1. What is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023, and Member States had until 17 October 2024 to transpose it into national law (Article 41). It extends cybersecurity obligations to an estimated 160,000+ entities across 18 sectors in the EU and replaces NIS1 with fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher.
The original NIS Directive (Directive (EU) 2016/1148, Network and Information Security), adopted in July 2016, was the European Union's first binding legislation on cybersecurity. It required Member States to designate competent national authorities and CSIRTs and to establish minimum security and incident-reporting requirements for operators of essential services and digital service providers. While it laid the groundwork for a common approach, its uneven implementation across countries exposed significant gaps in harmonisation.
In response to rapidly evolving cyber threats and persistent fragmentation between Member States, the European Parliament and the Council adopted the NIS2 Directive (Directive (EU) 2022/2555) on 14 December 2022; it was published in the Official Journal on 27 December 2022 and entered into force on 16 January 2023. This legislation comprehensively overhauled the previous framework: it substantially broadened the scope of covered entities (commonly estimated at over 160,000 entities, a figure that is not stated in the Directive itself), strengthened security obligations, increased sanctions, and mandated enhanced cooperation between national authorities. Member States were required to transpose its provisions into national law by 17 October 2024 (Article 41, Directive 2022/2555); several Member States missed that deadline, so the state of transposition should be checked country by country.
In the United Kingdom, which is no longer bound by EU directives post-Brexit, the government has introduced the Cyber Security and Resilience Bill to update the UK NIS Regulations 2018, with the National Cyber Security Centre (NCSC) as national technical authority and sector regulators acting as competent authorities. UK businesses are not automatically subject to NIS2: those with an establishment in the EU in a covered sector fall under the rules of the relevant Member State, certain digital providers that offer services in the EU without an EU establishment must designate an EU representative (Article 26, Directive 2022/2555), and UK suppliers to EU-regulated entities will see NIS2 requirements flowed down through contracts. It is advisable to monitor both frameworks and align security practices accordingly.
2. Who is affected?
NIS2 classifies organisations into Essential Entities (large organisations in Annex I sectors: 250 or more employees, or turnover above EUR 50 million and balance sheet above EUR 43 million) and Important Entities (medium-sized organisations in Annex I or Annex II sectors, plus large organisations in Annex II sectors; medium-sized means 50 or more employees, or turnover or balance sheet above EUR 10 million) across 18 sectors covered by Annexes I and II of Directive 2022/2555, including energy, health, transport and digital infrastructure.
Essential Entities vs Important Entities
NIS2 distinguishes between two categories of entities subject to obligations: Essential Entities (EE) and Important Entities (IE) (Article 3, Directive 2022/2555). This distinction determines the level of supervisory oversight and the applicable sanctions, not the security measures themselves, which are the same for both. Essential Entities are, as a rule, large organisations (250 or more employees, or annual turnover above EUR 50 million and balance sheet above EUR 43 million) operating in the highly critical sectors of Annex I, together with a few categories designated regardless of size, such as qualified trust service providers, TLD name registries, DNS service providers and central government public administration. Important Entities cover medium-sized organisations (50 or more employees, or turnover or balance sheet above EUR 10 million) in sectors covered by Annex I or Annex II, as well as large organisations in Annex II sectors.
Size Criteria
To determine whether your organisation qualifies as Essential or Important, the size criteria of the EU SME definition (Commission Recommendation 2003/361/EC, referenced by Article 2 of Directive 2022/2555) apply: employee headcount, annual turnover and annual balance sheet total. An organisation is considered large (Essential Entity threshold in Annex I sectors) if it has 250 or more employees, or turnover above EUR 50 million and a balance sheet above EUR 43 million. It is considered medium-sized (Important Entity threshold) if it has 50 or more employees, or turnover or balance sheet above EUR 10 million. Because the SME definition counts partner and linked enterprises, the figures of the wider group can be aggregated in the assessment; national transposition laws may refine this, so a subsidiary should not assume it is assessed in isolation.
The 18 Sectors Covered
The Directive covers 18 sectors (Annexes I and II, Directive 2022/2555) split across two annexes. Annex I comprises 11 highly critical sectors: energy — transport — banking — financial market infrastructures — health — drinking water — wastewater — digital infrastructure — ICT service management — public administration — space. Annex II adds 7 critical sectors: postal and courier services — waste management — manufacture, production and distribution of chemicals — food production and distribution — manufacturing — digital providers — research.
Even if your organisation does not fall directly under a covered sector, you may still be affected if you supply services or products to an Essential or Important Entity. NIS2 requires in-scope entities to address supply chain security, including the security of their direct suppliers and service providers (Article 21(2)(d), Directive 2022/2555); suppliers are not regulated directly, but in practice they will be asked to meet these expectations through contractual clauses, security questionnaires, and audits.
3. Concrete obligations
Article 21(2) of Directive 2022/2555 lists ten minimum risk-management measures; together with the governance duties of Article 20 and the incident reporting regime of Article 23 (early warning within 24 h, notification within 72 h, final report within one month), this guide groups them into eight core obligations: governance, risk management, supply chain security, incident notification, business continuity, HR security, cryptography, and access control and authentication (including MFA).
Article 21 of the NIS2 Directive defines the technical, operational, and organisational measures that in-scope entities must implement, following an all-hazards approach. These measures must be proportionate to the entity's exposure to risk, its size, and the likelihood and severity of incidents, including their societal and economic impact (Article 21(1)). The ten measures of Article 21(2) cover risk analysis and security policies, incident handling, business continuity, supply chain security, secure acquisition and development including vulnerability handling, assessing the effectiveness of measures, cyber hygiene and training, cryptography, HR security with access control and asset management, and MFA or continuous authentication with secured communications. For readability, this guide regroups them, with Articles 20 and 23, into the eight core obligations below.
Governance and Accountability
First, governance and management accountability (Article 20, Directive 2022/2555): management bodies must approve the cybersecurity risk-management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for infringements. Second, cybersecurity risk management (Article 21(2)(a) and (f)): regular risk assessments, identification of critical assets, a documented security policy, and procedures to assess whether the measures are effective. Third, supply chain security (Article 21(2)(d)): evaluation and oversight of critical suppliers through contractual clauses, security questionnaires, and audits for the most critical vendors.
Incident Notification
Fourth, incident handling (Article 21(2)(b)) and notification of significant incidents (Article 23, Directive 2022/2555): an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment of severity and impact, intermediate status updates on request, and a final report within one month of the incident notification. Where the incident is still ongoing at that point, a progress report is due instead, with the final report one month after the incident is handled.
Business Continuity
Fifth, business continuity: formalised and regularly tested business continuity plans (BCP) and disaster recovery plans (DRP).
People, Cryptography and Access Control
Sixth, human resources security (Article 21(2)(i)): background checks for sensitive roles, cybersecurity training and basic cyber hygiene for all staff (Article 21(2)(g)), and prompt revocation of access upon departure. Seventh, use of cryptography (Article 21(2)(h)): encryption of sensitive data in transit and at rest, documented key management and certificate lifecycle procedures. Eighth, access control and authentication (Article 21(2)(i) and (j)): multi-factor or continuous authentication where appropriate, which in practice means on remote access, administrative interfaces and critical systems, and an IAM policy based on the principle of least privilege.
4. Sanctions and enforcement
NIS2 fines reach EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for Essential Entities, and EUR 7,000,000 or 1.4% of turnover, whichever is higher, for Important Entities (Article 34, Directive 2022/2555). Management bodies can be held personally liable (Article 20), and for Essential Entities natural persons with management responsibilities can be temporarily banned from management roles (Article 32(5)).
NIS2 establishes a significantly more stringent sanctions regime than its predecessor. Fines are calculated by taking the higher of a fixed ceiling and a percentage of global annual turnover, ensuring deterrence regardless of the entity's size. For Essential Entities, the maximum fine is EUR 10,000,000 or 2% of global annual turnover (Article 34, Directive 2022/2555). For Important Entities, it is EUR 7,000,000 or 1.4% of global annual turnover (Article 34, Directive 2022/2555).
A major innovation compared to NIS1 is the explicit accountability of management bodies, which can be held liable for infringements of the risk-management obligations (Article 20(1), Directive 2022/2555). Where an Essential Entity fails to comply with an enforcement order within the deadline set, the competent authority may ask the courts or competent bodies to temporarily prohibit any natural person with management responsibilities at chief executive or legal representative level from exercising managerial functions in that entity, and may temporarily suspend a certification or authorisation (Article 32(5)). This provision is designed to ensure that governance bodies take direct responsibility for cybersecurity policy.
National competent authorities, which in some Member States are sector-specific regulators, hold broad supervisory and enforcement powers (Articles 32 and 33, Directive 2022/2555): on-site inspections and off-site supervision, regular and targeted security audits, requests for information and for evidence of policy implementation, compliance orders with deadlines, and making aspects of non-compliance public (name and shame). Essential Entities are subject to ex ante as well as ex post supervision, so audits may be initiated proactively without a prior incident having occurred; Important Entities are supervised ex post, that is, when the authority has evidence or an indication of non-compliance.
5. How to comply
NIS2 compliance follows 5 steps over a minimum of 9 months: asset mapping, risk assessment (using ISO 27005 or NCSC's CAF), deployment of technical controls, staff training and continuous auditing. Senior leadership must drive the compliance programme.
Achieving NIS2 compliance is a multi-month organisational project. The following five-step plan is based on ENISA guidance and early compliance experience across European organisations.
Step 1: Map Your Assets
Step 1 (months 1-2) — Asset mapping: identify and catalogue all digital assets (servers, applications, network equipment, workstations, cloud access) and classify them by business criticality.
Step 2: Assess Risks
Step 2 (months 2-3) — Risk assessment: conduct a risk analysis identifying threats, vulnerabilities, and potential impacts for each critical asset, using a structured methodology such as ISO 27005 or NCSC's CAF.
Step 3: Implement Controls
Step 3 (months 3-6) — Implement controls: deploy technical and organisational measures prioritised by your risk assessment (MFA, encryption, network segmentation, patch management, backups, incident detection) and document each measure implemented.
Step 4: Train Your Teams
Step 4 (months 6-9) — Staff training: raise awareness across all staff on cyber risks and best practices; provide targeted training for IT teams on new incident detection and notification procedures; include senior leadership in governance and NIS2 liability training.
Step 5: Audit and Improve Continuously
Step 5 (ongoing) — Audit and continuous improvement: schedule regular internal and external audits, update your risk assessment at least annually or after any major change, test your business continuity plan through crisis simulation exercises, and maintain up-to-date documentation of all compliance activities.
6. Official resources
Key NIS2 compliance resources include the official text on EUR-Lex, NCSC's Cyber Assessment Framework (ncsc.gov.uk), ENISA technical guidelines, and ISO/IEC 27005 for the risk analysis required by Article 21.
Several official resources will help you deepen your understanding of NIS2 and begin your compliance journey.
The full text of Directive (EU) 2022/2555 is available on EUR-Lex, the European Union's online legal database, which also carries the Official Journal in which the Directive was published. The NCSC (National Cyber Security Centre) publishes practical guidance, the Cyber Assessment Framework (CAF), and sector-specific advice on its website (ncsc.gov.uk). ENISA (the EU Agency for Cybersecurity) provides technical guidelines and implementation recommendations for Member States and in-scope entities.
For UK organisations subject to the domestic Cyber Security and Resilience Bill, the NCSC's CAF provides a structured compliance framework aligned with NIS2 principles. For risk management methodology, ISO/IEC 27005 and the NCSC's risk management guidance are well-suited frameworks to meet the risk analysis requirements of NIS2.