, data centres, CDNs, managed services, online marketplaces, search engines, and social networks
  • Member States notify ENISA of entities and their relevant information

Domain Name Registration Database

  • TLD registries and DNS registrars must maintain accurate domain name registration data (WHOIS/RDAP)
  • Must verify accuracy of registration data
  • Legitimate access seekers must receive responses within 72 hours

Chapter VI — Information Sharing

Art. 29 Cybersecurity Information-Sharing Arrangements [Important]

Entities may share cybersecurity information including cyber threat intelligence, indicators of compromise, and vulnerabilities within trusted communities.

Key Points

  • Entities may exchange cyber threat information on a voluntary basis
  • Including indicators of compromise (IoCs), TTPs, security alerts, and configuration tools
  • Must protect personal data and business secrets, and must comply with competition law
  • Competent authorities may facilitate information sharing arrangements
  • Member States must support the establishment of information sharing arrangements
Security Engineer Takeaway: NIS2 gives you regulatory backing to participate in ISACs and threat intel sharing communities. Set up STIX/TAXII-compatible feeds, use TLP markings when sharing, and document your participation. Competent authorities are required to facilitate these arrangements — leverage this when advocating for budget.
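What "STIX/TAXII-compatible feeds with TLP markings" looks like in practice, as an added example that is not from the page or from any particular sharing community: a STIX 2.1 indicator is built with a TLP marking, the marking is read back from the object, and an object is refused release to a feed whose TLP ceiling is below the object's marking. Only the Python standard library is used (no `stix2` package); the indicator names and patterns are constructed, and the four marking-definition IDs are the ones fixed in the STIX 2.1 specification for TLP.

```python
"""STIX 2.1 indicators with TLP markings and a release check before sharing (constructed example)."""
import json
import uuid
from datetime import datetime, timezone
from typing import List, Optional

# TLP marking-definition identifiers fixed by the STIX 2.1 specification.
TLP_MARKINGS = {
    "TLP:WHITE": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
    "TLP:GREEN": "marking-definition--34098fce-860f-48ae-8e50-ebd3cc5e41da",
    "TLP:AMBER": "marking-definition--f88d31f6-486f-44da-b317-01333bde0b82",
    "TLP:RED": "marking-definition--5e57c739-391a-4eb3-b6be-7d15ca92d5ed",
}
# Higher rank means more restrictive sharing.
TLP_RANK = {"TLP:WHITE": 0, "TLP:GREEN": 1, "TLP:AMBER": 2, "TLP:RED": 3}
REF_TO_LABEL = {ref: label for label, ref in TLP_MARKINGS.items()}


def _timestamp() -> str:
    """STIX 2.1 timestamp format (UTC, millisecond precision)."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_indicator(name: str, pattern: str, tlp: Optional[str]) -> dict:
    """Build a STIX 2.1 Indicator; tlp=None deliberately leaves it unmarked."""
    ts = _timestamp()
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "pattern": pattern,
        "pattern_type": "stix",
        "valid_from": ts,
    }
    if tlp is not None:
        obj["object_marking_refs"] = [TLP_MARKINGS[tlp]]
    return obj


def tlp_of(obj: dict) -> Optional[str]:
    """Return the object's TLP label, or None when it carries no TLP marking."""
    for ref in obj.get("object_marking_refs", []):
        if ref in REF_TO_LABEL:
            return REF_TO_LABEL[ref]
    return None


def releasable_to(obj: dict, feed_ceiling: str) -> bool:
    """True if the object's TLP is at or below the feed's ceiling.
    Unmarked objects fail closed: no marking, no release."""
    label = tlp_of(obj)
    return label is not None and TLP_RANK[label] <= TLP_RANK[feed_ceiling]


def build_bundle(objects: List[dict], feed_ceiling: str) -> dict:
    """Keep only releasable objects and wrap them in a STIX 2.1 bundle."""
    kept = [o for o in objects if releasable_to(o, feed_ceiling)]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": kept}


def sample_objects() -> List[dict]:
    """Constructed indicators using reserved example names and addresses, not real IoCs."""
    return [
        make_indicator("Constructed C2 domain", "[domain-name:value = 'c2.example']", "TLP:GREEN"),
        make_indicator("Constructed phishing sender", "[email-addr:value = 'billing@invoice.example']", "TLP:RED"),
        make_indicator("Unmarked (must not be shared)", "[ipv4-addr:value = '192.0.2.10']", None),
    ]


if __name__ == "__main__":
    # Publishing to a community feed with a TLP:AMBER ceiling: GREEN passes, RED and unmarked are dropped.
    print(json.dumps(build_bundle(sample_objects(), "TLP:AMBER"), indent=2))
```

The fail-closed rule in `releasable_to` is the part worth keeping when you wire this into a TAXII client: an analyst who forgets to mark an object should get nothing published rather than an accidental TLP:WHITE release.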

Art. 30 Voluntary Notification [Important]

Entities may notify voluntarily about significant incidents, cyber threats, and near misses, beyond mandatory reporting.

Key Points

  • Essential and important entities may voluntarily notify CSIRTs or competent authorities of near misses
  • Any entity (whether in scope or not) may notify cyber threats and near misses
  • Voluntary notifications are processed with the same procedures as mandatory ones
  • Mandatory notifications take priority over voluntary ones in terms of processing resources

Chapter VII — Supervision and Enforcement

Art. 31–32 Supervision of Essential Entities [Critical]

Essential entities face proactive, ex-ante supervision. Competent authorities have extensive powers including on-site inspections and targeted security audits at any time.

Supervisory Measures for Essential Entities

  • On-site inspections and off-site supervision
  • Regular and ad hoc targeted security audits by an independent body or competent authority
  • Security scans based on objective, non-discriminatory criteria
  • Requests for information, including documented cybersecurity policies
  • Requests for evidence of implementation of cybersecurity measures

Enforcement Actions

  • Issue warnings about non-compliance
  • Adopt binding instructions with implementation deadlines
  • Order the entity to remedy deficiencies or comply with requirements
  • Order entities to inform persons affected by a significant incident
  • Designate a monitoring officer for a specific period
  • Temporarily prohibit management body members from exercising management functions
Security Engineer Takeaway: If you're an essential entity, expect proactive supervision — audits and inspections can happen without being triggered by an incident. Keep your documentation audit-ready at all times: policies, risk assessments, asset inventories, incident logs, and training records. The management suspension power (Art. 32(5)(b)) is the nuclear option that gives security teams unprecedented leverage with the board.

Art. 33 Supervision of Important Entities [Critical]

Important entities face reactive, ex-post supervision triggered by evidence of non-compliance (e.g., from incident reports, audit findings, or complaints).

Supervisory Measures (When Triggered)

  • On-site inspections and off-site supervision
  • Targeted security audits by an independent body or competent authority
  • Security scans based on objective criteria
  • Requests for information, including cybersecurity policies and evidence of implementation

Enforcement Actions

  • Issue warnings and binding instructions
  • Order the entity to remedy deficiencies
  • Order entities to notify affected persons
  • No management body suspension power for important entities

Art. 34 General Conditions for Administrative Fines [Critical]

Establishes the framework for administrative fines, including maximum amounts and criteria for determining fine levels.

Maximum Fines

  • Essential entities: EUR 10,000,000 or 2% of total worldwide annual turnover (whichever is higher)
  • Important entities: EUR 7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher)

Criteria for Determining Fines

  • Gravity and duration of the infringement
  • Previous infringements by the entity
  • Material or non-material damage caused
  • Intentional or negligent character of the infringement
  • Measures taken to prevent or mitigate damage
  • Degree of cooperation with competent authorities

Security Engineer Takeaway: The fine criteria reward proactive compliance. "Measures taken to prevent or mitigate" and "degree of cooperation" mean that having a mature security programme and cooperating during investigations can significantly reduce fines. Document everything — your efforts at compliance are a defence even if an incident occurs.

Art. 35–37 Infringements, Penalties, and Mutual Assistance [Important]

Key Points

  • When a personal data breach occurs within a significant incident, NIS2 competent authorities cooperate with GDPR supervisory authorities
  • Member States lay down rules on penalties applicable to NIS2 infringements
  • Penalties must be effective, proportionate, and dissuasive
  • Mutual assistance between competent authorities for cross-border supervision

Chapter VIII–IX — Delegated Acts, Implementing Acts, and Final Provisions

Art. 38–39 Delegated and Implementing Acts [Standard]

The Commission is empowered to adopt delegated acts and implementing acts to specify technical and methodological requirements for various NIS2 provisions.

Key Points

  • Commission may specify technical/methodological requirements for Art. 21 measures
  • Commission may specify cases where a sector-specific incident is considered significant
  • ENISA provides technical guidance (non-binding) on implementing the 10 cybersecurity measures

Art. 40–46 Transposition, Amendments, Review, and Final Provisions [Standard]

Key Dates

  • NIS2 entered into force on 16 January 2023
  • Member States must transpose by 17 October 2024
  • Measures apply from 18 October 2024
  • NIS1 Directive (2016/1148) repealed from 18 October 2024
  • Commission review by 17 October 2027

Obligation Matrix

Key obligations grouped by who is responsible and what they need to do. Mapped to specific articles.

Management Body Obligations

Approve Cybersecurity Measures

Art. 20(1) • Management Body
  • Formally approve cybersecurity risk-management measures under Art. 21
  • Oversee implementation of those measures
  • Can be held liable for infringements

Undergo Cybersecurity Training

Art. 20(2) • Board Members
  • Members must follow training to gain sufficient knowledge and skills
  • Understand cybersecurity risks and their impact on operations
  • Encourage and offer similar training to employees regularly

Designate Responsibilities

Art. 20(1) • Management Body
  • Define roles and responsibilities for cybersecurity
  • Ensure adequate resources allocated
  • Appoint or designate a security responsible person

Risk Acceptance

Art. 20(1) • Management Body
  • Accept remaining cybersecurity risks after measures are implemented
  • Document risk acceptance decisions
  • Regularly review the risk posture

Security / ICT Team Obligations

Implement 10 Security Measures

Art. 21(2) • Security Team
  • Implement all 10 measures from Art. 21(2)(a)–(j)
  • Proportionate to entity size, risk exposure, and impact
  • Take into account EU and international standards

Incident Detection & Response

Art. 21(2)(b) + Art. 23 • SOC / IR Team
  • Incident handling procedures in place and tested
  • 24h early warning to CSIRT
  • 72h incident notification, 1-month final report

Business Continuity & DR

Art. 21(2)(c) • Security / IT Ops
  • Backup management and disaster recovery plans
  • Crisis management procedures
  • Ensure operations during and after incidents

Supply Chain Assessment

Art. 21(2)(d) • Security / Procurement
  • Assess supplier security practices and vulnerabilities
  • Include cybersecurity in procurement processes
  • Monitor results of EU coordinated risk assessments

Vulnerability Management

Art. 21(2)(e) • Security Team
  • Security in acquisition, development, and maintenance of systems
  • Vulnerability handling and disclosure procedures
  • Patch management

Access Control & Authentication

Art. 21(2)(i)–(j) • Security Team
  • HR security and access control policies
  • MFA and continuous authentication deployed
  • Asset management covering all critical systems

Encryption & Cryptography

Art. 21(2)(h) • Security Team
  • Policies on use of cryptography and encryption
  • Key management procedures

Training & Awareness

Art. 21(2)(g) • Security Team / All Staff
  • Basic cyber hygiene practices defined and communicated
  • Regular cybersecurity training programme
  • Security awareness for all employees

Reporting Obligations Summary

What | To Whom | When | Article
Significant incident — early warning | CSIRT or competent authority | Within 24 hours of becoming aware | Art. 23(4)(a)
Significant incident — notification | CSIRT or competent authority | Within 72 hours of becoming aware | Art. 23(4)(b)
Significant incident — final report | CSIRT or competent authority | Within 1 month of notification | Art. 23(4)(d)
Intermediate report (if ongoing) | CSIRT or competent authority | Upon request or status change | Art. 23(4)(c)
Customer notification (significant) | Affected service recipients | Without undue delay | Art. 23(1)
Voluntary near-miss notification | CSIRT or competent authority | Voluntary, without undue delay | Art. 30
Entity registration | Competent authority / ENISA | By 17 April 2025 | Art. 3(3)
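Added example (not from the original page): a small Python helper that turns the Art. 23(4) timeline above into concrete deadlines from the moment the entity becomes aware, with the final-report clock starting at the submitted notification rather than at awareness. The function names and the one-calendar-month reading of "1 month" are assumptions.

```python
"""Deadline schedule for NIS2 significant-incident reporting (Art. 23(4)).

Added example, not part of the original page. It encodes the timeline from the
reporting summary: early warning 24 h and notification 72 h after becoming aware,
final report one month after the notification is submitted. Helper names and the
one-calendar-month reading of "1 month" are assumptions.
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


def add_one_month(t: datetime) -> datetime:
    """Same clock time one calendar month later, clamped to the last day of the
    month when that day does not exist (31 Jan -> 28/29 Feb). Assumed reading."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month,
                     day=min(t.day, calendar.monthrange(year, month)[1]))


@dataclass(frozen=True)
class ReportingSchedule:
    early_warning: datetime         # Art. 23(4)(a): within 24 h of becoming aware
    notification: datetime          # Art. 23(4)(b): within 72 h of becoming aware
    final_report: datetime          # Art. 23(4)(d): within 1 month of the notification
    final_report_is_estimate: bool  # True until the notification has actually been sent


def reporting_schedule(aware_at: datetime,
                       notified_at: datetime | None = None) -> ReportingSchedule:
    """Hard deadlines counted from the moment the entity became aware.

    The final-report clock starts when the notification is actually submitted;
    until then the worst case (notification sent at the 72 h limit) is returned
    and flagged as an estimate.
    """
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; deadlines are wall-clock")
    notification_deadline = aware_at + timedelta(hours=72)
    basis = notified_at if notified_at is not None else notification_deadline
    return ReportingSchedule(
        early_warning=aware_at + timedelta(hours=24),
        notification=notification_deadline,
        final_report=add_one_month(basis),
        final_report_is_estimate=notified_at is None,
    )


def overdue(schedule: ReportingSchedule, now: datetime) -> list[str]:
    """Art. 23(4) deliverables whose deadline has already passed at `now`."""
    checks = (("early_warning", schedule.early_warning),
              ("notification", schedule.notification),
              ("final_report", schedule.final_report))
    return [name for name, deadline in checks if now > deadline]


# Constructed scenario: the SOC confirms a significant incident on 31 Jan 2025 at
# 09:00 UTC and submits the 72 h notification the same day at 20:00 UTC.
EXAMPLE_AWARE = datetime(2025, 1, 31, 9, 0, tzinfo=timezone.utc)
EXAMPLE_NOTIFIED = datetime(2025, 1, 31, 20, 0, tzinfo=timezone.utc)
EXAMPLE_NOW = datetime(2025, 2, 2, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    plan = reporting_schedule(EXAMPLE_AWARE, EXAMPLE_NOTIFIED)
    print("early warning due", plan.early_warning.isoformat())
    print("notification due ", plan.notification.isoformat())
    print("final report due ", plan.final_report.isoformat())
    print("overdue at", EXAMPLE_NOW.isoformat(), "->", overdue(plan, EXAMPLE_NOW))
```

Feeding the schedule into the SOC ticketing or paging system gives the on-call team a hard countdown for each deliverable instead of relying on someone remembering the clock started at awareness, not at confirmation of root cause.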

Key Dates & Timeline

Important milestones for NIS2 implementation.

16 December 2020
Commission Proposal
European Commission publishes the proposal for the NIS2 Directive as part of the EU Cybersecurity Strategy.
13 May 2022
Political Agreement
European Parliament and Council reach provisional political agreement on the NIS2 text.
28 November 2022
Council Adoption
Council of the EU formally adopts the NIS2 Directive.
27 December 2022
Published in Official Journal
NIS2 Directive published as Directive (EU) 2022/2555 in the Official Journal of the European Union.
16 January 2023
Entry into Force
NIS2 enters into force. 21-month transposition period begins for Member States.
17 October 2024
Transposition Deadline
Member States must transpose NIS2 into national law and publish the measures. NIS1 Directive (2016/1148) is repealed.
18 October 2024
Application Date
NIS2 measures become applicable. Essential and important entities must comply with national transpositions.
17 April 2025
Entity Identification Deadline
Member States must establish their list of essential and important entities. Entities must register with competent authorities.
17 October 2027
Commission Review
European Commission reviews the functioning and impact of the NIS2 Directive and reports to the European Parliament and Council.

Compliance Checklist

Track your NIS2 compliance progress against each pillar.

Pillar 1: Governance & Accountability

  • Management body formally approves cybersecurity risk-management measures
  • Board members have completed cybersecurity training (Art. 20(2))
  • Regular cybersecurity training offered to all employees
  • Roles and responsibilities for cybersecurity clearly defined and documented
  • Adequate budget allocated for cybersecurity measures
  • Risk acceptance process documented with management body sign-off
  • Regular board-level reporting on cybersecurity posture established

Pillar 2: Cybersecurity Risk Management

  • Risk analysis and information system security policies documented
  • Incident handling procedures established and tested
  • Business continuity and crisis management plans in place
  • Backup management and DR procedures documented and tested
  • Supply chain security risks assessed for all critical suppliers
  • Security integrated into acquisition, development, and maintenance lifecycle
  • Vulnerability handling and disclosure policies defined
  • Policies to assess effectiveness of cybersecurity measures established
  • Basic cyber hygiene practices defined and communicated
  • Cybersecurity training programme operational
  • Cryptography and encryption policies documented
  • Key management procedures in place
  • HR security with access control and asset management defined
  • MFA deployed for critical systems and privileged access
  • Asset management covering all critical network and information systems

Pillar 3: Incident Reporting

  • Significant incident criteria defined and aligned with Art. 23(3)
  • Escalation procedures for significant incidents documented
  • Early warning template ready (24-hour deadline)
  • Incident notification template ready (72-hour deadline)
  • Final report template ready (1-month deadline)
  • CSIRT/competent authority contact details identified and accessible to SOC
  • Customer notification process for incidents affecting service recipients
  • Near-miss voluntary reporting process considered
  • Cross-border incident notification procedures established

Pillar 4: Supply Chain Security

  • Critical suppliers and service providers identified and inventoried
  • Supplier security posture assessments conducted
  • Supply chain risk assessment documented
  • Cybersecurity requirements included in supplier contracts
  • Supplier incident notification obligations contractually agreed
  • EU coordinated supply chain risk assessment results monitored
  • Secure development practices assessed for key suppliers
  • Alternative supplier strategies evaluated for critical dependencies

Pillar 5: Supervision & Enforcement

  • Entity classification confirmed (essential vs important)
  • Registered with national competent authority
  • Prepared for supervisory inspections (documentation and evidence ready)
  • Compliance gap assessment completed against national transposition
  • Remediation roadmap with prioritised actions and deadlines

Who's In Scope — 18 Sectors

NIS2 applies to entities in 18 sectors, classified as "highly critical" (Annex I) or "other critical" (Annex II). The size-cap rule applies: generally medium-sized enterprises or larger (50+ employees or EUR 10M+ turnover).

Annex I — Sectors of High Criticality

# | Sector | Examples | Classification | Size Threshold
1 | Energy | Electricity, oil, gas, hydrogen, district heating operators | Essential | Medium+
2 | Transport | Air carriers, railway operators, waterway, road authorities | Essential | Medium+
3 | Banking | Credit institutions (see DORA lex specialis) | Essential* | Medium+
4 | Financial Market Infrastructure | Trading venues, CCPs (see DORA lex specialis) | Essential* | Medium+
5 | Health | Healthcare providers, EU reference labs, pharma manufacturers, medical device manufacturers | Essential | Medium+
6 | Drinking Water | Suppliers and distributors of water for human consumption | Essential | Medium+
7 | Waste Water | Operators collecting, disposing, or treating urban/industrial waste water | Essential | Medium+
8 | Digital Infrastructure | IXPs, DNS providers, TLD registries, cloud computing, data centres, CDNs, trust services | Essential | Any size
9 | ICT Service Management (B2B) | Managed service providers (MSPs), managed security service providers (MSSPs) | Essential or Important | Medium+
10 | Public Administration | Central government entities (excluding judiciary, parliament, central banks) | Essential | N/A
11 | Space | Operators of ground-based infrastructure supporting space-based services | Essential | Medium+

Annex II — Other Critical Sectors

# | Sector | Examples | Classification | Size Threshold
12 | Postal & Courier Services | Postal service providers including courier services | Important | Medium+
13 | Waste Management | Operators carrying out waste management | Important | Medium+
14 | Chemicals | Manufacturers, producers, and distributors of chemicals | Important | Medium+
15 | Food | Food businesses engaged in distribution, production, or processing | Important | Medium+
16 | Manufacturing | Medical devices, computers/electronics, machinery, motor vehicles, transport equipment | Important | Medium+
17 | Digital Providers | Online marketplaces, online search engines, social networking platforms | Important | Medium+
18 | Research | Research organisations | Important | Medium+

Note on DORA lex specialis: Financial entities (banking and financial market infrastructure — sectors 3–4) are generally subject to DORA rather than NIS2, as DORA is considered lex specialis under Art. 4. However, if your national NIS2 transposition includes additional requirements not covered by DORA, those may still apply. Always check your national implementation.

Implementing Acts & ENISA Guidance

NIS2 uses Commission implementing acts and ENISA technical guidance (rather than ESA RTS/ITS as used in DORA). These provide the detailed requirements for compliance.

Commission Implementing Acts

Implementing Regulation on Cybersecurity Measures

Art. 21(5) • Commission Implementing Regulation (EU) 2024/2690
  • Technical and methodological requirements for the 10 cybersecurity measures
  • Applicable to: DNS providers, TLD registries, cloud providers, data centres, CDNs, managed services, online marketplaces, search engines, social networks, trust services
  • Provides specific criteria for when an incident is considered significant

Implementing Act on Significant Incidents

Art. 23(11) • Commission
  • Specifies when an incident is to be considered significant
  • Specific thresholds for different entity types
  • Format and procedure for notifications

Delegated Act on Entity Identification

Art. 3 • Commission
  • Criteria for identifying essential and important entities
  • Size thresholds and sector-specific rules
  • Guidance on classification borderline cases

ENISA Technical Guidance

Technical Guidance on NIS2 Cybersecurity Measures

Art. 21(5) • ENISA (non-binding)
  • Guidance on implementing the 10 cybersecurity measures
  • Mapping to international standards (ISO 27001, IEC 62443)
  • Sector-specific considerations

Incident Reporting Guidelines

Art. 23 • ENISA
  • Guidance on incident reporting formats and procedures
  • Taxonomy of significant incidents
  • Cross-border incident coordination guidance

Supply Chain Security Guidance

Art. 22 • ENISA / Cooperation Group
  • Methodology for coordinated supply chain risk assessments
  • Best practices for supply chain security
  • Lessons from 5G Toolbox approach

EU Vulnerability Database

Art. 12 • ENISA
  • European vulnerability database maintained by ENISA
  • Standardised vulnerability information
  • Coordinated vulnerability disclosure support

Enforcement & Penalties

NIS2 establishes a GDPR-style enforcement framework with turnover-based fines and strong supervisory powers.

Essential Entity Enforcement (Art. 32–34)

Competent Authorities
  • Proactive supervision: random audits, on-site inspections, security scans
  • Issue binding instructions with implementation deadlines
  • Order implementation of recommendations from security audits
  • Designate a monitoring officer for a specific period
  • Temporarily suspend or ban management body members from exercising functions
  • Administrative fines: up to EUR 10M or 2% of global annual turnover (whichever is higher)

Important Entity Enforcement (Art. 33–34)

Competent Authorities (reactive)
  • Supervision triggered by evidence of non-compliance
  • On-site inspections and ex-post supervisory measures
  • Issue binding instructions and compliance orders
  • Administrative fines: up to EUR 7M or 1.4% of global annual turnover (whichever is higher)
  • No management body suspension power

Member State Penalties (Art. 36)

Defined at national level
  • Member States lay down rules on penalties for NIS2 infringements
  • Must be effective, proportionate, and dissuasive
  • Some Member States may include criminal sanctions
  • Personal liability for management body members (Art. 20)
  • Penalties notified to the Commission

Security Engineer Takeaway: NIS2's penalties are GDPR-like with explicit turnover-based caps. The biggest risk for essential entities is the management body suspension power (Art. 32(5)(b)) — board members can be temporarily barred from management functions. For security teams, this is powerful leverage: non-compliance is not just an organisational risk, it's a personal risk for the individuals who approve (or fail to approve) your security measures. The fine criteria also reward proactive compliance — documented mitigation efforts and cooperation reduce penalties.

External Resources & References

Curated links to official documents, technical guidance, and tools.

Official Legislation

Official

Directive (EU) 2022/2555 — NIS2 Full Text

The complete NIS2 Directive on EUR-Lex. The authoritative legal source. Available in all EU languages.

Primary Source
Official

Directive (EU) 2016/1148 — NIS1 (repealed)

The original NIS Directive, repealed by NIS2 on 18 October 2024. Useful for understanding the evolution and identifying changes.

Legacy Reference
Official

Commission Implementing Regulation (EU) 2024/2690

Implementing regulation laying down technical and methodological requirements for cybersecurity risk-management measures under NIS2.

Implementing Act
Official

European Commission — NIS2 Policy Page

Commission's central page for NIS2 with policy context, FAQs, and links to implementing measures.

Policy Context

Authority Guidance

Authority

ENISA — NIS Directive Resources

ENISA's central hub for NIS2 guidance, technical reports, and implementation support.

ENISA Hub All Pillars
Authority

ENISA — NIS Investments Report

Annual analysis of how much entities invest in NIS compliance. Useful for benchmarking your cybersecurity budget.

Benchmarking
Authority

ENISA — Incident Reporting Resources

Guidance on incident classification and reporting procedures. Useful for aligning NIS2 reporting with other regimes.

Pillar 3 Incidents
Authority

ENISA — Threat Landscape Reports

Annual EU threat landscape analysis. Essential input for risk assessments under Art. 21(2)(a).

Pillar 2 Threat Intel

Related Frameworks & Practical Guidance

Guidance

ISO/IEC 27001 — Information Security Management

Many NIS2 Art. 21 measures map to ISO 27001 Annex A controls. Use as a foundation for compliance gap analysis.

Pillar 2 Framework
Guidance

NIST Cybersecurity Framework (CSF)

NIST CSF maps well to NIS2's all-hazards approach. Useful for building a crosswalk between your controls and the 10 measures.

Pillar 2 Framework
Guidance

DORA — Regulation (EU) 2022/2554

DORA is lex specialis for financial entities. Understand the overlap and where NIS2 applies vs where DORA takes precedence.

Lex Specialis Financial
Guidance

CER Directive (EU) 2022/2557 — Critical Entities Resilience

Companion directive addressing physical resilience of critical entities. Works alongside NIS2 for holistic resilience.

Companion Physical
Guidance

Cyber Resilience Act (CRA)

Related EU legislation on cybersecurity of products with digital elements. Affects your supply chain and product security posture.

Related Products
Guidance

NIS2 National Transposition Tracker

Track which Member States have transposed NIS2 into national law and access national implementation details.

Transposition National

Tools & Practical Resources

Tool

OpenCRE — Common Requirements Enumeration

Map NIS2 requirements to other standards (ISO 27001, NIST, CIS Controls). Excellent for gap analysis.

Mapping All Pillars
Tool

STIX/TAXII — Threat Intelligence Sharing Standards

Standard protocols for sharing threat intelligence. Needed for information sharing arrangements under Art. 29.

Info Sharing CTI
Tool

MISP — Malware Information Sharing Platform

Open-source threat intelligence platform. Supports STIX/TAXII, IoC sharing, and community integration.

Info Sharing Open Source
Tool

MITRE ATT&CK Framework

Map detection capabilities and incident scenarios to the ATT&CK matrix. Essential for structured incident analysis.

Pillar 2-3 Detection
Tool

TLP — Traffic Light Protocol

Standard marking system for information sharing. Use TLP when participating in sharing communities under Art. 29.

Info Sharing

Community & Industry Bodies

Community

ENISA — EU Agency for Cybersecurity

The EU's cybersecurity agency. Key role in NIS2 implementation: technical guidance, threat landscapes, coordinated vulnerability disclosure, and EU vulnerability database.

Core Agency All Pillars
Community

CERT-EU — Computer Emergency Response Team for EU Institutions

CERT for EU institutions, bodies, and agencies. Part of the CSIRTs Network. Publishes advisories and threat reports.

CSIRT EU
Community

FIRST — Forum of Incident Response and Security Teams

Global forum for incident response teams. Membership provides access to trusted incident response communities and sharing networks.

Incident Response Global
Community

Europol EC3 — European Cybercrime Centre

EU-level support for cybercrime investigations. Relevant when significant incidents are suspected to be malicious (Art. 23 early warning).

Law Enforcement Cybercrime
Tip: NIS2 is a directive — always check your national transposition for specific local requirements, which may go beyond the directive's minimum standards. Links to authority websites may change as NIS2 implementation evolves. The EUR-Lex legal text is the most stable reference.