01 What is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's landmark cybersecurity regulation โ€” a comprehensive overhaul of the original NIS Directive from 2016. Published in the Official Journal of the EU on 27 December 2022, NIS2 establishes a unified legal framework requiring organizations across 18 critical sectors to implement robust cybersecurity risk management measures and report significant incidents.

NIS2 represents a fundamental shift in how the EU approaches cybersecurity. While the original NIS Directive left significant discretion to Member States โ€” resulting in fragmented implementation โ€” NIS2 harmonizes requirements, introduces stricter oversight mechanisms, and dramatically expands the scope of entities that must comply.

18
Sectors Covered
~160K
Entities Affected
โ‚ฌ10M
Max Fine (Essential)
27
EU Member States

Timeline & Key Dates

16 December 2020
European Commission proposes the NIS2 Directive
13 May 2022
EU co-legislators reach political agreement on the text
27 December 2022
NIS2 published in the Official Journal of the EU
16 January 2023
NIS2 enters into force
17 October 2024
Transposition deadline: Member States must adopt national implementing measures
17 April 2025
Member States must establish lists of essential and important entities
20 January 2026
European Commission proposes targeted amendments for simplification
17 October 2027
Commission reviews the functioning of the Directive

๐Ÿ’ก Why NIS2 Matters Now

As of early 2026, NIS2 is no longer a future concern โ€” it's an active legal obligation. The European Commission has initiated infringement proceedings against Member States that missed the October 2024 transposition deadline. National authorities are beginning supervision activities, and organizations that haven't started their compliance journey are already behind.

02 Who Must Comply?

NIS2 takes a fundamentally different approach to scope than its predecessor. Instead of allowing each Member State to designate operators, NIS2 uses a size-cap mechanism combined with sector-based criteria. This means any medium-sized or large entity operating in a covered sector automatically falls within scope โ€” no individual designation needed.

Entities are classified into two categories based on their sector and size: essential entities (subject to stricter supervision) and important entities (lighter-touch, ex-post supervision).

Sectors of High Criticality โ€” Essential Entities

Annex I of NIS2 lists 11 sectors of high criticality. Large entities in these sectors are classified as essential:

โšก
EnergyElectricity, district heating/cooling, oil, gas, hydrogen
๐Ÿš‚
TransportAir, rail, water, road
๐Ÿฆ
BankingCredit institutions
๐Ÿ“ˆ
Financial Market InfrastructureTrading venues, central counterparties
๐Ÿฅ
HealthHospitals, labs, pharma, medical devices
๐Ÿ’ง
Drinking WaterWater supply and distribution
๐Ÿšฐ
Waste WaterCollection, disposal, treatment
๐ŸŒ
Digital InfrastructureIXPs, DNS, TLD registries, cloud, data centres, CDNs, trust services, telecom
๐Ÿ’ป
ICT Service Management (B2B)Managed service & managed security service providers
๐Ÿ›๏ธ
Public AdministrationCentral government entities (optional: regional/local)
๐Ÿš€
SpaceOperators of ground-based infrastructure

Other Critical Sectors โ€” Important Entities

Annex II lists 7 additional sectors. Medium-sized and large entities in these sectors are classified as important:

๐Ÿ“ฎ
Postal & Courier ServicesIncluding parcel delivery services
๐Ÿ—‘๏ธ
Waste ManagementCollection, treatment, disposal
โš—๏ธ
ChemicalsProduction, manufacture, distribution
๐Ÿ•
FoodProduction, processing, distribution (wholesale)
๐Ÿญ
ManufacturingMedical devices, computers, electronics, machinery, motor vehicles, transport equipment
๐Ÿ”Œ
Digital ProvidersOnline marketplaces, search engines, social networking platforms
๐Ÿ”ฌ
ResearchResearch organisations (where results are exploited commercially)

Size Thresholds

Category Employees Annual Turnover Balance Sheet NIS2 Classification
Large entity 250+ > โ‚ฌ50 million > โ‚ฌ43 million Essential (Annex I) or Important (Annex II)
Medium entity 50โ€“249 โ‚ฌ10M โ€“ โ‚ฌ50M โ‚ฌ10M โ€“ โ‚ฌ43M Important (or Essential if Annex I)
Small / Micro < 50 < โ‚ฌ10 million < โ‚ฌ10 million Generally exempt (with exceptions)

โš ๏ธ Size Exceptions โ€” Small Entities That Must Still Comply

Regardless of size, the following entities always fall under NIS2:

  • Qualified trust service providers
  • Top-level domain (TLD) name registries
  • DNS service providers
  • Providers of public electronic communications networks or services
  • Public administration entities at central government level
  • Entities identified as critical under the CER Directive (EU) 2022/2557
  • Entities that are the sole provider of a critical service in a Member State
  • Entities whose disruption could have significant systemic impact

03 Country-by-Country Implementation Status

The transposition deadline was 17 October 2024. As of early 2026, implementation progress varies significantly across the EU. The European Commission launched infringement proceedings against 23 Member States in November 2024 for failing to fully transpose the directive on time. Here is the current status:

Country Status Notes
๐Ÿ‡ฆ๐Ÿ‡น AustriaTransposedNISG 2024 adopted, in force since Q2 2025
๐Ÿ‡ง๐Ÿ‡ช BelgiumTransposedNIS2 law (Loi NIS2) adopted April 2024, one of the first to complete
๐Ÿ‡ง๐Ÿ‡ฌ BulgariaIn ProgressDraft law in parliamentary procedure, expected adoption Q1 2026
๐Ÿ‡ญ๐Ÿ‡ท CroatiaTransposedCybersecurity Act adopted and in force
๐Ÿ‡จ๐Ÿ‡พ CyprusIn ProgressDraft legislation under review
๐Ÿ‡จ๐Ÿ‡ฟ Czech RepublicTransposedNew Cybersecurity Act adopted mid-2025
๐Ÿ‡ฉ๐Ÿ‡ฐ DenmarkTransposedNIS2 implementation across multiple sectoral acts
๐Ÿ‡ช๐Ÿ‡ช EstoniaTransposedCybersecurity Act updated, in force
๐Ÿ‡ซ๐Ÿ‡ฎ FinlandTransposedCybersecurity Act (Kyberturvallisuuslaki) adopted
๐Ÿ‡ซ๐Ÿ‡ท FranceIn ProgressProjet de loi rรฉsilience includes NIS2 transposition, expected adoption 2026
๐Ÿ‡ฉ๐Ÿ‡ช GermanyIn ProgressNIS2UmsuCG stalled in 2024 due to government collapse; new draft expected under new coalition by mid-2026
๐Ÿ‡ฌ๐Ÿ‡ท GreeceTransposedLaw adopted and published
๐Ÿ‡ญ๐Ÿ‡บ HungaryTransposedAct adopted early, one of the first Member States
๐Ÿ‡ฎ๐Ÿ‡ช IrelandIn ProgressHeads of Bill published, legislation progressing through Oireachtas
๐Ÿ‡ฎ๐Ÿ‡น ItalyTransposedLegislative Decree adopted October 2024, effective from early 2025
๐Ÿ‡ฑ๐Ÿ‡ป LatviaTransposedAmendments to National Cyber Security Law in force
๐Ÿ‡ฑ๐Ÿ‡น LithuaniaTransposedUpdated Cyber Security Law adopted
๐Ÿ‡ฑ๐Ÿ‡บ LuxembourgIn ProgressDraft legislation deposited, under parliamentary review
๐Ÿ‡ฒ๐Ÿ‡น MaltaIn ProgressLegal notice in preparation
๐Ÿ‡ณ๐Ÿ‡ฑ NetherlandsIn ProgressCyberbeveiligingswet (Cbw) submitted to parliament, adoption expected mid-2026
๐Ÿ‡ต๐Ÿ‡ฑ PolandIn ProgressDraft amendment to KSC Act in advanced parliamentary stage
๐Ÿ‡ต๐Ÿ‡น PortugalIn ProgressTransposition legislation under development
๐Ÿ‡ท๐Ÿ‡ด RomaniaIn ProgressDraft law published for consultation
๐Ÿ‡ธ๐Ÿ‡ฐ SlovakiaTransposedCybersecurity Act amendment adopted
๐Ÿ‡ธ๐Ÿ‡ฎ SloveniaTransposedInformation Security Act updated
๐Ÿ‡ช๐Ÿ‡ธ SpainIn ProgressAnteproyecto de ley under government review
๐Ÿ‡ธ๐Ÿ‡ช SwedenTransposedNew Cybersecurity Act in force from Q1 2025

๐Ÿ“Š Implementation Summary (as of March 2026)

16
Fully Transposed
11
In Progress

Note: Status may change rapidly. The European Commission's January 2026 simplification proposal may also affect transposition approaches. Germany is a notable case โ€” the NIS2UmsuCG (NIS2 Implementation and Cybersecurity Strengthening Act) was derailed by the 2024 government collapse and is being reintroduced under the new coalition formed in early 2026.

04 Key Requirements

NIS2's requirements can be grouped into three pillars: cybersecurity risk management measures (Article 21), governance obligations, and incident reporting (Article 23). All essential and important entities must comply with the same substantive requirements โ€” the difference lies primarily in supervision intensity.

Article 21: The 10 Minimum Security Measures

Article 21 is the heart of NIS2. It mandates that entities take "appropriate and proportionate technical, operational and organisational measures" to manage cybersecurity risks. The directive specifies 10 minimum measures that must be addressed as a baseline:

๐Ÿ“‹

1. Risk Analysis & IS Security Policies

Establish and maintain comprehensive policies on risk analysis and information system security. This includes regular risk assessments and documented security policies aligned with business objectives.

๐Ÿšจ

2. Incident Handling

Implement procedures for preventing, detecting, and responding to cybersecurity incidents. This covers the entire incident lifecycle from preparation through lessons learned.

๐Ÿ”„

3. Business Continuity & Crisis Management

Ensure business continuity through backup management, disaster recovery, and crisis management. Operations must be maintainable during and after cybersecurity incidents.

๐Ÿ”—

4. Supply Chain Security

Address security aspects of relationships with direct suppliers and service providers. Assess vulnerabilities of each supplier, product quality, and cybersecurity practices of the supply chain.

๐Ÿ›ก๏ธ

5. Security in Acquisition, Development & Maintenance

Embed security in the procurement, development, and maintenance of network and information systems, including vulnerability handling and disclosure.

๐Ÿ“Š

6. Effectiveness Assessment

Implement policies and procedures to assess the effectiveness of cybersecurity risk-management measures. This includes regular testing, audits, and reviews.

๐Ÿงน

7. Cyber Hygiene & Training

Establish basic cyber hygiene practices and provide regular cybersecurity awareness training for all staff, including management bodies.

๐Ÿ”

8. Cryptography & Encryption

Define and implement policies on the use of cryptography and, where appropriate, encryption to protect data confidentiality, integrity, and authenticity.

๐Ÿ‘ค

9. HR Security & Access Control

Address human resources security, access control policies, and asset management. This covers the full employee lifecycle and the principle of least privilege.

๐Ÿ”‘

10. Multi-Factor Authentication & Secured Communications

Deploy multi-factor authentication (MFA) or continuous authentication solutions, along with secured voice, video, and text communications, and secured emergency communication systems.

โš™๏ธ The "Proportionality" Principle

NIS2 doesn't mandate specific technologies or solutions. Instead, measures must be "appropriate and proportionate" โ€” taking into account the entity's size, exposure to risks, the likelihood and severity of incidents, and their societal and economic impact. A hospital's requirements will differ from a courier service's, even if both must address the same 10 areas.

Governance Obligations

NIS2 brings cybersecurity firmly into the boardroom. Article 20 establishes that:

  • Management bodies must approve the cybersecurity risk-management measures taken under Article 21
  • Management must oversee the implementation of these measures and can be held liable for infringements
  • Members of management bodies are required to undergo cybersecurity training and must encourage their employees to do the same
  • For essential entities, Member States may impose temporary bans on managerial functions for individuals found responsible for non-compliance

This is a paradigm shift. Under NIS1, cybersecurity was often delegated entirely to IT departments. NIS2 makes it a board-level responsibility with personal consequences.

Incident Reporting (Article 23)

NIS2 introduces a mandatory, multi-stage incident reporting process for significant incidents:

Within 24 hours
Early Warning: Notify the competent authority or CSIRT. Indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
Within 72 hours
Incident Notification: Submit a full notification with an initial assessment of the incident, including its severity and impact, and indicators of compromise (IoCs) where available.
Upon request
Intermediate Report: Provide status updates on the incident handling if requested by the competent authority or CSIRT.
Within 1 month
Final Report: Submit a detailed report including root cause analysis, mitigation measures applied and ongoing, and cross-border impact assessment if applicable.

โš ๏ธ What Counts as a "Significant Incident"?

An incident is considered significant if it:

  • Has caused or is capable of causing severe operational disruption of the services or financial losses for the entity
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage

Member States' competent authorities will provide further guidance on thresholds within their national implementing legislation.

05 Penalties & Enforcement

NIS2 significantly ramps up penalties compared to the original directive. The fines are designed to be effective, proportionate, and dissuasive โ€” and they distinguish between essential and important entities:

Aspect Essential Entities Important Entities
Maximum Administrative Fine โ‚ฌ10,000,000 or 2% of total annual worldwide turnover (whichever is higher) โ‚ฌ7,000,000 or 1.4% of total annual worldwide turnover (whichever is higher)
Supervision Type Ex-ante and ex-post (proactive) Ex-post only (reactive, when evidence of non-compliance)
Supervisory Measures On-site inspections, security audits, targeted audits, security scans, ad hoc audits after incidents Same measures but triggered ex-post
Management Liability Personal liability; temporary management bans possible Personal liability
Binding Instructions Authorities can issue binding instructions and compliance orders Authorities can issue binding instructions

๐Ÿ‘” Management Liability โ€” A Game Changer

Perhaps the most impactful change: NIS2 allows Member States to hold natural persons in management positions personally liable for failures to comply with cybersecurity obligations. For essential entities, this can include temporary bans from exercising managerial functions. This provision is designed to ensure that cybersecurity receives genuine C-level attention rather than being treated as a purely technical issue.

06 NIS2 vs NIS1 โ€” What Changed?

The original NIS Directive (NIS1, 2016) was groundbreaking as the EU's first cybersecurity legislation, but it had significant shortcomings. NIS2 addresses these directly:

Aspect NIS1 (2016) NIS2 (2022)
Sectors Covered 7 sectors (energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure) 18 sectors โ€” adds wastewater, public administration, space, ICT services, postal, waste, chemicals, food, manufacturing, digital providers, research
Entity Identification Member States designate individual OES (Operators of Essential Services) Automatic size-cap: all medium/large entities in scope sectors automatically covered
Security Requirements High-level, left to Member State discretion 10 harmonized minimum measures specified in Article 21
Incident Reporting "Without undue delay" Strict timelines: 24h early warning, 72h full notification, 1-month final report
Penalties No harmonized fines; varied widely by Member State Harmonized: up to โ‚ฌ10M / 2% turnover (essential) or โ‚ฌ7M / 1.4% (important)
Management Liability None specified Explicit management body accountability with personal liability provisions
Supply Chain Not addressed Explicit supply chain security requirements in Article 21(2)(d)
Supervision Minimal harmonization Comprehensive supervision framework with defined powers for authorities
Entities Covered (est.) ~15,000 across the EU ~160,000 across the EU
Peer Reviews Limited Voluntary peer reviews introduced for mutual trust and learning

07 NIS2 vs DORA vs EU AI Act

NIS2 doesn't exist in isolation. Two other major EU regulations overlap in important ways: DORA (Digital Operational Resilience Act) for the financial sector and the EU AI Act for artificial intelligence systems. Understanding their interplay is crucial for compliance planning.

Aspect NIS2 DORA EU AI Act
Legal Instrument Directive (requires transposition) Regulation (directly applicable) Regulation (directly applicable)
Effective Date Transposition by Oct 2024 Applies from 17 Jan 2025 Phased: Feb 2025 โ€“ Aug 2027
Scope 18 critical sectors, ~160K entities Financial sector (banks, insurers, investment firms, crypto-asset service providers, ICT third-party providers) Any AI system placed on the EU market or used in the EU
Primary Focus Cybersecurity risk management across critical infrastructure Digital operational resilience of financial entities Safety, transparency, and fundamental rights in AI
Key Requirements 10 minimum security measures, incident reporting, governance ICT risk management, incident reporting, resilience testing (TLPT), third-party risk management Risk classification, conformity assessments, transparency obligations, prohibited practices
Incident Reporting 24h / 72h / 1 month Similar multi-stage (initial, intermediate, final) Not primarily focused on incident reporting; relies on sector-specific rules
Max Penalties โ‚ฌ10M / 2% turnover Varies; up to 1% of average daily worldwide turnover (for financial entities), periodic penalty payments possible Up to โ‚ฌ35M / 7% of global turnover for prohibited practices
Relationship to NIS2 โ€” Lex specialis: DORA takes precedence for financial entities where its provisions are at least equivalent Complementary; AI systems in critical infrastructure may need to comply with both
Testing Requirements Effectiveness assessment (Art. 21) Advanced: Threat-Led Penetration Testing (TLPT) for systemically important entities Conformity assessments for high-risk AI

๐Ÿ”€ The Lex Specialis Principle

Where sector-specific EU legislation (like DORA) imposes cybersecurity obligations that are at least equivalent to NIS2 requirements, the sector-specific legislation takes precedence. For financial entities, this means DORA compliance generally satisfies NIS2 requirements. However, entities should verify that all NIS2 areas are covered, as some DORA requirements may differ in scope or detail.

08 NIS2 Compliance Checklist

Use this interactive checklist to track your NIS2 compliance journey. Click on items to mark them as complete. Your progress is saved locally in your browser.

0 / 20

Phase 1: Assessment & Governance

  • Determine if your organisation is in scopeAssess against size thresholds and the 18 sectors listed in Annexes I and II
  • Classify as essential or important entityDetermines supervision regime, penalty levels, and reporting expectations
  • Establish board-level cybersecurity governanceAssign accountability, get management body approval for security measures (Art. 20)
  • Provide cybersecurity training for managementMandatory under Article 20 โ€” all management body members must undergo training
  • Conduct comprehensive risk assessmentCover all network and information systems, identify threats, vulnerabilities, and impacts

Phase 2: Technical & Operational Measures

  • Develop and document IS security policiesRisk analysis framework, asset inventory, access control policies (Art. 21(2)(a))
  • Implement incident handling proceduresDetection, analysis, containment, eradication, and recovery processes (Art. 21(2)(b))
  • Establish business continuity & disaster recoveryBackup management, crisis management, recovery objectives (Art. 21(2)(c))
  • Assess and secure your supply chainEvaluate direct suppliers' cybersecurity practices, contractual requirements (Art. 21(2)(d))
  • Integrate security into SDLC and procurementVulnerability handling and disclosure, secure development practices (Art. 21(2)(e))
  • Deploy vulnerability testing & effectiveness assessmentRegular penetration testing, security audits, continuous monitoring (Art. 21(2)(f))
  • Roll out cyber hygiene & awareness trainingOrganization-wide training programme, phishing simulations, best practices (Art. 21(2)(g))
  • Implement cryptography & encryption policiesData-at-rest and data-in-transit encryption, key management (Art. 21(2)(h))
  • Enforce access control & HR securityPrinciple of least privilege, role-based access, onboarding/offboarding procedures (Art. 21(2)(i))
  • Deploy MFA and secure communicationsMulti-factor authentication everywhere possible, secure email/messaging/voice (Art. 21(2)(j))

Phase 3: Reporting & Continuous Improvement

  • Set up incident reporting workflowsEstablish processes for 24h/72h/1-month reporting to competent authority and CSIRT
  • Register with national competent authorityEntities in scope must register and may need to submit information (Art. 3)
  • Establish continuous monitoring & review cycleRegular reviews of security measures, threat landscape updates, policy revisions
  • Document compliance evidenceMaintain records for supervisory authorities: policies, assessments, training logs, test results
  • Plan for ongoing penetration testing & auditsSchedule regular external assessments, automate where possible for continuous assurance

09 How KENSAI Helps with NIS2 Compliance

Meeting NIS2's Article 21 requirements demands more than one-off assessments. The directive emphasises continuous, proportionate measures โ€” making automated, AI-driven security testing a natural fit. KENSAI addresses several Article 21 requirements directly:

๐Ÿ”

Vulnerability Handling & Disclosure (Art. 21(2)(e))

KENSAI's AI-powered penetration testing continuously discovers vulnerabilities across your attack surface โ€” from web applications to network infrastructure. Automated testing means vulnerabilities are found before attackers exploit them, directly satisfying the "vulnerability handling and disclosure" requirement.

๐Ÿ“Š

Effectiveness Assessment (Art. 21(2)(f))

NIS2 requires policies to assess the effectiveness of your cybersecurity measures. KENSAI provides continuous validation that your defences actually work โ€” not just annual point-in-time checks, but ongoing assurance with detailed reporting suitable for board-level governance reviews.

๐Ÿ”—

Supply Chain Security (Art. 21(2)(d))

Assess the security posture of your digital supply chain through automated external surface analysis. KENSAI helps identify third-party components, exposed services, and potential supply chain risks โ€” critical for NIS2's supply chain security requirements.

๐Ÿ“‹

Risk Analysis Support (Art. 21(2)(a))

Feed real-world vulnerability data into your risk analysis. KENSAI's findings provide concrete, evidence-based input for risk assessments โ€” moving beyond theoretical threat modelling to actual security posture measurement.

Start Your NIS2 Compliance Journey

Automated penetration testing with KENSAI gives you continuous security assurance โ€” exactly what NIS2 demands. See how AI-driven security testing maps to your Article 21 obligations.

Explore KENSAI โ†’

10 Frequently Asked Questions

What is the NIS2 Directive? โ–พ

The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It establishes a unified legal framework requiring organizations across 18 critical sectors to implement robust cybersecurity risk management measures and report significant incidents to national authorities.

When does NIS2 take effect? โ–พ

NIS2 entered into force on 16 January 2023. EU Member States had until 17 October 2024 to transpose it into national law. As of early 2026, most Member States have completed or are finalizing their transposition, with enforcement actively underway in countries that have adopted national implementing legislation.

Who must comply with NIS2? โ–พ

NIS2 applies to medium-sized and large entities (50+ employees or โ‚ฌ10M+ annual turnover) operating in 18 designated sectors. These include energy, transport, banking, health, digital infrastructure, public administration, and more. Some entities โ€” like DNS providers, TLD registries, and telecom operators โ€” must comply regardless of their size.

What are the penalties for NIS2 non-compliance? โ–พ

Essential entities face fines up to โ‚ฌ10 million or 2% of global annual turnover (whichever is higher). Important entities face fines up to โ‚ฌ7 million or 1.4% of global annual turnover. Additionally, senior management can be held personally liable, and for essential entities, temporary management bans are possible.

What is the difference between essential and important entities? โ–พ

Essential entities operate in sectors of high criticality (Annex I: energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space) and face proactive (ex-ante) supervision with higher penalties. Important entities operate in other critical sectors (Annex II: postal, waste, chemicals, food, manufacturing, digital providers, research) and face reactive (ex-post) supervision with somewhat lower penalty caps. Both must implement the same Article 21 security measures.

Does NIS2 apply to companies outside the EU? โ–พ

Yes. NIS2 can apply to non-EU companies if they provide services within the EU in scope sectors. Such entities must designate a representative in one of the Member States where they operate. This extraterritorial reach is similar in concept to the GDPR's approach.

What are the NIS2 incident reporting requirements? โ–พ

NIS2 requires a multi-stage reporting process for significant incidents: (1) an early warning within 24 hours of awareness, (2) a full incident notification within 72 hours with severity assessment and IoCs, (3) intermediate reports upon request, and (4) a comprehensive final report within one month including root cause analysis and mitigation measures.

What are the 10 minimum security measures under Article 21? โ–พ

Article 21 mandates: (1) risk analysis and IS security policies, (2) incident handling, (3) business continuity and crisis management, (4) supply chain security, (5) security in acquisition/development/maintenance including vulnerability handling, (6) effectiveness assessment, (7) cyber hygiene and training, (8) cryptography and encryption, (9) HR security and access control, (10) multi-factor authentication and secured communications.

How is NIS2 different from NIS1? โ–พ

NIS2 dramatically expands scope from 7 to 18 sectors (covering ~160K vs ~15K entities), introduces harmonized penalties (up to โ‚ฌ10M/2% turnover), specifies 10 minimum security measures, adds strict incident reporting timelines (24h/72h/1 month), introduces management liability, requires supply chain security, and uses automatic size-based scoping instead of individual designation.

How does NIS2 relate to DORA? โ–พ

DORA (Digital Operational Resilience Act) is sector-specific regulation for financial entities. Under the lex specialis principle, DORA takes precedence over NIS2 for financial entities where DORA requirements are at least equivalent. Financial entities primarily comply with DORA; NIS2 acts as a fallback for areas not covered by DORA.

Do small companies need to comply with NIS2? โ–พ

Generally, NIS2 applies to medium-sized (50+ employees) and large entities. However, certain entities must comply regardless of size: qualified trust service providers, TLD registries, DNS service providers, telecom providers, public administration entities, sole providers of critical services, and entities identified as critical under the CER Directive.

What is the role of management under NIS2? โ–พ

NIS2 requires management bodies to approve cybersecurity risk management measures, oversee their implementation, undergo cybersecurity training, and encourage employee training. Management can be held personally liable for infringements, and for essential entities, temporary bans on managerial functions are possible.

What happens if my country hasn't transposed NIS2 yet? โ–พ

Even without national transposition, you should prepare. The European Commission has launched infringement proceedings against late states. The directive's requirements represent cybersecurity best practices regardless. In some jurisdictions, courts may apply directive principles directly (direct effect) for sufficiently clear and unconditional provisions. Most importantly, once transposition occurs, there may be short grace periods or immediate enforcement.

How can automated penetration testing help with NIS2? โ–พ

Automated pentesting directly addresses multiple Article 21 requirements: vulnerability handling and disclosure (measure 5), effectiveness assessment (measure 6), supply chain security testing (measure 4), and risk analysis input (measure 1). Continuous automated testing aligns perfectly with NIS2's emphasis on ongoing โ€” not one-off โ€” security assessment. Tools like KENSAI provide this continuous assurance.

Is NIS2 compliance a one-time effort? โ–พ

No. NIS2 requires ongoing compliance. Organizations must continuously assess and update security measures, regularly test their effectiveness, maintain incident response capabilities, keep supply chain assessments current, and ensure staff training is up to date. The directive explicitly calls for measures that are "maintained and updated where appropriate" โ€” compliance is a continuous process.

How does NIS2 handle supply chain security? โ–พ

Article 21(2)(d) explicitly requires addressing supply chain security. This includes assessing vulnerabilities specific to each direct supplier, evaluating the overall quality and cybersecurity practices of suppliers (including their secure development procedures), and considering the results of coordinated security risk assessments of critical supply chains carried out at EU level under Article 22.

Ready to Tackle NIS2?

Compliance starts with understanding your security posture. KENSAI's AI-powered penetration testing gives you continuous, automated security assessment โ€” the kind NIS2 demands.

Get Started with KENSAI โ†’

Disclaimer: This guide is provided for informational purposes only and does not constitute legal advice. NIS2 implementation varies by Member State, and organizations should consult with qualified legal and cybersecurity professionals for specific compliance requirements. Information is current as of March 2026 and subject to change as Member States complete transposition and the European Commission's January 2026 simplification proposals progress.