NIS2 Directive — Network and Information Security 2
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s updated and significantly expanded framework for cybersecurity across critical infrastructure. It replaces the original NIS Directive (2016/1148) with a broader scope, stricter requirements, and harsher penalties — making it the most consequential cybersecurity directive in EU history.
Key Facts
| Detail | Information |
|---|---|
| Full name | Directive (EU) 2022/2555 on measures for a high common level of cybersecurity |
| Replaces | NIS Directive (2016/1148) |
| Transposition deadline | 17 October 2024 |
| Registration deadline | 28 February 2025 |
| Scope | ~160,000 entities across 18 sectors in the EU |
| Maximum fine | €10 million or 2% of global annual turnover (essential entities) |
| Management liability | Personal liability for C-level executives |
What Changed from NIS to NIS2?
| Aspect | NIS (2016) | NIS2 (2022) |
|---|---|---|
| Sectors covered | 7 sectors | 18 sectors |
| Entity classification | Operators of Essential Services (OES) | Essential + Important entities |
| Supply chain security | Not addressed | Mandatory risk assessment |
| Incident reporting | 72 hours | 24h early warning + 72h full report |
| Penalties | Variable by member state | Harmonized: up to €10M / 2% turnover |
| Management accountability | None specified | Personal C-level liability |
| Enforcement | Reactive | Proactive audits and inspections |
Who Must Comply?
NIS2 applies to essential entities (large organizations in critical sectors) and important entities (medium-sized organizations in important sectors):
Essential Entities (Stricter Regime)
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, medical device manufacturers, pharmaceuticals)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
- Public administration
- Space
Important Entities
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networks)
- Research organizations
Core Requirements
1. Risk Management Measures (Article 21)
Organizations must implement, at a minimum, the following measures:
- Risk analysis and information system security policies
- Incident handling — detection, response, and recovery
- Business continuity and crisis management — including backup and disaster recovery
- Supply chain security — risk assessment of direct suppliers and service providers
- Security in network and systems acquisition — including vulnerability handling and disclosure
- Cybersecurity training — including for management
- Cryptography and encryption policies
- Human resources security — access control, asset management
- Multi-factor authentication (MFA) and secured communications
2. Incident Reporting (Article 23)
Organizations must report significant incidents to national authorities in three stages:
| Step | Deadline | Content |
|---|---|---|
| Early warning | 24 hours | Suspected cause, cross-border impact |
| Incident notification | 72 hours | Assessment of severity, impact, indicators of compromise |
| Final report | 1 month | Root cause, mitigation, cross-border impact analysis |
3. Supply Chain Security
NIS2 explicitly requires entities to assess and manage cybersecurity risks in their supply chain — including hardware suppliers, software vendors, and managed service providers. This means hardware manufacturers supplying to NIS2-regulated entities must demonstrate security practices.
NIS2 vs. CRA — Different but Complementary
| Aspect | NIS2 | CRA |
|---|---|---|
| Target | Organizations | Products |
| Focus | Organizational cybersecurity posture | Product security throughout lifecycle |
| Who complies | Essential and important entities | Manufacturers, importers, distributors |
| Key obligation | Risk management + incident reporting | Security by design + vulnerability management |
NIS2 secures organizations. CRA secures the products they build. Together, they create a comprehensive EU cybersecurity framework.
Related Terms
- EU Cyber Resilience Act (CRA) — Complementary regulation securing products.
- Secure Boot — Technical measure supporting NIS2 compliance.
- IoT — Connected devices within NIS2-regulated supply chains.