01 What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's landmark cybersecurity regulation โ a comprehensive overhaul of the original NIS Directive from 2016. Published in the Official Journal of the EU on 27 December 2022, NIS2 establishes a unified legal framework requiring organizations across 18 critical sectors to implement robust cybersecurity risk management measures and report significant incidents.
NIS2 represents a fundamental shift in how the EU approaches cybersecurity. While the original NIS Directive left significant discretion to Member States โ resulting in fragmented implementation โ NIS2 harmonizes requirements, introduces stricter oversight mechanisms, and dramatically expands the scope of entities that must comply.
Timeline & Key Dates
๐ก Why NIS2 Matters Now
As of early 2026, NIS2 is no longer a future concern โ it's an active legal obligation. The European Commission has initiated infringement proceedings against Member States that missed the October 2024 transposition deadline. National authorities are beginning supervision activities, and organizations that haven't started their compliance journey are already behind.
02 Who Must Comply?
NIS2 takes a fundamentally different approach to scope than its predecessor. Instead of allowing each Member State to designate operators, NIS2 uses a size-cap mechanism combined with sector-based criteria. This means any medium-sized or large entity operating in a covered sector automatically falls within scope โ no individual designation needed.
Entities are classified into two categories based on their sector and size: essential entities (subject to stricter supervision) and important entities (lighter-touch, ex-post supervision).
Sectors of High Criticality โ Essential Entities
Annex I of NIS2 lists 11 sectors of high criticality. Large entities in these sectors are classified as essential:
Other Critical Sectors โ Important Entities
Annex II lists 7 additional sectors. Medium-sized and large entities in these sectors are classified as important:
Size Thresholds
| Category | Employees | Annual Turnover | Balance Sheet | NIS2 Classification |
|---|---|---|---|---|
| Large entity | 250+ | > โฌ50 million | > โฌ43 million | Essential (Annex I) or Important (Annex II) |
| Medium entity | 50โ249 | โฌ10M โ โฌ50M | โฌ10M โ โฌ43M | Important (or Essential if Annex I) |
| Small / Micro | < 50 | < โฌ10 million | < โฌ10 million | Generally exempt (with exceptions) |
โ ๏ธ Size Exceptions โ Small Entities That Must Still Comply
Regardless of size, the following entities always fall under NIS2:
- Qualified trust service providers
- Top-level domain (TLD) name registries
- DNS service providers
- Providers of public electronic communications networks or services
- Public administration entities at central government level
- Entities identified as critical under the CER Directive (EU) 2022/2557
- Entities that are the sole provider of a critical service in a Member State
- Entities whose disruption could have significant systemic impact
03 Country-by-Country Implementation Status
The transposition deadline was 17 October 2024. As of early 2026, implementation progress varies significantly across the EU. The European Commission launched infringement proceedings against 23 Member States in November 2024 for failing to fully transpose the directive on time. Here is the current status:
| Country | Status | Notes |
|---|---|---|
| ๐ฆ๐น Austria | Transposed | NISG 2024 adopted, in force since Q2 2025 |
| ๐ง๐ช Belgium | Transposed | NIS2 law (Loi NIS2) adopted April 2024, one of the first to complete |
| ๐ง๐ฌ Bulgaria | In Progress | Draft law in parliamentary procedure, expected adoption Q1 2026 |
| ๐ญ๐ท Croatia | Transposed | Cybersecurity Act adopted and in force |
| ๐จ๐พ Cyprus | In Progress | Draft legislation under review |
| ๐จ๐ฟ Czech Republic | Transposed | New Cybersecurity Act adopted mid-2025 |
| ๐ฉ๐ฐ Denmark | Transposed | NIS2 implementation across multiple sectoral acts |
| ๐ช๐ช Estonia | Transposed | Cybersecurity Act updated, in force |
| ๐ซ๐ฎ Finland | Transposed | Cybersecurity Act (Kyberturvallisuuslaki) adopted |
| ๐ซ๐ท France | In Progress | Projet de loi rรฉsilience includes NIS2 transposition, expected adoption 2026 |
| ๐ฉ๐ช Germany | In Progress | NIS2UmsuCG stalled in 2024 due to government collapse; new draft expected under new coalition by mid-2026 |
| ๐ฌ๐ท Greece | Transposed | Law adopted and published |
| ๐ญ๐บ Hungary | Transposed | Act adopted early, one of the first Member States |
| ๐ฎ๐ช Ireland | In Progress | Heads of Bill published, legislation progressing through Oireachtas |
| ๐ฎ๐น Italy | Transposed | Legislative Decree adopted October 2024, effective from early 2025 |
| ๐ฑ๐ป Latvia | Transposed | Amendments to National Cyber Security Law in force |
| ๐ฑ๐น Lithuania | Transposed | Updated Cyber Security Law adopted |
| ๐ฑ๐บ Luxembourg | In Progress | Draft legislation deposited, under parliamentary review |
| ๐ฒ๐น Malta | In Progress | Legal notice in preparation |
| ๐ณ๐ฑ Netherlands | In Progress | Cyberbeveiligingswet (Cbw) submitted to parliament, adoption expected mid-2026 |
| ๐ต๐ฑ Poland | In Progress | Draft amendment to KSC Act in advanced parliamentary stage |
| ๐ต๐น Portugal | In Progress | Transposition legislation under development |
| ๐ท๐ด Romania | In Progress | Draft law published for consultation |
| ๐ธ๐ฐ Slovakia | Transposed | Cybersecurity Act amendment adopted |
| ๐ธ๐ฎ Slovenia | Transposed | Information Security Act updated |
| ๐ช๐ธ Spain | In Progress | Anteproyecto de ley under government review |
| ๐ธ๐ช Sweden | Transposed | New Cybersecurity Act in force from Q1 2025 |
๐ Implementation Summary (as of March 2026)
Note: Status may change rapidly. The European Commission's January 2026 simplification proposal may also affect transposition approaches. Germany is a notable case โ the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act) was derailed by the 2024 government collapse and is being reintroduced under the new coalition formed in early 2026.
04 Key Requirements
NIS2's requirements can be grouped into three pillars: cybersecurity risk management measures (Article 21), governance obligations, and incident reporting (Article 23). All essential and important entities must comply with the same substantive requirements โ the difference lies primarily in supervision intensity.
Article 21: The 10 Minimum Security Measures
Article 21 is the heart of NIS2. It mandates that entities take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks. The directive specifies 10 minimum measures that must be addressed as a baseline:
1. Risk Analysis & IS Security Policies
Establish and maintain comprehensive policies on risk analysis and information system security. This includes regular risk assessments and documented security policies aligned with business objectives.
2. Incident Handling
Implement procedures for preventing, detecting, and responding to cybersecurity incidents. This covers the entire incident lifecycle from preparation through lessons learned.
3. Business Continuity & Crisis Management
Ensure business continuity through backup management, disaster recovery, and crisis management. Operations must be maintainable during and after cybersecurity incidents.
4. Supply Chain Security
Address security aspects of relationships with direct suppliers and service providers. Assess vulnerabilities of each supplier, product quality, and cybersecurity practices of the supply chain.
5. Security in Acquisition, Development & Maintenance
Embed security in the procurement, development, and maintenance of network and information systems, including vulnerability handling and disclosure.
6. Effectiveness Assessment
Implement policies and procedures to assess the effectiveness of cybersecurity risk-management measures. This includes regular testing, audits, and reviews.
7. Cyber Hygiene & Training
Establish basic cyber hygiene practices and provide regular cybersecurity awareness training for all staff, including management bodies.
8. Cryptography & Encryption
Define and implement policies on the use of cryptography and, where appropriate, encryption to protect data confidentiality, integrity, and authenticity.
9. HR Security & Access Control
Address human resources security, access control policies, and asset management. This covers the full employee lifecycle and the principle of least privilege.
10. Multi-Factor Authentication & Secured Communications
Deploy multi-factor authentication (MFA) or continuous authentication solutions, along with secured voice, video, and text communications, and secured emergency communication systems.
โ๏ธ The "Proportionality" Principle
NIS2 doesn't mandate specific technologies or solutions. Instead, measures must be "appropriate and proportionate" โ taking into account the entity's size, exposure to risks, the likelihood and severity of incidents, and their societal and economic impact. A hospital's requirements will differ from a courier service's, even if both must address the same 10 areas.
Governance Obligations
NIS2 brings cybersecurity firmly into the boardroom. Article 20 establishes that:
- Management bodies must approve the cybersecurity risk-management measures taken under Article 21
- Management must oversee the implementation of these measures and can be held liable for infringements
- Members of management bodies are required to undergo cybersecurity training and must encourage their employees to do the same
- For essential entities, Member States may impose temporary bans on managerial functions for individuals found responsible for non-compliance
This is a paradigm shift. Under NIS1, cybersecurity was often delegated entirely to IT departments. NIS2 makes it a board-level responsibility with personal consequences.
Incident Reporting (Article 23)
NIS2 introduces a mandatory, multi-stage incident reporting process for significant incidents:
โ ๏ธ What Counts as a "Significant Incident"?
An incident is considered significant if it:
- Has caused or is capable of causing severe operational disruption of the services or financial losses for the entity
- Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
Member States' competent authorities will provide further guidance on thresholds within their national implementing legislation.
05 Penalties & Enforcement
NIS2 significantly ramps up penalties compared to the original directive. The fines are designed to be effective, proportionate, and dissuasive โ and they distinguish between essential and important entities:
| Aspect | Essential Entities | Important Entities |
|---|---|---|
| Maximum Administrative Fine | โฌ10,000,000 or 2% of total annual worldwide turnover (whichever is higher) | โฌ7,000,000 or 1.4% of total annual worldwide turnover (whichever is higher) |
| Supervision Type | Ex-ante and ex-post (proactive) | Ex-post only (reactive, when evidence of non-compliance) |
| Supervisory Measures | On-site inspections, security audits, targeted audits, security scans, ad hoc audits after incidents | Same measures but triggered ex-post |
| Management Liability | Personal liability; temporary management bans possible | Personal liability |
| Binding Instructions | Authorities can issue binding instructions and compliance orders | Authorities can issue binding instructions |
๐ Management Liability โ A Game Changer
Perhaps the most impactful change: NIS2 allows Member States to hold natural persons in management positions personally liable for failures to comply with cybersecurity obligations. For essential entities, this can include temporary bans from exercising managerial functions. This provision is designed to ensure that cybersecurity receives genuine C-level attention rather than being treated as a purely technical issue.
06 NIS2 vs NIS1 โ What Changed?
The original NIS Directive (NIS1, 2016) was groundbreaking as the EU's first cybersecurity legislation, but it had significant shortcomings. NIS2 addresses these directly:
| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Sectors Covered | 7 sectors (energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure) | 18 sectors โ adds wastewater, public administration, space, ICT services, postal, waste, chemicals, food, manufacturing, digital providers, research |
| Entity Identification | Member States designate individual OES (Operators of Essential Services) | Automatic size-cap: all medium/large entities in scope sectors automatically covered |
| Security Requirements | High-level, left to Member State discretion | 10 harmonized minimum measures specified in Article 21 |
| Incident Reporting | "Without undue delay" | Strict timelines: 24h early warning, 72h full notification, 1-month final report |
| Penalties | No harmonized fines; varied widely by Member State | Harmonized: up to โฌ10M / 2% turnover (essential) or โฌ7M / 1.4% (important) |
| Management Liability | None specified | Explicit management body accountability with personal liability provisions |
| Supply Chain | Not addressed | Explicit supply chain security requirements in Article 21(2)(d) |
| Supervision | Minimal harmonization | Comprehensive supervision framework with defined powers for authorities |
| Entities Covered (est.) | ~15,000 across the EU | ~160,000 across the EU |
| Peer Reviews | Limited | Voluntary peer reviews introduced for mutual trust and learning |
07 NIS2 vs DORA vs EU AI Act
NIS2 doesn't exist in isolation. Two other major EU regulations overlap in important ways: DORA (Digital Operational Resilience Act) for the financial sector and the EU AI Act for artificial intelligence systems. Understanding their interplay is crucial for compliance planning.
| Aspect | NIS2 | DORA | EU AI Act |
|---|---|---|---|
| Legal Instrument | Directive (requires transposition) | Regulation (directly applicable) | Regulation (directly applicable) |
| Effective Date | Transposition by Oct 2024 | Applies from 17 Jan 2025 | Phased: Feb 2025 โ Aug 2027 |
| Scope | 18 critical sectors, ~160K entities | Financial sector (banks, insurers, investment firms, crypto-asset service providers, ICT third-party providers) | Any AI system placed on the EU market or used in the EU |
| Primary Focus | Cybersecurity risk management across critical infrastructure | Digital operational resilience of financial entities | Safety, transparency, and fundamental rights in AI |
| Key Requirements | 10 minimum security measures, incident reporting, governance | ICT risk management, incident reporting, resilience testing (TLPT), third-party risk management | Risk classification, conformity assessments, transparency obligations, prohibited practices |
| Incident Reporting | 24h / 72h / 1 month | Similar multi-stage (initial, intermediate, final) | Not primarily focused on incident reporting; relies on sector-specific rules |
| Max Penalties | โฌ10M / 2% turnover | Varies; up to 1% of average daily worldwide turnover (for financial entities), periodic penalty payments possible | Up to โฌ35M / 7% of global turnover for prohibited practices |
| Relationship to NIS2 | โ | Lex specialis: DORA takes precedence for financial entities where its provisions are at least equivalent | Complementary; AI systems in critical infrastructure may need to comply with both |
| Testing Requirements | Effectiveness assessment (Art. 21) | Advanced: Threat-Led Penetration Testing (TLPT) for systemically important entities | Conformity assessments for high-risk AI |
๐ The Lex Specialis Principle
Where sector-specific EU legislation (like DORA) imposes cybersecurity obligations that are at least equivalent to NIS2 requirements, the sector-specific legislation takes precedence. For financial entities, this means DORA compliance generally satisfies NIS2 requirements. However, entities should verify that all NIS2 areas are covered, as some DORA requirements may differ in scope or detail.
08 NIS2 Compliance Checklist
Use this interactive checklist to track your NIS2 compliance journey. Click on items to mark them as complete. Your progress is saved locally in your browser.
Phase 1: Assessment & Governance
- Determine if your organisation is in scopeAssess against size thresholds and the 18 sectors listed in Annexes I and II
- Classify as essential or important entityDetermines supervision regime, penalty levels, and reporting expectations
- Establish board-level cybersecurity governanceAssign accountability, get management body approval for security measures (Art. 20)
- Provide cybersecurity training for managementMandatory under Article 20 โ all management body members must undergo training
- Conduct comprehensive risk assessmentCover all network and information systems, identify threats, vulnerabilities, and impacts
Phase 2: Technical & Operational Measures
- Develop and document IS security policiesRisk analysis framework, asset inventory, access control policies (Art. 21(2)(a))
- Implement incident handling proceduresDetection, analysis, containment, eradication, and recovery processes (Art. 21(2)(b))
- Establish business continuity & disaster recoveryBackup management, crisis management, recovery objectives (Art. 21(2)(c))
- Assess and secure your supply chainEvaluate direct suppliers' cybersecurity practices, contractual requirements (Art. 21(2)(d))
- Integrate security into SDLC and procurementVulnerability handling and disclosure, secure development practices (Art. 21(2)(e))
- Deploy vulnerability testing & effectiveness assessmentRegular penetration testing, security audits, continuous monitoring (Art. 21(2)(f))
- Roll out cyber hygiene & awareness trainingOrganization-wide training programme, phishing simulations, best practices (Art. 21(2)(g))
- Implement cryptography & encryption policiesData-at-rest and data-in-transit encryption, key management (Art. 21(2)(h))
- Enforce access control & HR securityPrinciple of least privilege, role-based access, onboarding/offboarding procedures (Art. 21(2)(i))
- Deploy MFA and secure communicationsMulti-factor authentication everywhere possible, secure email/messaging/voice (Art. 21(2)(j))
Phase 3: Reporting & Continuous Improvement
- Set up incident reporting workflowsEstablish processes for 24h/72h/1-month reporting to competent authority and CSIRT
- Register with national competent authorityEntities in scope must register and may need to submit information (Art. 3)
- Establish continuous monitoring & review cycleRegular reviews of security measures, threat landscape updates, policy revisions
- Document compliance evidenceMaintain records for supervisory authorities: policies, assessments, training logs, test results
- Plan for ongoing penetration testing & auditsSchedule regular external assessments, automate where possible for continuous assurance
09 How KENSAI Helps with NIS2 Compliance
Meeting NIS2's Article 21 requirements demands more than one-off assessments. The directive emphasises continuous, proportionate measures โ making automated, AI-driven security testing a natural fit. KENSAI addresses several Article 21 requirements directly:
Vulnerability Handling & Disclosure (Art. 21(2)(e))
KENSAI's AI-powered penetration testing continuously discovers vulnerabilities across your attack surface โ from web applications to network infrastructure. Automated testing means vulnerabilities are found before attackers exploit them, directly satisfying the "vulnerability handling and disclosure" requirement.
Effectiveness Assessment (Art. 21(2)(f))
NIS2 requires policies to assess the effectiveness of your cybersecurity measures. KENSAI provides continuous validation that your defences actually work โ not just annual point-in-time checks, but ongoing assurance with detailed reporting suitable for board-level governance reviews.
Supply Chain Security (Art. 21(2)(d))
Assess the security posture of your digital supply chain through automated external surface analysis. KENSAI helps identify third-party components, exposed services, and potential supply chain risks โ critical for NIS2's supply chain security requirements.
Risk Analysis Support (Art. 21(2)(a))
Feed real-world vulnerability data into your risk analysis. KENSAI's findings provide concrete, evidence-based input for risk assessments โ moving beyond theoretical threat modelling to actual security posture measurement.
Start Your NIS2 Compliance Journey
Automated penetration testing with KENSAI gives you continuous security assurance โ exactly what NIS2 demands. See how AI-driven security testing maps to your Article 21 obligations.
Explore KENSAI โ10 Frequently Asked Questions
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It establishes a unified legal framework requiring organizations across 18 critical sectors to implement robust cybersecurity risk management measures and report significant incidents to national authorities.
NIS2 entered into force on 16 January 2023. EU Member States had until 17 October 2024 to transpose it into national law. As of early 2026, most Member States have completed or are finalizing their transposition, with enforcement actively underway in countries that have adopted national implementing legislation.
NIS2 applies to medium-sized and large entities (50+ employees or โฌ10M+ annual turnover) operating in 18 designated sectors. These include energy, transport, banking, health, digital infrastructure, public administration, and more. Some entities โ like DNS providers, TLD registries, and telecom operators โ must comply regardless of their size.
Essential entities face fines up to โฌ10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to โฌ7 million or 1.4% of global annual turnover. Additionally, senior management can be held personally liable, and for essential entities, temporary management bans are possible.
Essential entities operate in sectors of high criticality (Annex I: energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space) and face proactive (ex-ante) supervision with higher penalties. Important entities operate in other critical sectors (Annex II: postal, waste, chemicals, food, manufacturing, digital providers, research) and face reactive (ex-post) supervision with somewhat lower penalty caps. Both must implement the same Article 21 security measures.
Yes. NIS2 can apply to non-EU companies if they provide services within the EU in scope sectors. Such entities must designate a representative in one of the Member States where they operate. This extraterritorial reach is similar in concept to the GDPR's approach.
NIS2 requires a multi-stage reporting process for significant incidents: (1) an early warning within 24 hours of awareness, (2) a full incident notification within 72 hours with severity assessment and IoCs, (3) intermediate reports upon request, and (4) a comprehensive final report within one month including root cause analysis and mitigation measures.
Article 21 mandates: (1) risk analysis and IS security policies, (2) incident handling, (3) business continuity and crisis management, (4) supply chain security, (5) security in acquisition/development/maintenance including vulnerability handling, (6) effectiveness assessment, (7) cyber hygiene and training, (8) cryptography and encryption, (9) HR security and access control, (10) multi-factor authentication and secured communications.
NIS2 dramatically expands scope from 7 to 18 sectors (covering ~160K vs ~15K entities), introduces harmonized penalties (up to โฌ10M/2% turnover), specifies 10 minimum security measures, adds strict incident reporting timelines (24h/72h/1 month), introduces management liability, requires supply chain security, and uses automatic size-based scoping instead of individual designation.
DORA (Digital Operational Resilience Act) is sector-specific regulation for financial entities. Under the lex specialis principle, DORA takes precedence over NIS2 for financial entities where DORA requirements are at least equivalent. Financial entities primarily comply with DORA; NIS2 acts as a fallback for areas not covered by DORA.
Generally, NIS2 applies to medium-sized (50+ employees) and large entities. However, certain entities must comply regardless of size: qualified trust service providers, TLD registries, DNS service providers, telecom providers, public administration entities, sole providers of critical services, and entities identified as critical under the CER Directive.
NIS2 requires management bodies to approve cybersecurity risk management measures, oversee their implementation, undergo cybersecurity training, and encourage employee training. Management can be held personally liable for infringements, and for essential entities, temporary bans on managerial functions are possible.
Even without national transposition, you should prepare. The European Commission has launched infringement proceedings against late states. The directive's requirements represent cybersecurity best practices regardless. In some jurisdictions, courts may apply directive principles directly (direct effect) for sufficiently clear and unconditional provisions. Most importantly, once transposition occurs, there may be short grace periods or immediate enforcement.
Automated pentesting directly addresses multiple Article 21 requirements: vulnerability handling and disclosure (measure 5), effectiveness assessment (measure 6), supply chain security testing (measure 4), and risk analysis input (measure 1). Continuous automated testing aligns perfectly with NIS2's emphasis on ongoing โ not one-off โ security assessment. Tools like KENSAI provide this continuous assurance.
No. NIS2 requires ongoing compliance. Organizations must continuously assess and update security measures, regularly test their effectiveness, maintain incident response capabilities, keep supply chain assessments current, and ensure staff training is up to date. The directive explicitly calls for measures that are "maintained and updated where appropriate" โ compliance is a continuous process.
Article 21(2)(d) explicitly requires addressing supply chain security. This includes assessing vulnerabilities specific to each direct supplier, evaluating the overall quality and cybersecurity practices of suppliers (including their secure development procedures), and considering the results of coordinated security risk assessments of critical supply chains carried out at EU level under Article 22.
Ready to Tackle NIS2?
Compliance starts with understanding your security posture. KENSAI's AI-powered penetration testing gives you continuous, automated security assessment โ the kind NIS2 demands.
Get Started with KENSAI โDisclaimer: This guide is provided for informational purposes only and does not constitute legal advice. NIS2 implementation varies by Member State, and organizations should consult with qualified legal and cybersecurity professionals for specific compliance requirements. Information is current as of March 2026 and subject to change as Member States complete transposition and the European Commission's January 2026 simplification proposals progress.