About the NIS2 directive: What you need to know

Cybersecurity is no longer optional—it’s a legal obligation. To strengthen digital resilience across Europe, the European Union introduced the NIS2 Directive, replacing the original NIS Directive. NIS2 imposes stricter requirements on essential and important entities in critical sectors, with legal obligations around risk management, incident reporting and board accountability.

This page provides a clear overview of the NIS2 Directive, its scope, key changes compared to NIS, and what it means in practice. Looking to prepare your organization? Explore the NIS2 training at BC Academy, CyberFundamentals certification or ISO 27001 certification.

What is the NIS2 Directive?

The original NIS1 Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 was introduced to strengthen cybersecurity within the EU. Due to the increasing threat of cyber attacks, this directive was replaced by the NIS2 Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022, which imposes stricter requirements and has a broader scope to increase the resilience of critical infrastructures against cyber attacks. The NIS2 Directive has been applicable since 16 January 2023.

Each EU Member State must transpose the Directive into national law by 17 October 2024 at the latest. From 18 October 2024, organisations falling within the scope of the national NIS2 law will be required to comply with this law.

What is the difference between NIS and NIS2?

In order to provide increased protection against growing cyber incidents and threats, the NIS Directive was replaced by the NIS2 Directive. The latter introduces significant improvements over the original NIS Directive by extending sectoral coverage, strengthening security requirements and imposing stricter reporting obligations. Unlike NIS, which allowed flexibility in national implementation, NIS2 ensures harmonised cybersecurity rules across all EU Member States. In addition, penalties for non-compliance have been significantly increased to strengthen accountability.

1. Broader scope

Where the original NIS focused mainly on a limited group of essential services such as energy, transport, banking, healthcare and digital infrastructure, NIS2 extends the scope to include more sectors such as postal and courier services, waste water and waste management, food production, aerospace and digital service providers. The sectors covered by NIS2 are described in Annexes I and II of the NIS2 Directive.

2. Categorisation into essential and important entities

Under NIS, Member States themselves determined which organisations were considered critical, which led to inconsistencies within the EU. NIS2 introduces a uniform approach based on the size of the organisation. All medium-sized and large companies in the sectors listed in Annexes I and II fall within the scope of NIS2. In addition, Member States may also require small enterprises with a high security risk profile to comply with the requirements of NIS2. Depending on the sector in which the organisation operates and its size, a distinction is made between “essential entities” and “important entities”. This distinction is important as they are subject to a different control system.

3. Strengthening risk management measures and reporting requirements

The NIS2 describes a minimum list of management measures that must be implemented by the entity. It also specifies how a significant incident must be reported, when such an incident must be reported and what the report must contain. Both topics are explained in more detail in the section “What does this mean for my organisation?”.

4. Stricter supervisory measures

The NIS2 provides for stricter penalties for non-compliance with the regulations. The national authority may impose administrative measures such as warnings, temporary suspension of certification or authorisation, etc. In addition, administrative fines may be imposed in the event of non-compliance by the essential or important entity, which may amount to €10,000,000 and €7,000,000 respectively.

Why was the NIS2 Directive introduced?

The NIS2 Directive essentially pursues the same objectives as the NIS Directive, namely:

  • Requiring national authorities to commit to cybersecurity.
  • Strengthening the cyber resilience of essential and important sectors in our society.
  • Creating equivalent minimum standards for cybersecurity in all EU Member States.
  • Improving cross-border cooperation and information exchange between national authorities.

Does my organisation fall within the scope of NIS2?

In principle, your organisation falls under NIS2 if it is active in one of the (sub)sectors listed in Annexes I and II of the Directive and is of a certain size.

The sectors considered to be highly critical are described in Annex I of the Directive:

  • Energy (electricity, district heating and cooling, oil, natural gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructure
  • Health
  • Drinking water
  • Waste water
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space

Critical sectors under NIS2 are listed in Annex II of the Directive:

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacture (of medical devices and in vitro diagnostic medical devices; computer, electronic and optical products; electrical equipment; machinery and equipment; motor vehicles, trailers and semi-trailers; other means of transport)
  • Digital providers
  • Research

In addition to the services provided, the size of the entity also plays a role in determining whether or not it falls within the scope of the NIS2. In principle, the entity must be at least a medium-sized enterprise.

According to the European definition laid down in Recommendation 2003/361/EC, companies are classified into three categories based on the number of employees (measured in full-time equivalents (FTE)) and their financial data (annual turnover and/or annual balance sheet total):

                            Micro or small enterprise   Medium-sized enterprise          Large enterprise
Number of FTEs              < 50 FTEs                   ≥ 50 FTEs and < 250 FTEs         ≥ 250 FTEs
Annual turnover (in €)      ≤ 10 million                > 10 million and ≤ 50 million    > 50 million
Balance sheet total (in €)  ≤ 10 million                > 10 million and ≤ 43 million    > 43 million

To determine the size of an organisation, the number of persons employed within the entity is first determined. Next, the annual turnover and annual balance sheet total are checked. The company can choose to meet either the threshold for annual turnover or that for the annual balance sheet total. One of the two can therefore exceed the threshold without affecting SME status.

For example: A company with 55 FTEs (medium-sized), an annual turnover of 20 million euros (medium-sized) and a balance sheet total of 50 million euros (large) is classified as a medium-sized enterprise.

The combination of the sector and the size of the company leads to a subdivision between essential entities and important entities:

                              Medium-sized enterprise   Large enterprise
Services listed in Annex I    Important entity          Essential entity
Services listed in Annex II   Important entity          Important entity

There are a few exceptions to the above rule and the following points should be taken into account:

  • If the entity is part of a group, the consolidated data must be used to calculate the size of the company.
  • Certain entities fall within the scope of the NIS2 Act regardless of their size:
    • Qualified trust service providers (essential)
    • Non-qualified trust service providers (important for micro, small or medium-sized enterprises and essential for large enterprises)
    • DNS service providers (essential)
    • TLD name registries (essential)
    • Domain name registration services
    • Providers of public electronic communications networks (essential)
    • Providers of public electronic communications services (essential)
    • Entities designated as operators of critical infrastructure in accordance with the Act of 1 July 2011 on the security and protection of critical infrastructure (essential)
    • Public authorities dependent on the Federal State (essential)
  • Furthermore, the Member State may designate an entity as essential or important in certain circumstances, regardless of its size.
  • If an organisation is not an essential or important entity, it may still be affected by national NIS2 legislation if it belongs to the supply chain of a NIS2 entity.
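The size test and the sector/size table above combine into a small decision procedure, and the rule that only one of the two financial criteria has to be met is easy to get wrong in a spreadsheet. The following Python is an added example, not text or tooling from the Directive or from this page: it encodes the thresholds from the size table, applies the Annex I/II mapping, and reproduces the 55 FTE / €20 million / €50 million worked example. It assumes that exactly 250 FTEs counts as large (the medium band is stated as "< 250"), that group figures are consolidated by the caller before the call, and that the "regardless of size" cases are supplied by the caller as a designated classification.

```python
from enum import Enum
from typing import Optional


class Size(Enum):
    MICRO_OR_SMALL = "micro or small enterprise"
    MEDIUM = "medium-sized enterprise"
    LARGE = "large enterprise"


EUR_MILLION = 1_000_000

# Size bands from the table above: (size, FTE upper bound (exclusive),
# annual turnover ceiling (inclusive), balance sheet total ceiling (inclusive)).
# Anything not caught by these two bands is a large enterprise; that places
# exactly 250 FTEs in the large band (assumption, since medium is "< 250").
SIZE_BANDS = (
    (Size.MICRO_OR_SMALL, 50, 10 * EUR_MILLION, 10 * EUR_MILLION),
    (Size.MEDIUM, 250, 50 * EUR_MILLION, 43 * EUR_MILLION),
)


def enterprise_size(fte: float, turnover_eur: float, balance_sheet_eur: float) -> Size:
    """Headcount is decisive; of the two financial criteria only one has to be met.

    For an entity that is part of a group, pass the consolidated figures.
    """
    for size, fte_limit, turnover_limit, balance_limit in SIZE_BANDS:
        within_headcount = fte < fte_limit
        within_finance = turnover_eur <= turnover_limit or balance_sheet_eur <= balance_limit
        if within_headcount and within_finance:
            return size
    return Size.LARGE


def classify_entity(annex: int, size: Size, designated: Optional[str] = None) -> Optional[str]:
    """Return 'essential', 'important' or None (outside the size-based scope).

    annex: 1 for Annex I sectors (highly critical), 2 for Annex II sectors (critical).
    designated: a classification that applies regardless of size, e.g. 'essential'
        for a DNS service provider or TLD registry, or a Member State designation.
    """
    if designated is not None:
        return designated
    if annex not in (1, 2):
        raise ValueError("annex must be 1 or 2")
    if size is Size.MICRO_OR_SMALL:
        return None
    if annex == 1 and size is Size.LARGE:
        return "essential"
    return "important"


if __name__ == "__main__":
    # Worked example from the text: 55 FTEs, EUR 20 million turnover, EUR 50 million balance sheet.
    size = enterprise_size(55, 20 * EUR_MILLION, 50 * EUR_MILLION)
    print(size.value, "->", classify_entity(1, size))  # medium-sized enterprise -> important
```

Note how a company with 30 FTEs, €100 million turnover and a €5 million balance sheet still comes out as small: the headcount is within the small band and one financial criterion (the balance sheet) is met, which is exactly the "one of the two can exceed the threshold" rule from the text.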

How does NIS2 impact your organization?

Essential and important entities are subject to various obligations with a view to protecting and managing their network and information systems, preventing incidents or limiting the consequences of incidents. The most important obligations are described below. In addition, these are elaborated separately for each Member State.

1. Risk management measures

The NIS2 Directive sets out minimum management measures that essential and important entities must implement to protect their network and information systems and physical access to those systems against incidents. These are described in the Directive as follows:

  • Risk analysis and information system security policy
  • Incident response
  • Business continuity, such as backup management and contingency plans, and crisis management
  • Supply chain security, including security-related aspects of the relationships between each entity and its direct suppliers or service providers
  • Security in the acquisition, development and maintenance of network and information systems, including vulnerability response and disclosure
  • Policies and procedures to assess the effectiveness of cyber security risk management measures
  • Basic cyber hygiene practices and cyber security training
  • Policies and procedures on the use of cryptography and, where appropriate, encryption
  • Security aspects relating to personnel, access policy and asset management
  • Where appropriate, the use of multi-factor authentication or continuous authentication solutions, secure voice, video and text communication and secure emergency communication systems within the entity.

2. Reporting obligations

Important and essential entities are required to notify the national CSIRT if a significant incident occurs.

According to the NIS2 Directive, ‘an incident shall be considered to be significant if:

  • it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned;
  • it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.’

The significant incident shall be reported by the essential and important entity to the CSIRT in accordance with the following procedure:

  1. An early warning shall be submitted without delay and in any event within 24 hours of becoming aware of the significant incident, indicating the probable cause and any cross-border implications;
  2. An incident report shall be submitted without delay and in any event within 72 hours of becoming aware of the significant incident, containing an information update and an initial assessment of the incident;
  3. An interim report shall be submitted at the request of the CSIRT or the competent authority;
  4. A final report shall be submitted no later than one month after the incident report, stating:
    1. A detailed description of the incident, as well as its severity and consequences;
    2. The type of threat or root cause that is likely to have led to the incident;
    3. Applied and ongoing risk mitigation measures;
    4. The cross-border impact of the incident, if applicable.
  5. A progress report shall be submitted if the incident is still ongoing one month after the incident report and a final report shall be submitted within one month of the incident being resolved.
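An incident response runbook usually turns the steps above into concrete due dates the moment an incident is declared significant. The Python below is an added example, not part of the page or of any official tooling: it derives the early warning, incident report and final/progress report deadlines from the time the entity became aware of the incident, the time the incident report was actually submitted, and the resolution time if known. It assumes "one month" means the same day of the next calendar month, clamped to that month's last day, since the Directive does not define it; the timeline used in the usage section is constructed.

```python
import calendar
from datetime import datetime, timedelta
from typing import Dict, Optional


def add_one_month(moment: datetime) -> datetime:
    """Same day and time one calendar month later (assumption: clamp to the
    last day of a shorter month, e.g. 31 January -> 28 February)."""
    year, month = moment.year, moment.month + 1
    if month > 12:
        year, month = year + 1, 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime,
                        incident_report_at: Optional[datetime] = None,
                        resolved_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Due dates for the significant-incident reports listed above.

    aware_at: when the entity became aware of the significant incident.
    incident_report_at: when the 72-hour incident report was submitted; the
        one-month clock for the final or progress report runs from here.
    resolved_at: when the incident was resolved, if already known.
    """
    deadlines = {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_report": aware_at + timedelta(hours=72),
    }
    if incident_report_at is None:
        return deadlines
    one_month_after_report = add_one_month(incident_report_at)
    if resolved_at is None:
        # Resolution date unknown: at the one-month mark either the final report
        # (if resolved by then) or a progress report is due.
        deadlines["final_or_progress_report"] = one_month_after_report
    elif resolved_at <= one_month_after_report:
        deadlines["final_report"] = one_month_after_report
    else:
        # Still ongoing one month after the incident report: progress report then,
        # final report within one month of resolution.
        deadlines["progress_report"] = one_month_after_report
        deadlines["final_report"] = add_one_month(resolved_at)
    return deadlines


def example_timeline() -> Dict[str, datetime]:
    """Constructed case: aware 30 Jan 2025 10:00, incident report sent 31 Jan 14:00,
    resolved 15 Mar 09:00 (so still ongoing at the one-month mark)."""
    return reporting_deadlines(datetime(2025, 1, 30, 10, 0),
                               datetime(2025, 1, 31, 14, 0),
                               datetime(2025, 3, 15, 9, 0))


if __name__ == "__main__":
    for name, due in example_timeline().items():
        print(f"{name:<25} {due:%Y-%m-%d %H:%M}")
```

In the constructed case the progress report falls on 28 February (31 January plus one month, clamped) and the final report on 15 April, one month after resolution. Feed the function the actual submission time of the incident report rather than its deadline, because the text ties the one-month period to the incident report itself.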

3. Obligations and responsibilities of management

The management bodies of essential and important entities must comply with specific obligations such as approving the control measures taken and monitoring their implementation. In addition, members of the management body must undergo training to ensure that their knowledge and skills are sufficient to identify risks and assess the control measures taken and their impact on the services provided. They must also offer such training to their employees. The management body is liable in the event of non-compliance with the law and regulations.

4. Cooperation with authorities

NIS2 entities must cooperate with the national competent authorities. This concerns the exchange of information on the security of network and information systems, reporting incidents, cooperation with the inspection service, etc.