If you work in IT or cybersecurity within the European Union, NIS2 has probably come up in your meetings repeatedly over the past year. The directive entered into force on January 16, 2023, and EU member states had until October 17, 2024 to transpose it into national law. Some countries met that deadline. Many didn’t. But regardless of where your national legislation stands, the requirements are clear and the clock is ticking.

The NIS2 Directive (Network and Information Security Directive 2) is the EU’s updated cybersecurity framework for member states. It replaces the original NIS Directive from 2016, expanding scope from a few hundred organizations per country to thousands - potentially tens of thousands - across the EU. Requirements are tighter, and the penalties are real.

This guide covers what NIS2 actually requires, who falls under it, how it overlaps with ISO 27001, and what practical steps you can take today to start building compliance. If you want to see how NIS2 compliance mapping works in practice, our live CISO Assistant demo has the NIS2 framework pre-loaded.


Who must comply with NIS2?

NIS2 covers far more organizations than the original directive. The question isn’t just what sector you’re in - it’s also how big your organization is.

Entity classification

NIS2 divides organizations into two categories, each with different supervision regimes:

Essential entities face stricter supervision, including proactive inspections and audits. These include:

  • Energy (electricity, oil, gas, district heating, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare (hospitals, laboratories, medical device manufacturers)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD registries, cloud providers, data centers, CDNs, trust services)
  • ICT service management (managed service providers, managed security service providers)
  • Public administration (central government)
  • Space

Important entities face lighter, reactive supervision - typically investigated only after an incident or evidence of non-compliance:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organizations

Size thresholds

Within these sectors, NIS2 generally applies to organizations that are:

  • Medium-sized or larger: 50+ employees, or €10M+ annual turnover, or €10M+ balance sheet total
  • Some entities are covered regardless of size - DNS providers, TLD registries, trust service providers, and certain digital infrastructure operators

If your company operates in one of these sectors and meets the size threshold, NIS2 applies to you. There’s no registration or opt-in - it’s automatic.


What NIS2 requires

Article 21 is the heart of NIS2’s technical requirements. It mandates that essential and important entities implement appropriate and proportionate cybersecurity risk management measures. In practice, that breaks down into ten areas.

Risk management measures (Article 21)

NIS2 requires at minimum these cybersecurity measures:

  1. Risk analysis and information system security policies - documented policies governing how you assess and manage cyber risk
  2. Incident handling - processes for detecting, managing, and reporting incidents
  3. Business continuity and crisis management - backup management, disaster recovery, and crisis response plans
  4. Supply chain security - security measures covering your relationships with direct suppliers and service providers, including vulnerability management
  5. Security in network and information systems acquisition, development, and maintenance - including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures - essentially, auditing yourself
  7. Basic cyber hygiene practices and cybersecurity training - security awareness for all staff
  8. Policies on the use of cryptography and encryption - where appropriate
  9. Human resources security, access control policies, and asset management - who has access to what, and inventory of critical assets
  10. Multi-factor authentication (MFA) or continuous authentication solutions, secured communications, and secured emergency communication systems

If this list looks familiar, it should. Most of these requirements map directly to ISO 27001 controls. We’ll cover the exact overlap later in this article.

Incident reporting obligations (Article 23)

NIS2 introduces a mandatory, multi-stage incident reporting regime. Most organizations I work with aren’t set up for this out of the box:

| Timeline | Requirement | What to include |
|---|---|---|
| 24 hours | Early warning to CSIRT/competent authority | Whether the incident is suspected to be caused by unlawful or malicious acts, whether it could have cross-border impact |
| 72 hours | Incident notification | Initial assessment of severity and impact, indicators of compromise where applicable |
| 1 month | Final report | Detailed description of the incident, root cause analysis, mitigation measures applied, cross-border impact if any |

These timelines start from when the entity becomes aware of the significant incident. A “significant incident” is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or is capable of affecting other persons by causing considerable material or non-material damage.

For essential entities, this isn’t optional. Missing the 24-hour early warning window alone can trigger supervisory action.
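As an added illustration (not code from the original article or from CISO Assistant), the following tracker turns the three reporting stages above into deadlines and content checks. Stage names and field names are constructed for the example; note that Article 23(4)(d) of the directive counts the final report from submission of the 72-hour notification rather than from awareness, and the code follows that.

```python
import calendar
from datetime import datetime, timedelta

# Added example (not from the article or CISO Assistant): a small tracker for the
# three Article 23 reporting stages. Stage contents follow the table above;
# the field names are constructed for this example.
EARLY_WARNING = "early_warning"                  # due 24h after awareness
INCIDENT_NOTIFICATION = "incident_notification"  # due 72h after awareness
FINAL_REPORT = "final_report"                    # due 1 month after the notification

REQUIRED_CONTENT = {
    EARLY_WARNING: {"suspected_malicious", "cross_border_possible"},
    INCIDENT_NOTIFICATION: {"severity", "impact", "indicators_of_compromise"},
    FINAL_REPORT: {"description", "root_cause", "mitigation", "cross_border_impact"},
}

def is_significant(severe_disruption, financial_loss, damage_to_others):
    """NIS2 'significant incident' test as paraphrased above: any one leg suffices."""
    return bool(severe_disruption or financial_loss or damage_to_others)

def add_one_month(ts):
    """Same day next month, clamped to that month's length (Jan 31 -> Feb 28)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)

def reporting_deadlines(aware_at_iso, notification_sent_iso=None):
    """Deadlines (ISO 8601 strings) counted from when the entity became aware.
    Article 23(4)(d) anchors the final report to submission of the 72h
    notification; until it is actually sent we assume the latest possible case."""
    aware_at = datetime.fromisoformat(aware_at_iso)
    notification_due = aware_at + timedelta(hours=72)
    anchor = datetime.fromisoformat(notification_sent_iso) if notification_sent_iso else notification_due
    return {
        EARLY_WARNING: (aware_at + timedelta(hours=24)).isoformat(),
        INCIDENT_NOTIFICATION: notification_due.isoformat(),
        FINAL_REPORT: add_one_month(anchor).isoformat(),
    }

def missing_fields(stage, report):
    """Required content the draft for `stage` still lacks (check before sending)."""
    return sorted(REQUIRED_CONTENT[stage] - set(report))

def overdue_stages(deadlines, submitted, now_iso):
    """Stages whose deadline has passed with nothing submitted."""
    now = datetime.fromisoformat(now_iso)
    return sorted(s for s, due in deadlines.items()
                  if s not in submitted and now > datetime.fromisoformat(due))

if __name__ == "__main__":
    # Constructed incident: a hospital lab system compromised, noticed at 14:00 UTC.
    aware = "2025-03-10T14:00:00+00:00"
    due = reporting_deadlines(aware)
    for stage, when in due.items():
        print(f"{stage:22s} due {when}")
    print("early warning still missing:", missing_fields(EARLY_WARNING, {"suspected_malicious": True}))
    print("overdue at T+80h:", overdue_stages(due, {EARLY_WARNING}, "2025-03-13T22:00:00+00:00"))
```

Wire the awareness timestamp to whatever your ticketing system records as the moment of detection, since that is what the clocks run from.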

Supply chain security

Supply chain requirements deserve special attention because they’re often the hardest to implement. NIS2 requires you to:

  • Assess the cybersecurity practices of your direct suppliers and service providers
  • Consider the overall quality of products and services, including embedded cybersecurity features
  • Account for vulnerabilities specific to each supplier and the results of cybersecurity audits
  • Identify and manage risk from the supply chain as a whole, not just individual vendors

This means your vendor security management process needs to be formalized, documented, and actively maintained. A spreadsheet of vendor names won’t cut it - you need structured assessments with tracked remediation.

Governance and management liability

This is where NIS2 gets teeth. Article 20 makes management bodies directly responsible for cybersecurity:

  • Management must approve the cybersecurity risk management measures
  • Management must oversee their implementation
  • Management members must undergo cybersecurity training
  • Management can be held personally liable for non-compliance

Under NIS1, cybersecurity was often delegated entirely to IT teams. NIS2 makes it a board-level responsibility. If your CEO hasn’t been briefed on your NIS2 compliance status, close that gap now.


NIS2 vs ISO 27001: how they overlap

If your organization already holds ISO 27001 certification or is working toward it, you’re well positioned for NIS2. The overlap is substantial - roughly 70-80% of NIS2 requirements map to existing ISO 27001 controls.

Overlap matrix

| NIS2 requirement (Article 21) | ISO 27001 Annex A controls | Coverage |
|---|---|---|
| Risk analysis and security policies | A.5.1, A.5.2, A.6.1 | Full |
| Incident handling | A.5.24, A.5.25, A.5.26, A.6.8 | Partial (NIS2 adds strict timelines) |
| Business continuity | A.5.29, A.5.30, A.8.13, A.8.14 | Full |
| Supply chain security | A.5.19, A.5.20, A.5.21, A.5.22, A.5.23 | Full |
| Network and system security | A.8.8, A.8.9, A.8.20, A.8.21 | Full |
| Effectiveness assessment | A.5.35, A.5.36 (monitoring, compliance) | Full |
| Cyber hygiene and training | A.6.3, A.7.2 | Full |
| Cryptography | A.8.24 | Full |
| HR security and access control | A.6.1-6.7, A.8.2-8.5 | Full |
| MFA and secure communications | A.8.5, A.8.20 | Partial (NIS2 is more specific) |

Where NIS2 goes beyond ISO 27001

Despite the overlap, NIS2 adds requirements that ISO 27001 alone doesn’t cover:

  • Mandatory incident reporting with fixed timelines (24h/72h/1 month) - ISO 27001 requires incident management but doesn’t mandate reporting to authorities within specific timeframes
  • Deeper supply chain security - NIS2 expects more granular vendor assessment than ISO 27001’s supplier relationship controls
  • Management body liability - ISO 27001 requires management commitment, but NIS2 introduces personal liability
  • Sector-specific requirements that may be layered on top by national transposition laws
  • Cross-border coordination - obligation to consider and report incidents with potential cross-border impact

The practical takeaway

If you’re ISO 27001 certified, you’re not starting from zero. Your ISMS covers the majority of NIS2 requirements. The gaps are primarily around incident reporting procedures (adding the 24h/72h timelines), deepening your supply chain assessments, formalizing management oversight, and ensuring your incident classification considers the NIS2 “significant incident” threshold. For a detailed control-by-control mapping with specific Annex A references, see our guide on implementing NIS2 using your existing ISO 27001 controls.

If you’re not yet ISO 27001 certified, implementing NIS2 and ISO 27001 simultaneously makes sense - the work largely overlaps, and having the ISO certification demonstrates compliance maturity to regulators.


Timeline and national transposition status

Here’s where things stand across the EU as of early 2026:

| Milestone | Date | Status |
|---|---|---|
| NIS2 entered into force | January 16, 2023 | Done |
| Transposition deadline | October 17, 2024 | Passed |
| Member states expected to have national laws | October 17, 2024 | Many delayed |
| ENISA guidance and implementing acts | Throughout 2025 | Ongoing |
| Full enforcement expected | 2025-2026 | Varies by country |

National transposition reality

Several EU member states missed the October 2024 deadline. As of early 2026:

  • Germany - The NIS2 Implementation Act (NIS2UmsuCG) went through multiple drafts and was adopted in 2025. BSI (Federal Office for Information Security) is the primary supervisory authority.
  • France - ANSSI oversees implementation. France was among the more prepared member states.
  • Poland - The amendment to the National Cybersecurity System Act (KSC) implementing NIS2 was adopted, with NASK and sector-specific CSIRTs as responsible bodies. Polish organizations should pay particular attention to the national-level specifics.
  • Netherlands - Adopted the Cybersecurity Act (Cbw) transposing NIS2.
  • Italy - Transposed NIS2 in 2024, with ACN (National Cybersecurity Agency) as the competent authority.

Even in countries where transposition was delayed, organizations should be implementing NIS2 requirements now. The directive’s requirements are clear regardless of national legislation details, and retroactive enforcement from the transposition deadline is possible.


Penalties for non-compliance

NIS2 introduces penalties on a scale similar to GDPR:

| Entity type | Maximum fine |
|---|---|
| Essential entities | €10,000,000 or 2% of total worldwide annual turnover (whichever is higher) |
| Important entities | €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher) |

Beyond financial penalties, supervisory authorities can:

  • Issue binding instructions and orders
  • Order the implementation of security audit recommendations
  • Order measures to bring entities into compliance within a deadline
  • Impose periodic penalty payments until compliance is achieved
  • Temporarily suspend certifications or authorizations for essential entities
  • Temporarily ban individuals from exercising managerial functions at essential entities

That last point matters most in practice - NIS2 gives authorities the power to temporarily bar C-suite executives from their roles for serious non-compliance. Combined with the management liability provisions, this makes NIS2 compliance a personal concern for every board member.


How to implement NIS2 with CISO Assistant

CISO Assistant ships with the NIS2 framework pre-loaded, including all Article 21 requirements mapped to assessable controls.

NIS2 framework mapping

When you create a new compliance assessment in CISO Assistant and select the NIS2 framework, you’ll see all requirements organized by article and topic. Each requirement can be assessed as compliant, partially compliant, non-compliant, or not applicable (with justification).

The platform tracks your overall compliance percentage and highlights areas that need attention. If you’re also running ISO 27001, CISO Assistant’s cross-framework mapping shows you which NIS2 requirements your existing ISO 27001 controls already satisfy - so you’re not doing the same work twice.

Risk assessment aligned to NIS2

NIS2 Article 21 starts with risk analysis for a reason. In CISO Assistant, you can build a risk assessment that directly feeds into your NIS2 compliance:

  1. Identify assets - network infrastructure, information systems, and data within scope
  2. Map threats using the built-in threat catalog or your own
  3. Assess risks - probability and impact, linked to NIS2-relevant scenarios
  4. Apply controls - map mitigating controls to both your risk scenarios and NIS2 requirements simultaneously

This creates a single source of truth where risk treatment decisions are directly linked to NIS2 compliance evidence.

Incident management workflow

CISO Assistant doesn’t have a dedicated incident management module, but you can use the platform to:

  • Document your incident classification criteria aligned to NIS2’s “significant incident” definition
  • Map your incident response procedures to NIS2 Article 23 reporting timelines
  • Track evidence of incident response capability through compliance assessments
  • Link incident management controls to both NIS2 and ISO 27001 requirements

For actual incident ticketing and workflow, integrate with your existing ITSM or SIEM tools. CISO Assistant’s API makes this straightforward.

Supply chain management

Use CISO Assistant’s third-party risk management capabilities to address NIS2’s supply chain requirements:

  • Register all direct suppliers and service providers
  • Conduct structured security assessments per vendor
  • Rate vendor criticality based on access to your systems and data
  • Track remediation of identified risks
  • Generate reports demonstrating ongoing supply chain oversight

Practical first steps for companies starting today

If you haven’t started NIS2 compliance yet, here’s a realistic action plan:

Step 1: Determine if NIS2 applies to you (week 1)

Check your sector against the essential/important entity lists. Check your size against the thresholds (50+ employees or €10M+ turnover). If either applies, you’re in scope. If you’re unsure, err on the side of assuming NIS2 applies - the requirements are good security practice regardless.

Step 2: Conduct a gap analysis (weeks 2-4)

Map your current cybersecurity measures against NIS2 Article 21 requirements. CISO Assistant makes this straightforward - load the NIS2 framework, assess each requirement honestly, and you’ll have a clear picture of where you stand. Our compliance mapping guide walks through this process.

Step 3: Prioritize and plan (week 5)

Based on your gap analysis, create a remediation roadmap. Focus on:

  1. Quick wins - formalizing existing practices that aren’t documented (you probably do more than you think)
  2. High-risk gaps - incident reporting procedures, supply chain assessments, management briefings
  3. Foundational work - risk assessment methodology, asset inventory, access control policies

Step 4: Implement (months 2-6)

Work through your roadmap. The deliverables that matter most:

  • Documented cybersecurity risk management policy (approved by management)
  • Incident response plan with NIS2-compliant timelines (24h/72h/1 month)
  • Supplier security assessment program
  • Business continuity and disaster recovery plans
  • Evidence of management training and oversight
  • MFA deployed across critical systems

Step 5: Validate and maintain (ongoing)

  • Conduct regular internal assessments against NIS2 requirements
  • Test incident response procedures (tabletop exercises)
  • Review and update supplier assessments annually
  • Keep management informed and engaged
  • Monitor national transposition developments for additional requirements

What to take away

NIS2 is not optional. If your organization meets the sector and size criteria, compliance is mandatory. National transposition delays don’t change the underlying requirements.

ISO 27001 gets you most of the way there. If you’re already certified or implementing, roughly 70-80% of NIS2 requirements are covered. Focus your NIS2-specific efforts on incident reporting timelines, supply chain depth, and management liability.

Management is personally accountable. This is the biggest shift NIS2 introduces. Board members and C-suite executives must approve, oversee, and be trained on cybersecurity risk management. I’ve seen this catch organizations off-guard more than any other requirement.

Start with a gap analysis. You can’t plan what you don’t measure. Our free NIS2 Readiness Assessment lets you score your readiness across all nine NIS2 domains in 15 minutes - no signup required. For a deeper dive, load the NIS2 framework in CISO Assistant, assess your current state, and build your roadmap from there.

The penalties are real. Up to €10M or 2% of global turnover, plus potential suspension of certifications and temporary bans on executives. This isn’t guidance - it’s regulation with enforcement behind it.


Getting started

If you want to explore NIS2 compliance mapping hands-on, our live CISO Assistant demo has the NIS2 framework pre-loaded and ready to assess. For a self-hosted deployment with NIS2, ISO 27001, and DORA frameworks configured for your organization, that’s what we do. And if you need help building a compliance roadmap that covers NIS2 alongside your existing ISO 27001 program, get in touch - we’ve helped organizations across Europe navigate exactly this challenge.

For a detailed article-by-article breakdown of what NIS2 requires, see our NIS2 requirements checklist covering Articles 20-25 with practical checklists for each. For practical implementation, see how organizations are building public trust portals to demonstrate compliance transparency, or compare your options in our open-source GRC tools comparison. Our ISO 27001 implementation guide covers the foundational framework that overlaps heavily with NIS2 requirements.