NIS2 Explained: Everything Organizations Need to Know
NIS2 (Network and Information Security Directive 2) is the EU's updated cybersecurity regulation that significantly expands the scope of mandatory security requirements across Europe. It covers more sectors than its predecessor, introduces personal liability for board members, and allows fines of up to €10 million or 2% of global annual turnover for non-compliance.
What is NIS2?
NIS2 is the European Union's revised Network and Information Security Directive, adopted in December 2022 and transposed into national law across EU member states. It replaces the original NIS Directive (2016) and dramatically expands the range of organizations required to meet cybersecurity standards.
Where NIS1 targeted a limited set of "operators of essential services," NIS2 casts a much wider net. Tens of thousands of additional organizations across Europe now fall under its scope, including mid-sized companies in sectors previously not covered.
The directive has three core objectives: improve the overall cybersecurity posture of EU member states, increase incident reporting, and ensure greater accountability at the executive level.
Which Sectors and Organizations Fall Under NIS2?
NIS2 distinguishes between "essential entities" (subject to stricter supervision) and "important entities" (subject to lighter-touch supervision). The sectors covered:
| Essential Entities (Annex I) | Important Entities (Annex II) |
|---|---|
| Energy (electricity, gas, oil, hydrogen) | Postal and courier services |
| Transport (air, rail, road, maritime) | Waste management |
| Banking and financial market infrastructure | Chemicals manufacturing |
| Health (hospitals, pharma, medical devices) | Food production and distribution |
| Drinking water and wastewater | Manufacturing (medical, electronics, machinery, vehicles) |
| Digital infrastructure (DNS, cloud, CDN, data centers) | Digital providers (online marketplaces, search engines, social networks) |
| Public administration | Research organizations |
The general size threshold is 50 or more employees OR an annual turnover exceeding €10 million. Smaller organizations in critical sectors may also be included.
Key Obligations Under NIS2
NIS2 requires covered organizations to implement a range of cybersecurity measures, including:
- Risk management: Conduct and document cybersecurity risk assessments, and implement appropriate technical and organizational measures.
- Incident reporting: Report significant incidents to the national competent authority within 24 hours (early warning), 72 hours (initial notification), and 30 days (final report).
- Supply chain security: Assess and manage cybersecurity risks in your supply chain and from ICT service providers.
- Business continuity: Have plans and procedures in place for backup management, disaster recovery, and crisis management.
- Encryption and access control: Use encryption where appropriate and implement robust access management, including multi-factor authentication.
- Security testing: Regularly test the effectiveness of your security measures, including penetration testing.
- Security awareness training: Train employees and management on cybersecurity risks and hygiene.
Board Liability Under NIS2
One of the most significant changes in NIS2 is the explicit personal liability of senior management. Board members and executives can be held personally accountable for cybersecurity failures. Specifically, NIS2 allows national authorities to:
- Publicly name management responsible for non-compliance
- Temporarily ban individuals from management roles following serious incidents
- Hold management liable for damages caused by security failures
This means cybersecurity is no longer just an IT topic; it is a boardroom responsibility. Executives are required to approve cybersecurity risk management measures and oversee their implementation.
NIS2 Fines and Penalties
Non-compliance with NIS2 can result in significant administrative fines:
- Essential entities: up to €10 million or 2% of total global annual turnover (whichever is higher)
- Important entities: up to €7 million or 1.4% of total global annual turnover (whichever is higher)
Beyond fines, supervisory authorities can issue binding instructions, order remediation, and require organizations to inform customers about security incidents.
NIS2 vs ISO 27001 vs DORA
Understanding how NIS2 relates to other frameworks helps organizations build an efficient compliance strategy:
| | NIS2 | ISO 27001 | DORA |
|---|---|---|---|
| Type | EU law (mandatory) | International standard (voluntary) | EU law (mandatory) |
| Scope | Multi-sector, EU-wide | Any organization globally | Financial sector only, EU |
| Focus | Cybersecurity risk management | Information security management | Digital operational resilience |
| Fines | Up to €10M or 2% | None (certification body) | Sector-specific, up to 1% daily |
| Overlap | ISO 27001 helps NIS2 compliance | Supports NIS2 and DORA | NIS2 applies alongside DORA |
ISO 27001 certification is not a substitute for NIS2 compliance, but it provides a solid foundation. Organizations already certified to ISO 27001 have a significant head start on NIS2 requirements.
How to Prepare for NIS2: Key Steps
- Determine whether you are in scope. Check your sector and size against the NIS2 thresholds. When in doubt, consult your national authority or a specialist.
- Conduct a gap assessment. Compare your current security measures against NIS2 requirements to identify what needs to change.
- Engage the board. Present NIS2 risks and obligations at board level. Document management's approval of the cybersecurity risk management plan.
- Implement and document measures. Address gaps in risk management, incident response, supply chain security, and employee awareness.
- Register with national authorities. Many member states require covered organizations to formally register with the competent authority.
- Test your measures. Run penetration tests and tabletop exercises to validate that your controls actually work.
Frequently Asked Questions About NIS2
Does NIS2 apply to my organization outside the EU?
If your organization provides services to entities in EU member states and falls within a covered sector, NIS2 may apply to you even if you are headquartered outside the EU. Consult legal counsel if you are uncertain about your jurisdiction.
What counts as a "significant incident" under NIS2?
An incident is significant if it causes or could cause serious operational disruption, financial loss, physical damage, or reputational harm. Examples include ransomware attacks, data breaches affecting large numbers of people, and prolonged service outages.
Is ISO 27001 certification sufficient for NIS2?
No. ISO 27001 certification demonstrates strong security management practices and will help with NIS2 compliance, but it does not automatically fulfill all NIS2 obligations. Specific requirements around incident reporting timelines, board accountability, and supply chain security go beyond ISO 27001's scope.
Who enforces NIS2?
Each EU member state designates national competent authorities (NCAs) to supervise and enforce NIS2. In the Netherlands, this is the NCSC and sector-specific supervisors. In Spain, the CCN-CERT and sector regulators carry out enforcement.
What is the difference between essential and important entities under NIS2?
Essential entities are subject to proactive, regular supervision and the highest fines. Important entities are subject to reactive supervision (typically triggered by an incident or complaint) and slightly lower maximum fines. Both categories must implement the same security measures.
How does NIS2 affect supply chain security?
NIS2 explicitly requires organizations to assess and manage cybersecurity risks from their direct suppliers and service providers. You must ensure that critical ICT suppliers meet appropriate security standards. Many organizations are now cascading NIS2 requirements down to their vendors via contractual clauses.
Is your organization NIS2-ready?
Our NIS2 Readiness Assessment identifies your gaps, prioritizes your actions, and gives management a clear roadmap to compliance. Start with a no-obligation conversation.