What is NIS2? Everything Your Business Needs to Know

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union’s most comprehensive cybersecurity law to date. It replaces the original NIS Directive (2016) and significantly expands both the scope and obligations for organizations that provide essential or important services.

In short: NIS2 sets baseline cybersecurity and incident reporting requirements for a broad range of sectors — from energy and healthcare to finance, manufacturing, and digital infrastructure. Compliance is not optional; penalties for violations can reach €10 million or 2% of global turnover, whichever is higher.


Background: Why NIS2 Exists

The original NIS Directive of 2016 was the EU’s first attempt at harmonizing cybersecurity requirements across member states. While it improved coordination, it had key weaknesses:

  • Limited scope – Too few sectors were covered, leaving many critical industries outside its reach.
  • Inconsistent enforcement – Different member states had widely varying requirements.
  • Evolving threats – Ransomware, supply chain attacks, and state-sponsored cyber operations have grown more sophisticated.

High-profile incidents such as the Colonial Pipeline attack in the US, ransomware on German hospitals, and supply chain breaches like SolarWinds made clear that critical sectors needed stronger, uniform protection across Europe.


Who Must Comply with NIS2?

Under NIS2, organizations are categorized as:

Category | Examples | Supervisory Approach | Penalty Cap
Essential Entities | Electricity grid operators, large hospitals, major transport hubs, central banks | Proactive audits, strict oversight | €10M or 2% of global turnover
Important Entities | Cloud hosting providers, medical device manufacturers, food production plants, manufacturing suppliers | Reactive oversight (after incidents or complaints) | €7M or 1.4% of global turnover

Size Threshold: Applies to medium and large enterprises (50+ employees or €10M+ turnover), but micro-enterprises can still be included if their services are critical — for example, a 20-person water treatment supplier in a rural region.


Sectors Covered

NIS2 applies to 18 sectors, split into high criticality and other critical sectors.

High Criticality Sectors include:

  • Energy (electricity, gas, oil, hydrogen)
  • Transport (air, rail, water, road)
  • Banking & Financial Market Infrastructure
  • Health (hospitals, private clinics, laboratories)
  • Drinking water and wastewater
  • Digital Infrastructure (DNS, TLD registries, data centres, cloud computing)

Other Critical Sectors include:

  • Postal and courier services
  • Waste management
  • Chemicals manufacturing
  • Food production, processing, and distribution
  • Manufacturing of critical products (medical devices, electronics, machinery)

Example: A Dutch company producing medical-grade oxygen would be covered under both manufacturing and healthcare supply chain rules.


Key Requirements of NIS2

Every covered entity must:

  1. Implement robust risk management measures
    Examples include: segmenting operational networks from corporate IT, enforcing strict password rotation policies, encrypting data at rest, and adopting zero-trust principles.
  2. Report significant incidents quickly
    • Initial notification within 24 hours of awareness
    • Incident update within 72 hours
    • Final report within one month
      Example: If a ransomware attack halts operations at a logistics hub, the first report must be sent to the national authority before recovery is complete.
  3. Manage supply chain risks
    • Vet suppliers and contractors
    • Include cybersecurity clauses in contracts
    • Require regular compliance attestations
  4. Ensure board-level oversight
    Senior management must approve cybersecurity measures and can be held personally liable for negligence.
  5. Be ready for audits
    Supervisory authorities can demand access logs, security policies, and incident documentation at any time.

Detailed Incident Reporting Workflow

To meet the strict reporting timelines, businesses should follow a structured process:

Step 1 – Detection: Incident detected by monitoring tools or staff.
Step 2 – Initial Assessment: Confirm scope, impact, and whether it meets the “significant incident” threshold.
Step 3 – First Notification: Within 24 hours, send an initial report to the competent national authority (e.g., BSI in Germany, ANSSI in France).
Step 4 – Containment & Recovery: Isolate affected systems, begin restoration.
Step 5 – Update Report: Within 72 hours, provide details on cause, mitigation steps, and potential cross-border impact.
Step 6 – Final Report: Within one month, submit full forensic findings and improvement measures.

Pro Tip: Automated incident templates, like those in GetNistra, cut reporting time dramatically.


Country-by-Country Compliance Timelines

While the EU-level deadline for transposition was October 17, 2024, each country has its own enforcement framework:

  • Germany – Implemented via the IT-Sicherheitsgesetz 3.0 (IT-SiG 3.0); supervised by BSI; first audits expected early 2025.
  • France – National decrees under ANSSI; sector-specific guidance published 2024; inspections start Q4 2025.
  • Italy – Legislative Decree No. 138/2024; overseen by ACN; phased implementation, risk assessments due mid-2025.
  • Netherlands – Wet beveiliging netwerk- en informatiesystemen updated; enforced by NCSC-NL; compliance reviews from late 2025.

Common Compliance Challenges

  • Board awareness – Many executives still see cybersecurity as purely an IT issue.
  • Supply chain complexity – SMEs may rely on dozens of small vendors.
  • Incident readiness – Without automation, 24-hour reporting is difficult.
  • Cross-border operations – Different supervisory authorities may require different formats.

NIS2 vs. ISO 27001: How They Relate

NIS2 Requirement | ISO 27001 Equivalent
Risk management measures | Annex A controls
Incident reporting | A.16 (Incident Management)
Supply chain security | A.15 (Supplier Relationships)
Board-level accountability | Leadership clauses
Audit readiness | ISMS monitoring & review

Key takeaway: ISO 27001 certification is a strong foundation but not a guarantee of NIS2 compliance.


Misconceptions About NIS2

  1. “Only big companies are affected” – False. Smaller entities in critical supply chains can be included.
  2. “It’s just an IT project” – Wrong. It’s an organization-wide governance requirement.
  3. “If we have ISO 27001, we’re already compliant” – Not necessarily; NIS2 adds incident reporting and board accountability requirements.
  4. “We can wait until enforcement begins” – Dangerous; some measures require months to implement.

Integration With Other EU Regulations

NIS2 overlaps with several other regulations:

  • GDPR – Incident reporting obligations may overlap, but NIS2 focuses on system security, not personal data.
  • DORA – Applies to the financial sector, with complementary ICT resilience rules.
  • CER Directive – Covers physical resilience of critical entities, often alongside NIS2 measures.

An integrated compliance approach reduces duplication of effort.


Penalties for Non-Compliance

  • Essential Entities – up to €10M or 2% of global turnover
  • Important Entities – up to €7M or 1.4% of global turnover
  • Possible bans on executives, public disclosure of violations, and contractual exclusion from public tenders.

Global Context

NIS2 is part of a global trend toward stricter cybersecurity regulation:

  • United States – CISA directives require reporting for critical infrastructure within 72 hours.
  • United Kingdom – NCSC oversees similar rules for Operators of Essential Services.

This makes NIS2 compliance not just a legal obligation, but an advantage for international competitiveness.


Practical Steps to Start Today

  1. Identify if your organization is classified as Essential or Important.
  2. Map your current controls to NIS2 requirements.
  3. Establish an incident response process capable of meeting the 24-hour deadline.
  4. Review contracts for supplier cybersecurity obligations.
  5. Schedule board-level briefings on personal liability.

Frequently Asked Questions (FAQs)

Q: Does NIS2 apply to small businesses?
Yes, if they provide critical services or products in a covered supply chain.

Q: How soon should we start preparing?
Immediately — audits can happen with little notice once the directive is enforced.

Q: Can we outsource compliance?
You can outsource processes, but not responsibility.


How GetNistra Helps You Comply Faster

Manual compliance is costly and time-consuming. GetNistra’s AI-powered platform automates up to 70% of the process:

  • Gap analysis against NIS2 and ISO 27001 controls.
  • Automated policy generation tailored to your sector and size.
  • Incident reporting templates aligned with ENISA guidelines.
  • Vendor risk tracking across your supply chain.

Request your free AI-generated NIS2 Roadmap today and see how quickly you can close compliance gaps.


References:
Directive (EU) 2022/2555 – Official Text
ENISA – NIS2 Guidelines
BSI – German IT Security Act
ANSSI – NIS2 Implementation in France
ACN – Agenzia per la Cybersicurezza Nazionale
NCSC-NL – NIS2 Guidance