The Ultimate Guide to NIS2 Compliance: What Businesses Need to Know in 2026

The Network and Information Security Directive 2 (NIS2) marked a fundamental shift in European cybersecurity regulation. Where NIS1 was largely advisory and applied to a narrow set of critical sectors, NIS2 dramatically expanded the scope of binding obligations. As of 2025, companies that operated comfortably outside regulatory purview are now subject to severe penalties—up to €10 million or 2% of global revenue for essential entities. The compliance landscape has shifted from “nice to have” to mandatory, with personal liability for executives now a concrete reality.

This guide cuts through the complexity. We’ve worked with dozens of organizations navigating NIS2 across Europe, and the questions are always the same: Does this apply to us? What exactly must we do? When does this take effect in our member state? What happens if we don’t comply?

This guide answers those questions with the specificity and clarity you need to act with confidence.

What Is NIS2? The Upgrade from NIS1

NIS1, adopted in 2016, was the European Union’s first continent-wide cybersecurity law. It applied primarily to “operators of essential services” in narrowly defined sectors: energy, water, transport, health, and digital infrastructure. Many organizations outside these sectors remained entirely unregulated. Compliance was important but not existential.

NIS2 is fundamentally different. Adopted in December 2022 and effective from October 2024, NIS2 expands the scope to include a much broader range of organizations and tightens technical requirements significantly. Rather than applying only to critical sectors, NIS2 creates two entity categories—essential and important—and covers sectors from manufacturing to chemicals to food production to public administration.

The directive also reflects a decade of lessons learned from ransomware attacks, supply chain compromises, and nation-state activity. Its requirements are more prescriptive. It mandates incident reporting timelines that are tighter. It holds boards and executive leadership personally accountable. It harmonizes rules across all 27 EU member states, eliminating the fragmentation that previously allowed companies to cherry-pick where to invest in security.

For non-EU companies, NIS2 is equally relevant if you do business in Europe, process data of Europeans, or operate digital infrastructure that Europeans depend on. The reach is genuinely extraterritorial.

Who Does NIS2 Apply To? Essential vs. Important Entities

One of the most critical questions is whether NIS2 applies to your organization at all. The answer lies in the entity classification system, which is based on sector, size, and criticality.

Essential Entities

Essential entities face the strictest NIS2 requirements. An organization is classified as essential if it operates in one of the designated sectors AND meets certain scale or importance thresholds:

– Energy: electricity production, transmission, distribution; oil and gas infrastructure; renewable energy operators

– Transport: rail, road (vehicle manufacturers and logistics operators), air, water transport, port management

– Banking and financial markets: credit institutions, payment services, securities trading, central infrastructure

– Water and wastewater: supply and distribution operators

– Healthcare: hospitals, medical devices, e-health services

– Digital infrastructure and services: data centers, DNS services, TLDs, cloud services, content delivery networks, trust services

– Public administration: national and local government bodies (often automatically essential)

– Manufacturing of critical products: semiconductors, medical devices, aviation, chemicals

– Waste management and recycling: operators handling significant volumes

– Postal and courier services: universal service providers

– Chemicals and food production: operators above certain production thresholds

Within these sectors, size matters. An essential entity is one that:
– Employs 250+ people or has annual turnover above €50 million (or balance sheet total above €25 million), or
– Is designated as essential by its member state due to its role in critical infrastructure

Important Entities

Important entities also fall within NIS2 scope but face slightly less stringent obligations than essential entities. An organization is important if:
– It operates in designated NIS2 sectors (same list as above)
– It employs 50–249 people or has annual turnover of €10–50 million (or balance sheet total of €5–25 million), or
– It is designated as important by its member state

The distinction matters operationally. Essential entities must implement extensive risk management measures, establish incident response capabilities, and report incidents within tight timelines. Important entities face similar requirements but with somewhat more flexibility on specifics.

Critically, if you don’t meet the size thresholds but operate in a critical sector—say, you’re a small water utility or a boutique healthcare provider—your member state may still designate you as essential or important. Many countries are conservative in these designations.
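As an added illustration, not part of the original guide and not an official scoping tool, the sector-plus-size rule above can be written as a small classifier so that a scoping exercise is repeatable and auditable. The sector keys, the sample organisations and the handling of exact boundary values (for example a turnover of exactly €50 million) are assumptions; the thresholds themselves are the ones stated in the text, and a member-state designation overrides the size test as the text describes.

```python
"""Scoping helper for the NIS2 entity classification described in the guide.

Added example, not the guide's or any authority's tool. Thresholds are the
ones stated in the text; sector keys, sample data and boundary handling
are assumptions.
"""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class Classification(str, Enum):
    ESSENTIAL = "essential"
    IMPORTANT = "important"
    OUT_OF_SCOPE = "out of scope"


# Abbreviated keys for the sectors listed in the guide (assumption: naming).
NIS2_SECTORS = frozenset({
    "energy", "transport", "banking", "water", "healthcare",
    "digital_infrastructure", "public_administration",
    "critical_manufacturing", "waste", "postal", "chemicals_food",
})

MILLION = 1_000_000


@dataclass(frozen=True)
class Organisation:
    name: str
    sector: str
    employees: int
    turnover_eur: float
    balance_sheet_eur: float
    # Explicit member-state designation overrides the size test.
    designated_as: Optional[Classification] = None


def meets_essential_size(org: Organisation) -> bool:
    # 250+ employees OR turnover above EUR 50M OR balance sheet above EUR 25M.
    return (org.employees >= 250
            or org.turnover_eur > 50 * MILLION
            or org.balance_sheet_eur > 25 * MILLION)


def meets_important_size(org: Organisation) -> bool:
    # 50-249 employees OR turnover EUR 10-50M OR balance sheet EUR 5-25M.
    # Inclusive bounds are an assumption; the text gives ranges only.
    return (50 <= org.employees <= 249
            or 10 * MILLION <= org.turnover_eur <= 50 * MILLION
            or 5 * MILLION <= org.balance_sheet_eur <= 25 * MILLION)


def classify(org: Organisation) -> Classification:
    # A designation by the member state applies regardless of size.
    if org.designated_as is not None:
        return org.designated_as
    if org.sector not in NIS2_SECTORS:
        return Classification.OUT_OF_SCOPE
    # The essential test runs first: a single criterion (e.g. headcount)
    # is enough even when the others sit in the "important" band.
    if meets_essential_size(org):
        return Classification.ESSENTIAL
    if meets_important_size(org):
        return Classification.IMPORTANT
    return Classification.OUT_OF_SCOPE


def classify_all(orgs: List[Organisation]) -> Dict[str, str]:
    return {org.name: classify(org).value for org in orgs}


# Constructed sample organisations (not real companies).
SAMPLE_ORGS = [
    Organisation("Hospital group", "healthcare", 1200, 180 * MILLION, 90 * MILLION),
    Organisation("Regional water utility", "water", 30, 4 * MILLION, 3 * MILLION,
                 designated_as=Classification.ESSENTIAL),
    Organisation("Logistics operator", "transport", 120, 30 * MILLION, 12 * MILLION),
    Organisation("Chemicals plant", "chemicals_food", 40, 35 * MILLION, 4 * MILLION),
    Organisation("Boutique clinic", "healthcare", 12, 2 * MILLION, 1 * MILLION),
    Organisation("Game studio", "software", 400, 60 * MILLION, 30 * MILLION),
]

if __name__ == "__main__":
    for name, result in classify_all(SAMPLE_ORGS).items():
        print(f"{name:24s} -> {result}")
```

The "Chemicals plant" case shows the point that trips people up in scoping: headcount below 50 does not take an organisation out of scope when turnover alone lands in the important band, because the criteria are alternatives rather than cumulative. The "Boutique clinic" lands out of scope only until its member state designates it, which is exactly the situation the paragraph above warns about.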

Non-EU Companies and Extraterritorial Reach

If your company is headquartered outside the EU but has any of the following, NIS2 likely applies to you:

– Subsidiaries or branch offices in an EU member state operating in covered sectors

– Customers (essential or important entities) that rely on your services

– A role in EU critical infrastructure (cloud providers, DNS operators, CDN providers, etc.)

– Processing of personal data of EU residents in ways connected to critical infrastructure

NIS2 enforcement is managed by national competent authorities in each member state, which creates operational complexity for multinational firms. A company providing cloud services to European banks, for instance, may be subject to NIS2 requirements even if its headquarters are in the US.

NIS2 Requirements: What You Must Actually Do

NIS2 compliance isn’t a box-checking exercise. The directive mandates a comprehensive security posture organized around core domains. Here’s what essential and important entities must establish:

Risk Management Measures

The foundation of NIS2 is a structured approach to identifying, analyzing, and mitigating risks to your network and information systems. This includes:

Risk assessments: You must conduct regular, documented assessments of risks to your information systems, networks, and the services you provide. These assessments must consider both internal and external threats, including nation-state activity, organized crime, and unintentional failures. The assessment must be updated at least annually and whenever material changes occur to your infrastructure or threat landscape.

Security-by-design and security-by-default: Any systems you develop or procure must be designed with security embedded from the outset, not bolted on afterward. This applies to both in-house development and vendor selection. Systems must default to secure configurations rather than requiring lengthy hardening.

Cryptography: You must identify systems using weak or outdated cryptography and have a plan to migrate to strong, well-vetted algorithms. Post-quantum cryptography considerations may also be relevant for systems with long data sensitivity lifespans.

Access controls and identity management: Administrative access must be restricted to named individuals with documented business need. Multi-factor authentication is mandatory for administrative and privileged access. Deprovisioning of users and access rights must be timely and complete.

Segmentation and network architecture: Your networks must be segmented such that compromise of one system doesn’t automatically propagate to all others. Critical systems must be logically or physically isolated from general networks.

Data protection and backup: Sensitive data must be encrypted in transit and at rest. Backups must be tested regularly, stored separately from primary systems, and protected to the same standard as the systems they back up.

Incident detection and response: You must deploy monitoring systems that can detect intrusions, anomalies, and unauthorized access. Logs must be retained and protected. You must have a documented incident response plan, tested at least annually.

Incident Reporting: The Timeline That Matters

One of NIS2’s most consequential requirements is the mandatory incident reporting framework. This is where many organizations stumble.

Early warning (24 hours): If you identify a significant incident, you must provide an early warning to your national competent authority within 24 hours of discovery. This is brief—essentially, “we had an incident, here’s what happened and what we’re doing.” Detailed forensics are not required at this stage.

Detailed notification (72 hours): Within 72 hours of discovering the incident, you must submit a full incident report including: what was compromised, when it likely started, the impact (data exfiltrated, systems down, etc.), what you’ve done to contain it, and your investigation findings so far.

Final report: Once investigation is complete, you must submit a final report with full forensic findings, root cause analysis, and remediation steps.

For important entities, these timelines are slightly looser (48-hour early warning for some situations), but the expectation of speed is non-negotiable. This requires internal processes that allow rapid identification and reporting—no waiting for board approvals or lengthy reviews.

The reports go to your national competent authority and potentially to sector-specific authorities. In some cases, affected customers must also be notified. Unlike GDPR breach notifications, which require notification only if there’s risk to personal data, NIS2 incident reporting is about infrastructure and service continuity more broadly.

Business Continuity and Disaster Recovery

You must establish plans to maintain critical services even in the event of significant incidents. This includes:

– Documented recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems

– Regular testing of recovery capabilities (at least annually, and more frequently for essential entities)

– Alternative processing sites or cloud recovery capability

– Supply chain continuity planning—what happens if a critical vendor fails?

Boards and senior management must be involved in setting and approving these targets. They are not purely technical decisions.

Supply Chain Security

If you rely on external vendors—cloud providers, managed security services, software vendors, hosting providers—you are responsible for ensuring they meet appropriate security standards. This doesn’t mean you audit every vendor exhaustively, but it does mean:

– Contractual clauses requiring them to meet security obligations consistent with NIS2

– The right to audit their security controls (and conducting audits for critical vendors)

– Incident notification requirements: vendors must inform you of security incidents that affect your systems

– Clauses allowing you to terminate relationships if security posture becomes inadequate

Many organizations have dozens or hundreds of vendors. NIS2 typically requires more formalized management of the highest-risk ones (cloud providers, connectivity providers, payment processors, etc.).

Management Accountability

Directors and board members are now personally liable for cybersecurity. This is not theoretical. NIS2 requires:

– Board-level oversight of cybersecurity governance

– Executive-level “competent persons” responsible for security matters (your CSO or equivalent)

– Regular reporting to the board on security posture, incidents, and risks

– Board involvement in major incident response decisions

Some member states (Germany, for example) have explicitly extended criminal liability to executives who knowingly neglect security obligations. The message is clear: cybersecurity is now a board-level governance issue, not just an IT department matter.

NIS2 Penalties: What’s at Stake

Regulatory penalties under NIS2 are among the most severe in European law. Here’s the structure:

For essential entities: Up to €10 million or 2% of global annual revenue (whichever is higher) for failing to meet core security and reporting obligations.

For important entities: Up to €7 million or 1.4% of global annual revenue for equivalent violations.

For high-impact incidents: If an incident causes significant economic damage or affects critical services for a large population, penalties can extend beyond these caps.

For false or misleading reporting: Submitting inaccurate incident reports can result in fines of up to €5 million or 1% of revenue.

Personal liability: Directors and board members can face personal fines of up to €300,000 or imprisonment in some member states if they knowingly tolerate non-compliance.

These are not “negotiable fines” in the GDPR sense. They are calculated harshly and enforced. Regulators in Germany, France, and the Netherlands have made clear their intention to pursue significant cases aggressively.

Beyond financial penalties, regulatory action can result in:
– Mandatory security assessments conducted by government-appointed auditors
– Restrictions on operations (e.g., being barred from processing certain types of data)
– Enhanced oversight and ongoing reporting obligations
– Reputational damage and loss of customer confidence

NIS2 Implementation Status Across EU Member States (2025)

NIS2 entered into force in October 2024, but member states had a two-year window to transpose the directive into national law. As of early 2025, transposition is at various stages:

Completed or near-complete (Germany, France, Netherlands, Belgium, Denmark): These countries have already published national legislation or near-final versions. Organizations in these states should assume full NIS2 enforcement is underway.

In progress (most other EU states): Many member states are still finalizing national legislation. However, this does not provide an exemption from NIS2 requirements. The directive itself is binding even before transposition is complete.

Key variations by member state: While NIS2 is harmonized, member states retain some discretion in how they implement it. Some are establishing more stringent requirements for certain sectors (e.g., Germany for manufacturing). Others are being more lenient on timelines for smaller important entities. It’s worth understanding your member state’s specific approach.

Non-EU countries: If you operate in Switzerland, the UK, or other non-EU countries, your government may introduce NIS2-like laws independently. The UK is developing its own cybersecurity regulations. Switzerland is monitoring NIS2 closely. Plan accordingly.

The practical implication: Don’t wait for your member state’s transposition to be fully complete. Begin implementing NIS2 now. By the time rules are finalized, enforcement will likely already be underway.

NIS2 vs. ISO 27001: How They Relate and Whether ISO 27001 Helps

ISO 27001 is an international standard for information security management. NIS2 is a regulatory requirement specific to the EU. They are complementary but distinct.

What ISO 27001 provides: A structured framework for identifying assets, assessing risks, implementing controls, and continuously improving your security posture. It’s focused on “confidentiality, integrity, and availability” of information systems.

What NIS2 adds: Regulatory obligations specific to critical infrastructure, sector-specific requirements, mandatory incident reporting, board accountability, and defined penalties. NIS2 is narrower in scope (only certain sectors and entities) but deeper in prescription.

The relationship: If you’re certified to ISO 27001, you have a strong foundation for NIS2 compliance. Many of the security controls NIS2 requires align with ISO 27001 Annex A controls. However, ISO 27001 certification alone does not guarantee NIS2 compliance because:

– ISO 27001 doesn’t address incident reporting timelines

– ISO 27001 is agnostic on supply chain security; NIS2 is explicit

– ISO 27001 doesn’t mandate board-level governance in the same way

– ISO 27001 doesn’t include NIS2’s specific controls around cryptography, network segmentation, etc.

For essential entities: You likely need both. Start with a gap analysis against NIS2 requirements, use your ISO 27001 program as a foundation, and add NIS2-specific controls on top.

For important entities: Many organizations achieve NIS2 compliance by enhancing an existing ISO 27001 program. The incremental effort is typically modest if your baseline is strong.

We recommend ISO 27001 as a maturity baseline and NIS2 as the regulatory floor. Aiming for both gives you the rigor of a recognized standard plus the legal safety of meeting regulatory requirements.

NIS2 and DORA: Understanding the Overlap

If your organization is in financial services, you may be subject to both NIS2 and the Digital Operational Resilience Act (DORA). Understanding the distinction is critical because they impose different requirements in overlapping areas.

The short version: DORA is lex specialis—special law—for financial services. Where DORA and NIS2 both apply, DORA is typically the more specific requirement. However, NIS2 may impose additional obligations (e.g., on supply chain risk management) that DORA doesn’t explicitly cover.

For example:
– Both require incident reporting, but DORA has different timelines (4-hour initial notification vs. NIS2’s 24-hour early warning)
– Both require risk management frameworks, but DORA’s framework is more granular on ICT risk
– NIS2 requires risk assessments; DORA requires ICT risk assessments

The practical approach: If you’re in financial services, map your obligations to both frameworks. You’ll likely find that a DORA-compliant program covers most NIS2 requirements, but gaps remain.

NIS2 Compliance Checklist: Step-by-Step

Here’s a practical roadmap for organizations beginning their NIS2 journey:

Month 1-2: Determine scope and baseline
– Confirm whether your organization meets the essential or important entity threshold
– If uncertain, request guidance from your national competent authority
– Conduct a gap analysis against NIS2 requirements
– Assess current security posture relative to what NIS2 requires

Month 2-3: Governance and leadership alignment
– Ensure board-level understanding of NIS2 obligations and penalties
– Appoint a senior executive responsible for cybersecurity (CISO or equivalent)
– Establish a cross-functional steering committee (IT, compliance, legal, business)
– Document policies and procedures required by NIS2

Month 3-6: Risk management program
– Conduct comprehensive risk assessments
– Document risk management procedures
– Identify critical systems and data
– Develop a roadmap for remediation of identified gaps

Month 6-9: Technical controls
– Implement or enhance access controls and identity management
– Review and upgrade cryptography
– Implement network segmentation where gaps exist
– Deploy or enhance intrusion detection capabilities
– Establish backup and disaster recovery procedures

Month 9-12: Incident response and supply chain
– Develop formal incident response procedures with defined timelines
– Establish processes for early warning (24-hour reporting to authorities)
– Identify critical vendors and suppliers
– Develop and formalize supply chain risk management procedures
– Conduct security reviews of critical vendors

Ongoing: Testing and continuous improvement
– Conduct annual risk assessments
– Test incident response procedures (tabletop exercises and simulations)
– Test disaster recovery and business continuity plans
– Update policies based on lessons learned and regulatory guidance
– Monitor regulatory developments and adjust procedures as needed

This timeline assumes your organization has a baseline security program. If you’re starting from a weaker foundation, extend the timeline appropriately.

How Soter Advisory Can Help

Navigating NIS2 is complex, and the stakes are real. We work with organizations at every stage—from initial gap assessment and compliance roadmapping to full implementation support and ongoing compliance management.

Our approach is practical. We don’t create theoretical compliance documentation gathering dust on a shelf. We work with your teams to understand your specific context—your sector, your size, your existing security posture, your regulatory maturity—and develop a compliance program that genuinely improves your security while meeting NIS2 requirements.

We help you with:
– Scope determination and regulatory classification
– Gap analysis and compliance roadmapping
– Board-level governance setup
– Incident response procedure development
– Supply chain security assessments
– Testing and validation of compliance measures

If you’re facing NIS2 deadlines and unsure where to start, or if you’re mid-implementation and want expert guidance, we’re here to help.

Conclusion

NIS2 represents a fundamental shift in how Europe regulates cybersecurity. It’s no longer confined to critical infrastructure operators and a handful of designated sectors. It’s broader in scope, more prescriptive in requirements, and far more consequential in penalties.

For essential and important entities, NIS2 compliance is now a regulatory imperative. The question isn’t whether to comply; it’s how quickly you can build a program that genuinely improves your security posture while meeting legal obligations.

The organizations that move fastest are those that treat NIS2 not as a compliance checkbox but as an opportunity to systematize and strengthen their security practices. Your board has a role to play. Your incident response procedures must be air-tight. Your vendor relationships must be formalized and monitored. Your teams must understand that cybersecurity is not a one-time project but an ongoing discipline.

Need help navigating NIS2? Soter Advisory works with companies at every stage—from initial gap assessment to full implementation and ongoing support. Book a free consultation