
NIS2 Directive

EU directive on cybersecurity requirements for essential and important entities.

EU | Updated May 2026
IN A NUTSHELL
What: EU directive strengthening cybersecurity requirements for essential and important entities across critical sectors.
Who: Medium and large organisations in 18 sectors including energy, transport, health, digital infrastructure, manufacturing, and public administration.
When: Member States were required to transpose by 17 October 2024. National laws are now taking effect across the EU.
Penalty: Up to EUR 10 million or 2% of global turnover for essential entities; EUR 7 million or 1.4% for important entities.
OVERVIEW

Building on the original 2016 NIS Directive, the NIS2 Directive significantly expands the scope and depth of cybersecurity obligations across the European Union. Adopted in January 2023, it had to be transposed by Member States into national law by 17 October 2024. NIS2 addresses the rapidly evolving cyber threat landscape by broadening the range of sectors and entities covered, strengthening security requirements, and tightening incident reporting rules.

NIS2 replaces the original distinction between operators of essential services and digital service providers with two new categories: essential entities and important entities. Essential entities include organisations in sectors such as energy, transport, banking, health, water supply, digital infrastructure, and public administration. Important entities cover sectors like postal services, waste management, food production, manufacturing, and digital providers. The directive applies to medium and large enterprises in these sectors, though Member States may extend coverage to smaller entities in critical areas.

Core obligations require covered entities to implement appropriate and proportionate technical, operational, and organisational cybersecurity measures. These include risk analysis policies, incident handling procedures, business continuity planning, supply chain security measures, and vulnerability management. Entities must report significant cybersecurity incidents to their national Computer Security Incident Response Team (CSIRT) within 24 hours as an early warning, followed by a detailed notification within 72 hours. Management bodies must approve cybersecurity risk measures and undergo training, creating personal accountability at the leadership level.

Enforcement under NIS2 is considerably strengthened compared to its predecessor. Essential entities face fines of up to 10 million euros or 2% of global annual turnover, while important entities face up to 7 million euros or 1.4% of turnover. National authorities have broad supervisory powers, including on-site inspections, security audits, and the ability to issue binding instructions.

NIS2 operates alongside the Digital Operational Resilience Act (DORA), which applies specific cybersecurity rules to the financial sector, and the Cyber Resilience Act (CRA), which targets product-level cybersecurity for hardware and software. Together, these instruments form a layered EU cybersecurity framework. For businesses, NIS2 compliance requires not only technical investment but also governance reforms, supply chain assessments, and incident response capabilities that demonstrate organisational readiness against cyber threats.


KEY OBLIGATIONS
Implement comprehensive cybersecurity risk management measures
Report significant incidents to national CSIRT within 24 hours (early warning) and 72 hours (full notification)
Ensure supply chain security for all third-party software components
Conduct regular vulnerability assessments and penetration testing
Ensure management bodies approve and oversee cybersecurity measures
YOUR FIRST STEP

Determine whether your organisation qualifies as an essential or important entity under NIS2 sector definitions and size thresholds

KEY COMPLIANCE REQUIREMENTS
01
Cybersecurity risk management
Implement appropriate technical, operational, and organisational measures to manage risks to network and information systems.
02
Incident reporting
Submit an early warning to your national CSIRT within 24 hours and a full incident notification within 72 hours of a significant incident.
03
Supply chain security
Assess and manage cybersecurity risks in your supply chain, including direct suppliers and service providers.
04
Management accountability
Ensure management bodies approve cybersecurity measures, undergo training, and bear personal accountability for compliance.
05
Business continuity
Develop and test business continuity and disaster recovery plans to ensure resilience against cyber disruptions.
06
Vulnerability management
Establish processes for vulnerability discovery, disclosure, and remediation across all critical systems.
07
Access control and encryption
Implement multi-factor authentication, access management policies, and encryption for data at rest and in transit.