RegSpace
EU legislation: NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union)

NIS2 Directive Compliance: Stay Ahead of EU Cybersecurity Obligations

NIS2 raises the bar for cybersecurity risk management, incident reporting, and management-body accountability across essential and important entities. RegSpace helps your compliance team monitor the law, find policy gaps, and keep the registers that evidence your programme.

What is NIS2?

The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's reworked cybersecurity law for network and information systems, replacing the original 2016 NIS Directive. Adopted by the European Parliament and Council in December 2022, it sets a high common baseline of cybersecurity risk-management measures, incident-reporting duties, and governance obligations for a much wider set of sectors than its predecessor. As a directive it does not apply directly; each Member State had to transpose it into national law by 17 October 2024, with national measures applying from 18 October 2024. The exact obligations, supervisory authority, and penalties therefore live in each country's transposing legislation.

Who does NIS2 apply to?

NIS2 applies to public and private organisations operating in the sectors listed in its Annexes, generally those that meet at least medium-enterprise size, plus certain entities regardless of size. The directive splits in-scope organisations into essential and important entities, which face different supervisory regimes.

  • High-criticality sectors (Annex I): energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, and space. Large enterprises in these sectors are essential entities; medium-sized ones are generally important entities
  • Other critical sectors (Annex II): postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (incl. medical devices, computers and electronics, electrical equipment, machinery, motor vehicles), digital providers, and research. Entities here are important entities
  • Medium and large organisations in those sectors (generally 50+ staff or over EUR 10m annual turnover or balance sheet), with some entity types in scope regardless of size, such as DNS service providers, TLD name registries, qualified trust service providers, and providers of public electronic communications networks or services
  • Digital infrastructure and ICT service providers under Annex I, including cloud computing, data centres, content delivery networks, and managed service and managed security service providers, and digital providers under Annex II, including online marketplaces, search engines, and social networking platforms
  • Suppliers and ICT vendors who, while not always directly in scope, are pulled in through in-scope entities' supply-chain security and contractual due-diligence obligations
  • Non-EU providers that offer in-scope digital services in the Union (for example DNS, cloud, data centre, CDN, managed service, online marketplace, search engine, or social networking services) and must designate an EU representative under Article 26

Key NIS2 obligations

Cybersecurity risk-management measures (Article 21)

Adopt appropriate and proportionate technical, operational, and organisational measures on an all-hazards basis. Article 21(2) lists the minimum areas to cover: risk analysis and information system security policies; incident handling; business continuity, backup management, disaster recovery, and crisis management; supply-chain security; secure acquisition, development, and maintenance, including vulnerability handling and disclosure; procedures to assess the effectiveness of the measures; basic cyber hygiene and cybersecurity training; cryptography and, where appropriate, encryption; human resources security, access control, and asset management; and the use of multi-factor or continuous authentication, secured voice, video, and text communications, and secured emergency communication.

Multi-stage incident reporting (Article 23)

Report significant incidents to the national CSIRT or competent authority through staged notifications: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours of becoming aware, and a final report no later than one month after submitting the incident notification (or a progress report if the incident is still ongoing at that point), with intermediate updates on request. Affected recipients of the service must also be notified without undue delay where appropriate.

Management-body accountability (Articles 20 and 32)

Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for breaches; members are required to undergo cybersecurity training and encouraged to extend similar training to staff.

Supply-chain and supplier security

Assess and address cybersecurity risks across the supply chain and supplier relationships, taking account of the security practices of direct suppliers and service providers, including the results of coordinated EU-level risk assessments of critical supply chains.

Registration and information duties

Provide the competent authority or ENISA, as applicable, with up-to-date entity information such as name, sector, contact details, IP ranges, and the Member States where services are provided, and keep that information current.

Supervision and enforcement readiness

Essential entities face proactive ex-ante supervision (audits, inspections, security scans) while important entities face ex-post supervision triggered by evidence of non-compliance; both must be able to demonstrate their measures on request.

Penalties and corrective powers

National authorities can impose binding instructions, suspend certifications or authorisations, and levy administrative fines. Article 34 sets the maximum fine at no less than EUR 10m or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at no less than EUR 7m or 1.4% of turnover, whichever is higher, for important entities; the exact figures and procedures are set by each Member State's transposing law.

Key dates

  • 27 December 2022
    NIS2 Directive (EU 2022/2555) published in the Official Journal of the European Union, entering into force on the twentieth day after publication, 16 January 2023.
  • 17 October 2024
    Deadline for Member States to transpose NIS2 into national law; many states missed it, and the Commission opened infringement procedures against those that had not notified transposition measures.
  • 18 October 2024
    Date from which transposing national measures apply; the original NIS Directive (EU 2016/1148) is repealed.
  • 17 April 2025
    Deadline for Member States to establish the list of essential and important entities, with periodic review thereafter (at least every two years).

How RegSpace helps with NIS2

Draft, source-linked intelligence for your team to review. Not legal advice.

Watcher

Monitors the EU institutions and the national regulators and legislative trackers that touch your business on a weekly cycle, and drafts a source-linked digest of NIS2-related changes, including national transposition updates, so your team sees what moved and where it came from.

Watcher

Where a NIS2 development hits a policy you have already published, Watcher prepares DOCX policy redlines in track-changes for your qualified counsel to review and decide on; RegSpace never auto-applies changes.

Assessor

Scores your uploaded security and incident-handling policies against the corpus and shows the gaps as missing, partial, or covered with a score, so you can see where your documentation stands against Article 21-style risk-management themes.

GRC Workspace

Gives you the registers NIS2 programmes lean on, including an incident register, a risk register with a 5x5 matrix, a controls library, vendors, and assets, plus a review and approval workflow and dashboards to evidence and track the work.

Privacy Inspector toolkit

Supports supply-chain and supplier due diligence through vendor and third-party risk scoring, helping you organise the supplier-security work NIS2 expects across your registers.

NIS2 FAQ

Who does NIS2 apply to?

NIS2 applies to medium and large organisations operating in the sectors listed in Annexes I and II of the directive, such as energy, transport, banking, health, digital infrastructure, water, public administration, manufacturing, food, and digital providers. Some entity types are in scope regardless of size. In-scope organisations are classified as essential or important entities, which face different levels of supervision. The precise scope for your organisation is set by your Member State's transposing law.

When does NIS2 apply from?

Member States were required to transpose NIS2 into national law by 17 October 2024, with national measures applying from 18 October 2024. Because NIS2 is a directive, the obligations that bind you come from your country's transposing legislation, and several Member States transposed late, so national application dates vary.

What are the NIS2 incident reporting timelines?

Significant incidents must be reported in stages to the national CSIRT or competent authority: an early warning within 24 hours of becoming aware of the incident, indicating whether it is suspected to be malicious or to have cross-border impact; a fuller incident notification within 72 hours of becoming aware, including an initial assessment of severity and impact and any indicators of compromise; and a final report within one month of the incident notification covering severity and impact, the likely root cause, applied and ongoing mitigation, and any cross-border impact, with intermediate updates if requested.

What is the difference between essential and important entities under NIS2?

Both categories must meet the same core cybersecurity risk-management and reporting obligations, but they differ in supervision. Essential entities (typically larger organisations in Annex I high-criticality sectors) face proactive ex-ante supervision such as audits and inspections, while important entities face ex-post supervision triggered by signs of non-compliance, and the two groups have different maximum fine levels.

What are the penalties for NIS2 non-compliance?

National authorities can issue binding instructions, order remediation, and impose administrative fines. The directive sets maximums of at least EUR 10m or 2% of global annual turnover, whichever is higher, for essential entities and at least EUR 7m or 1.4% of global annual turnover, whichever is higher, for important entities, with exact figures and powers defined by each Member State's transposing law. Management bodies can also be held liable for breaches.

How can RegSpace help with NIS2 compliance?

RegSpace is an agentic GRC and compliance-automation platform. Its Watcher agent monitors the EU and national regulators and produces a source-linked digest of NIS2 changes plus track-changes policy redlines where a change hits a policy you published; the Assessor scores your policies and shows gaps; and the GRC Workspace gives you incident, risk, control, vendor, and asset registers with approval workflows. RegSpace outputs are draft regulatory intelligence for your qualified counsel to review. RegSpace does not provide legal advice, does not file anything with a regulator, and does not guarantee compliance.

Stay ahead of NIS2 changes, automatically.

RegSpace monitors the regulators that touch you, scores your policies against the law, and drafts the redlines. Every claim cited, every output lawyer-reviewed.