← Back to Blog
RESEARCH 12 min read

NIS2 Directive: The Complete Guide for European Businesses

Everything you need to know about the NIS2 Directive: who it applies to, requirements, penalties up to €10M, deadlines, and how to prepare your organization for compliance.


NIS2 Directive: The Complete Guide for European Businesses

The NIS2 Directive (Directive (EU) 2022/2555) represents the most significant overhaul of EU cybersecurity regulation in a decade. If your organization operates in Europe, this legislation will fundamentally change how you approach cybersecurity — and the penalties for non-compliance are severe.

This guide covers everything you need to know: what NIS2 is, who it applies to, the specific requirements, deadlines, penalties, and a clear roadmap to achieve compliance.

What Is the NIS2 Directive?

The NIS2 Directive is the European Union's updated framework for ensuring a high common level of cybersecurity across all member states. It replaces the original NIS Directive (2016/1148), which was widely criticized for inconsistent implementation and a scope too narrow for today's threat landscape.

Adopted by the European Parliament on November 28, 2022, NIS2 dramatically expands the number of organizations that fall under mandatory cybersecurity obligations. The European Commission estimated that the original NIS Directive covered approximately 15,000 entities across the EU. Under NIS2, that number jumps to over 160,000 organizations — a tenfold increase.

Why Was NIS2 Necessary?

The original NIS Directive left too many gaps:

NIS2 addresses all of these shortcomings with harmonized requirements, expanded scope, and enforcement mechanisms with real teeth.

Who Does NIS2 Apply To?

NIS2 uses a size-cap rule combined with sector-based classification. Organizations are categorized as either Essential Entities or Important Entities.

Essential Entities (Annex I — "Highly Critical Sectors")

These sectors are considered vital to the functioning of society and the economy:

Important Entities (Annex II — "Other Critical Sectors")

The Size-Cap Rule

NIS2 applies to organizations in the above sectors that meet at least one of these thresholds:

Important exceptions: Certain entities are covered regardless of size, including: - DNS service providers - TLD name registries - Providers of public electronic communications networks - Trust service providers - Sole providers of a service in a member state that is essential for societal/economic activities

Supply Chain Implications

Even if your organization doesn't directly fall under NIS2, you may be affected through supply chain requirements. Essential and Important entities must implement cybersecurity risk management measures for their supply chains, which means they'll push compliance requirements downstream to vendors and partners.

NIS2 Requirements: What You Must Do

NIS2 Article 21 outlines ten minimum cybersecurity risk management measures that all covered entities must implement:

1. Risk Analysis and Information System Security Policies

Establish comprehensive policies for risk analysis and information system security. This includes regular risk assessments, documented security policies, and a governance framework for cybersecurity.

2. Incident Handling

Implement procedures for preventing, detecting, and responding to cybersecurity incidents. This includes: - Incident response plans - Incident detection capabilities - Communication procedures during incidents

3. Business Continuity and Crisis Management

Ensure operational resilience through: - Backup management - Disaster recovery plans - Crisis management procedures - Regular testing of continuity plans

4. Supply Chain Security

Address security risks in relationships with direct suppliers and service providers. Conduct due diligence on supplier cybersecurity practices and include security requirements in contracts.

5. Security in Network and Information Systems

Implement security measures covering the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.

6. Cybersecurity Risk Management Assessment

Establish policies and procedures to assess the effectiveness of cybersecurity risk management measures. Regular audits and assessments are required.

7. Basic Cyber Hygiene Practices and Training

Implement cyber hygiene practices and provide regular cybersecurity awareness training for all staff, including management.

8. Cryptography and Encryption

Establish policies and procedures regarding the use of cryptography and, where appropriate, encryption to protect data in transit and at rest.

9. Human Resources Security and Access Control

Implement proper access control policies, asset management procedures, and multi-factor authentication or continuous authentication solutions.

10. Secure Communications

Use secured voice, video, and text communications, and secured emergency communication systems within the organization.

Incident Reporting Requirements

NIS2 introduces a multi-stage incident reporting obligation that is significantly more demanding than its predecessor:

Stage Deadline Requirement
Early warning Within 24 hours Notify the CSIRT or competent authority of a significant incident
Incident notification Within 72 hours Provide an initial assessment including severity, impact, and indicators of compromise
Intermediate report Upon request Status update on the incident and response measures
Final report Within 1 month Detailed description, root cause, mitigation measures, and cross-border impact

A significant incident is defined as one that: - Has caused or is capable of causing severe operational disruption or financial loss - Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Penalties and Enforcement

NIS2's enforcement provisions represent a step change from the original directive:

For Essential Entities:

For Important Entities:

Management Accountability

One of the most consequential provisions of NIS2 is Article 20, which requires: - Management bodies to approve cybersecurity risk management measures - Management bodies to oversee the implementation of these measures - Members of management bodies to undergo training in cybersecurity - Management can be held personally liable for infringements

This means cybersecurity is no longer something that can be delegated entirely to the IT department. Board members and C-suite executives carry direct responsibility.

NIS2 Transposition Timeline

The directive entered into force on January 16, 2023, and member states were required to transpose it into national law by October 17, 2024.

Transposition Status Across Key Markets

Germany — The NIS2-Umsetzungsgesetz (NIS2UmsuCG) was delayed but is expected to take effect in 2025. It will affect an estimated 29,000 organizations in Germany alone — up from roughly 2,000 under the original KRITIS regulation. The German implementation goes beyond the directive's minimum requirements in several areas.

Austria — The NISG 2024 (Netz- und Informationssystemsicherheitsgesetz) is in advanced stages. Austria is expected to cover approximately 4,000 organizations.

Switzerland — While not an EU member, Switzerland is aligning its cybersecurity framework with NIS2 principles. The revised Informationssicherheitsgesetz (ISG) incorporates similar requirements, and Swiss companies doing business in the EU must comply with NIS2 directly.

France — France transposed the directive largely on time, building on its already robust ANSSI framework.

The Netherlands — The Wet beveiliging netwerk- en informatiesystemen 2 (Wbni 2) is being finalized, extending coverage to approximately 10,000 Dutch organizations.

How to Prepare for NIS2 Compliance

Step 1: Determine If You're In Scope

Use the sector lists and size-cap thresholds above to assess whether your organization qualifies as an Essential or Important entity. Don't forget to consider supply chain obligations — even if you're not directly in scope, your customers may require NIS2-aligned security practices.

Step 2: Conduct a Gap Analysis

Compare your current cybersecurity posture against the ten minimum measures in Article 21. Identify gaps in: - Risk management processes - Incident detection and response capabilities - Business continuity planning - Supply chain security practices - Employee training and awareness

Step 3: Assess Your Attack Surface

You can't protect what you don't know about. Conduct a thorough assessment of your external attack surface, including: - Web applications and APIs - Cloud services and infrastructure - Third-party integrations - Legacy systems with internet exposure

KENSAI provides automated, AI-powered attack surface scanning that maps your entire external footprint and identifies vulnerabilities before attackers do. Unlike traditional point-in-time assessments, KENSAI delivers continuous scanning that aligns with NIS2's requirement for ongoing risk management.

Step 4: Implement Technical Controls

Based on your gap analysis, deploy the necessary technical controls: - Network segmentation and monitoring - Endpoint detection and response (EDR) - Multi-factor authentication - Encryption for data in transit and at rest - Vulnerability management with regular scanning - Web application firewalls and API security

Step 5: Establish Governance and Documentation

NIS2 requires documented policies and procedures. At minimum, you need: - Information security policy - Risk assessment methodology and reports - Incident response plan - Business continuity and disaster recovery plans - Supply chain security policy - Training records

Step 6: Prepare Incident Response Capabilities

The 24-hour early warning requirement means you need: - 24/7 monitoring capabilities (or outsourced SOC services) - Pre-defined incident classification criteria - Communication templates for CSIRT notification - Designated incident response team with clear roles

Step 7: Train Your People

NIS2 mandates cybersecurity training for management bodies and staff. Implement: - Regular security awareness training for all employees - Specific training for management on their oversight responsibilities - Technical training for IT and security staff - Phishing simulations and security exercises

Step 8: Engage Your Supply Chain

Review your supplier relationships and: - Assess the cybersecurity posture of critical suppliers - Include security requirements in procurement criteria and contracts - Establish information-sharing mechanisms with key suppliers - Monitor supplier security on an ongoing basis

NIS2 and Automated Security Testing

One of the most effective ways to meet NIS2's continuous risk management requirements is through automated security testing. The directive explicitly requires vulnerability handling and regular assessment of cybersecurity measures — manual, annual penetration tests are no longer sufficient.

KENSAI's automated vulnerability scanning platform enables organizations to:

For organizations preparing for NIS2, automated scanning isn't optional — it's essential for demonstrating the "appropriate and proportionate" technical measures the directive requires.

Frequently Asked Questions

Does NIS2 apply to non-EU companies?

Yes. If your organization provides services within the EU or to EU-based entities in covered sectors, NIS2 applies. Non-EU companies must designate a representative in the EU.

What's the relationship between NIS2 and GDPR?

NIS2 and GDPR are complementary. GDPR focuses on personal data protection; NIS2 focuses on cybersecurity of network and information systems. A data breach can trigger obligations under both regulations. NIS2 even specifies that GDPR fines should be considered when assessing NIS2 penalties.

Can we use existing ISO 27001 certification for NIS2 compliance?

ISO 27001 provides a strong foundation, but it doesn't automatically mean NIS2 compliance. NIS2 has specific requirements (like the 24-hour incident reporting) that go beyond ISO 27001. However, organizations with ISO 27001 certification will find the transition significantly easier.

What if our member state hasn't transposed NIS2 yet?

Even if national transposition is delayed, the directive's requirements are clear. Organizations should begin preparing now. Once national law takes effect, enforcement can begin immediately — there may not be a grace period.

How does NIS2 interact with sector-specific regulations?

NIS2 includes a lex specialis provision: where sector-specific EU legislation imposes cybersecurity requirements that are at least equivalent to NIS2, the sector-specific rules take precedence. Examples include DORA for the financial sector.

The Bottom Line

NIS2 is not a distant regulatory threat — it's here, and enforcement is ramping up across Europe. Organizations that delay preparation risk not only regulatory fines but also the reputational and operational damage that comes from inadequate cybersecurity.

The directive's requirements are comprehensive but achievable, especially with the right tools and approach. Start with understanding your scope, assess your gaps, and implement systematic, continuous security measures.


Start Your NIS2 Compliance Journey Today

Don't wait for enforcement actions to begin. KENSAI's AI-powered security platform helps you identify vulnerabilities, assess your attack surface, and demonstrate the continuous security monitoring that NIS2 demands.

👉 Get your free security scan at kensai.app/free-scan — see your exposure in minutes, not months.

Try KENSAI Free

Scan your infrastructure for vulnerabilities in minutes — no credit card required.

Start Free Scan →

Published by KENSAI Security Research — AI-Powered Cybersecurity Platform

🛡️ Is your website secure?

Discover vulnerabilities before attackers do.

Scan your website for free →