Everything you need to know about the NIS2 Directive: who it applies to, requirements, penalties up to €10M, deadlines, and how to prepare your organization for compliance.
The NIS2 Directive (Directive (EU) 2022/2555) represents the most significant overhaul of EU cybersecurity regulation in a decade. If your organization operates in Europe, this legislation will fundamentally change how you approach cybersecurity — and the penalties for non-compliance are severe.
This guide covers everything you need to know: what NIS2 is, who it applies to, the specific requirements, deadlines, penalties, and a clear roadmap to achieve compliance.
The NIS2 Directive is the European Union's updated framework for ensuring a high common level of cybersecurity across all member states. It replaces the original NIS Directive (2016/1148), which was widely criticized for inconsistent implementation and a scope too narrow for today's threat landscape.
Adopted by the European Parliament on November 28, 2022, NIS2 dramatically expands the number of organizations that fall under mandatory cybersecurity obligations. The European Commission estimated that the original NIS Directive covered approximately 15,000 entities across the EU. Under NIS2, that number jumps to over 160,000 organizations — a tenfold increase.
The original NIS Directive left too many gaps:
NIS2 addresses all of these shortcomings with harmonized requirements, expanded scope, and enforcement mechanisms with real teeth.
NIS2 uses a size-cap rule combined with sector-based classification. Organizations are categorized as either Essential Entities or Important Entities.
These sectors are considered vital to the functioning of society and the economy:
NIS2 applies to organizations in the above sectors that meet at least one of these thresholds:
Important exceptions: Certain entities are covered regardless of size, including: - DNS service providers - TLD name registries - Providers of public electronic communications networks - Trust service providers - Sole providers of a service in a member state that is essential for societal/economic activities
Even if your organization doesn't directly fall under NIS2, you may be affected through supply chain requirements. Essential and Important entities must implement cybersecurity risk management measures for their supply chains, which means they'll push compliance requirements downstream to vendors and partners.
NIS2 Article 21 outlines ten minimum cybersecurity risk management measures that all covered entities must implement:
Establish comprehensive policies for risk analysis and information system security. This includes regular risk assessments, documented security policies, and a governance framework for cybersecurity.
Implement procedures for preventing, detecting, and responding to cybersecurity incidents. This includes: - Incident response plans - Incident detection capabilities - Communication procedures during incidents
Ensure operational resilience through: - Backup management - Disaster recovery plans - Crisis management procedures - Regular testing of continuity plans
Address security risks in relationships with direct suppliers and service providers. Conduct due diligence on supplier cybersecurity practices and include security requirements in contracts.
Implement security measures covering the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
Establish policies and procedures to assess the effectiveness of cybersecurity risk management measures. Regular audits and assessments are required.
Implement cyber hygiene practices and provide regular cybersecurity awareness training for all staff, including management.
Establish policies and procedures regarding the use of cryptography and, where appropriate, encryption to protect data in transit and at rest.
Implement proper access control policies, asset management procedures, and multi-factor authentication or continuous authentication solutions.
Use secured voice, video, and text communications, and secured emergency communication systems within the organization.
NIS2 introduces a multi-stage incident reporting obligation that is significantly more demanding than its predecessor:
| Stage | Deadline | Requirement |
|---|---|---|
| Early warning | Within 24 hours | Notify the CSIRT or competent authority of a significant incident |
| Incident notification | Within 72 hours | Provide an initial assessment including severity, impact, and indicators of compromise |
| Intermediate report | Upon request | Status update on the incident and response measures |
| Final report | Within 1 month | Detailed description, root cause, mitigation measures, and cross-border impact |
A significant incident is defined as one that: - Has caused or is capable of causing severe operational disruption or financial loss - Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
NIS2's enforcement provisions represent a step change from the original directive:
One of the most consequential provisions of NIS2 is Article 20, which requires: - Management bodies to approve cybersecurity risk management measures - Management bodies to oversee the implementation of these measures - Members of management bodies to undergo training in cybersecurity - Management can be held personally liable for infringements
This means cybersecurity is no longer something that can be delegated entirely to the IT department. Board members and C-suite executives carry direct responsibility.
The directive entered into force on January 16, 2023, and member states were required to transpose it into national law by October 17, 2024.
Germany — The NIS2-Umsetzungsgesetz (NIS2UmsuCG) was delayed but is expected to take effect in 2025. It will affect an estimated 29,000 organizations in Germany alone — up from roughly 2,000 under the original KRITIS regulation. The German implementation goes beyond the directive's minimum requirements in several areas.
Austria — The NISG 2024 (Netz- und Informationssystemsicherheitsgesetz) is in advanced stages. Austria is expected to cover approximately 4,000 organizations.
Switzerland — While not an EU member, Switzerland is aligning its cybersecurity framework with NIS2 principles. The revised Informationssicherheitsgesetz (ISG) incorporates similar requirements, and Swiss companies doing business in the EU must comply with NIS2 directly.
France — France transposed the directive largely on time, building on its already robust ANSSI framework.
The Netherlands — The Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2) is being finalized, extending coverage to approximately 10,000 Dutch organizations.
Use the sector lists and size-cap thresholds above to assess whether your organization qualifies as an Essential or Important entity. Don't forget to consider supply chain obligations — even if you're not directly in scope, your customers may require NIS2-aligned security practices.
Compare your current cybersecurity posture against the ten minimum measures in Article 21. Identify gaps in: - Risk management processes - Incident detection and response capabilities - Business continuity planning - Supply chain security practices - Employee training and awareness
You can't protect what you don't know about. Conduct a thorough assessment of your external attack surface, including: - Web applications and APIs - Cloud services and infrastructure - Third-party integrations - Legacy systems with internet exposure
KENSAI provides automated, AI-powered attack surface scanning that maps your entire external footprint and identifies vulnerabilities before attackers do. Unlike traditional point-in-time assessments, KENSAI delivers continuous scanning that aligns with NIS2's requirement for ongoing risk management.
Based on your gap analysis, deploy the necessary technical controls: - Network segmentation and monitoring - Endpoint detection and response (EDR) - Multi-factor authentication - Encryption for data in transit and at rest - Vulnerability management with regular scanning - Web application firewalls and API security
NIS2 requires documented policies and procedures. At minimum, you need: - Information security policy - Risk assessment methodology and reports - Incident response plan - Business continuity and disaster recovery plans - Supply chain security policy - Training records
The 24-hour early warning requirement means you need: - 24/7 monitoring capabilities (or outsourced SOC services) - Pre-defined incident classification criteria - Communication templates for CSIRT notification - Designated incident response team with clear roles
NIS2 mandates cybersecurity training for management bodies and staff. Implement: - Regular security awareness training for all employees - Specific training for management on their oversight responsibilities - Technical training for IT and security staff - Phishing simulations and security exercises
Review your supplier relationships and: - Assess the cybersecurity posture of critical suppliers - Include security requirements in procurement criteria and contracts - Establish information-sharing mechanisms with key suppliers - Monitor supplier security on an ongoing basis
One of the most effective ways to meet NIS2's continuous risk management requirements is through automated security testing. The directive explicitly requires vulnerability handling and regular assessment of cybersecurity measures — manual, annual penetration tests are no longer sufficient.
KENSAI's automated vulnerability scanning platform enables organizations to:
For organizations preparing for NIS2, automated scanning isn't optional — it's essential for demonstrating the "appropriate and proportionate" technical measures the directive requires.
Yes. If your organization provides services within the EU or to EU-based entities in covered sectors, NIS2 applies. Non-EU companies must designate a representative in the EU.
NIS2 and GDPR are complementary. GDPR focuses on personal data protection; NIS2 focuses on cybersecurity of network and information systems. A data breach can trigger obligations under both regulations. NIS2 even specifies that GDPR fines should be considered when assessing NIS2 penalties.
ISO 27001 provides a strong foundation, but it doesn't automatically mean NIS2 compliance. NIS2 has specific requirements (like the 24-hour incident reporting) that go beyond ISO 27001. However, organizations with ISO 27001 certification will find the transition significantly easier.
Even if national transposition is delayed, the directive's requirements are clear. Organizations should begin preparing now. Once national law takes effect, enforcement can begin immediately — there may not be a grace period.
NIS2 includes a lex specialis provision: where sector-specific EU legislation imposes cybersecurity requirements that are at least equivalent to NIS2, the sector-specific rules take precedence. Examples include DORA for the financial sector.
NIS2 is not a distant regulatory threat — it's here, and enforcement is ramping up across Europe. Organizations that delay preparation risk not only regulatory fines but also the reputational and operational damage that comes from inadequate cybersecurity.
The directive's requirements are comprehensive but achievable, especially with the right tools and approach. Start with understanding your scope, assess your gaps, and implement systematic, continuous security measures.
Don't wait for enforcement actions to begin. KENSAI's AI-powered security platform helps you identify vulnerabilities, assess your attack surface, and demonstrate the continuous security monitoring that NIS2 demands.
👉 Get your free security scan at kensai.app/free-scan — see your exposure in minutes, not months.
Scan your infrastructure for vulnerabilities in minutes — no credit card required.
Start Free Scan →Published by KENSAI Security Research — AI-Powered Cybersecurity Platform