
NIS2 (Network and Information Security Directive 2)

EU cybersecurity directive applying to essential and important entities in 18+ sectors, with national transposition deadline October 2024.

## What NIS2 actually does

NIS2 (Directive (EU) 2022/2555) is the European cybersecurity directive that replaced the original NIS Directive of 2016. It significantly expands the scope of cybersecurity obligations and harmonizes requirements across EU member states. The directive entered into force in January 2023 with a national transposition deadline of October 17, 2024. Implementation across member states has been uneven — some on time, others significantly delayed.

## Who NIS2 applies to

NIS2 dramatically expanded scope versus its predecessor. It applies to:

**Essential entities** (high-criticality sectors):

- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Health (healthcare, pharmaceutical)
- Drinking water and wastewater
- Digital infrastructure (cloud providers, data centres, DNS, content delivery)
- ICT service management (B2B)
- Public administration
- Space

**Important entities** (other critical sectors):

- Postal and courier services
- Waste management
- Manufacturing of certain critical products (chemicals, medical devices, electronics, machinery, vehicles)
- Food production, processing, and distribution
- Digital providers (online marketplaces, search engines, social networks)
- Research

Size thresholds apply: medium-sized (50+ employees, €10M+ turnover) and large entities are typically in scope; small and micro entities are generally excluded.

## Core requirements

Organizations under NIS2 must implement:

**1. Risk management measures** — at least 10 specific categories:

- Risk analysis and information system security policies
- Incident handling procedures
- Business continuity (backups, disaster recovery, crisis management)
- Supply chain security
- Network and information system security in acquisition, development, and maintenance
- Policies for assessing the effectiveness of cybersecurity measures
- Cyber hygiene and training
- Cryptography policies (including encryption)
- HR security, access controls, asset management
- Multi-factor authentication, secure communications

**2. Incident reporting** — significant incidents must be reported:

- **Early warning** within 24 hours
- **Incident notification** within 72 hours
- **Final report** within one month

**3. Supply chain security** — entities must assess and manage cybersecurity risks from their suppliers and service providers.

**4. Management accountability** — senior management is personally responsible for compliance, including approval of measures and supervision of implementation.

## Penalty structure

NIS2 introduces significant penalties:

- **Essential entities**: up to €10 million or 2% of global annual turnover (whichever is higher)
- **Important entities**: up to €7 million or 1.4% of turnover

Member states can impose additional penalties on management for non-compliance.

## What this means for tool choice

NIS2's supply chain security requirements specifically affect technology vendor selection. Organizations under NIS2 must assess their suppliers' cybersecurity posture and document that assessment. For European organizations, this creates pressure to:

**1. Choose suppliers with strong cybersecurity certifications.** ISO 27001, SOC 2, BSI C5, or equivalent. Most major EU cloud providers (Hetzner, Scaleway, OVHcloud, Infomaniak) have these certifications.

**2. Prefer EU-resident providers.** NIS2 reporting obligations and incident response coordination work better when suppliers are subject to EU regulatory frameworks. US-based providers can comply but require additional contractual mechanisms.

**3. Document the supplier evaluation.** NIS2 requires demonstrating how cybersecurity considerations entered procurement decisions, not merely that they did.

**4. For digital infrastructure providers themselves:** if your business is a cloud provider, data centre, DNS provider, or content delivery network, you are directly in scope as an essential entity.

## Why NIS2 matters beyond formal compliance

Even for organizations not formally in scope, NIS2 sets the de facto European cybersecurity baseline. Insurance providers reference NIS2 for cyber coverage. Procurement teams increasingly use NIS2 categories in vendor assessments. EU member state cybersecurity agencies use NIS2 as their reference framework. For European businesses planning long-term cybersecurity investment, treating NIS2 as the baseline rather than as a compliance ceiling is operationally sound.

## Implementation status (as of 2026)

Implementation has been uneven across member states:

- **On-time implementation**: Most Nordic countries, Germany, France
- **Delayed implementation**: Several southern and eastern European states transposed late 2024 or 2025
- **Active enforcement**: Generally beginning 2025-2026 as national authorities ramp up

The European Commission has launched infringement proceedings against member states with significantly delayed implementation. Expect active NIS2 enforcement to be a defining cybersecurity story through 2026-2027.

## Related EU cybersecurity frameworks

NIS2 is part of a broader European cybersecurity legal landscape:

- **Cyber Resilience Act (CRA)** — covers cybersecurity of products with digital elements, in force 2024
- **DORA** — operational resilience for financial services, in force from January 2025
- **eIDAS 2.0** — digital identity and trust services
- **GDPR** — data protection, complementary to but distinct from cybersecurity

For organizations navigating multiple frameworks, mapping overlaps and unique requirements is essential. NIS2 sets the cybersecurity baseline; sector-specific regulations (DORA, CRA) build on it.