The Network and Information Systems Directive 2 (NIS2, Directive (EU) 2022/2555) entered into force in January 2023, and EU member states had until 17 October 2024 to transpose it into national law, replacing the original NIS Directive. It significantly expands the scope of organisations subject to mandatory cybersecurity requirements, and significantly increases the consequences of non-compliance.
If your organisation operates in the EU or serves EU customers in a critical sector, NIS2 likely applies to you. The question is not whether to comply but how — and in what order.
Who NIS2 Applies To
NIS2 divides in-scope organisations into two categories: essential entities and important entities. The category determines the supervisory regime (proactive, ex-ante supervision for essential entities; reactive, ex-post supervision for important ones) and the ceiling on administrative fines: at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and at least €7,000,000 or 1.4% for important entities. The security measures (Article 21) and the incident reporting obligations (Article 23) apply equally to both categories.
Annex I sectors (sectors of high criticality): energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (IXPs, DNS service providers, TLD registries, cloud providers, data centres, CDNs, trust service providers, public electronic communications networks and services), ICT service management (B2B MSPs and MSSPs), public administration, space. Large entities in these sectors are essential entities; medium-sized entities in them are, with a few exceptions, important entities.
Annex II sectors (other critical sectors): postal and courier services, waste management, manufacture, production and distribution of chemicals, food production, processing and distribution, manufacturing (medical devices, computer and electronic products, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), research organisations. Entities in these sectors are important entities.
The size thresholds. An entity in one of the listed sectors is in scope if it is at least medium-sized under the EU SME definition (headcount or financials, whichever trips first):
- Medium enterprise: 50 or more employees, or annual turnover or balance sheet total above €10M
- Large enterprise: 250 or more employees, or annual turnover above €50M (or balance sheet total above €43M)
Regardless of size
Some entities are covered whatever their size (Article 2(2)): providers of public electronic communications networks or publicly available electronic communications services, trust service providers, TLD name registries and DNS service providers, and entities that a member state identifies as the sole provider of an essential service, as critical to public safety, security or health, or as critical at national or regional level. Cloud, data centre and CDN providers are not on that list; they are covered under the normal size thresholds.
The 10 Mandatory Cybersecurity Measures
Article 21(2) of NIS2 lists ten categories of cybersecurity risk-management measures that every in-scope entity, essential or important, must implement. The checklist below is a practitioner's grouping of those categories with concrete baselines attached. The baselines (TLS 1.2+, an SBOM, an annual review cycle) are recommendations, not text from the directive; the directive itself phrases MFA as "multi-factor authentication or continuous authentication solutions" where appropriate, and its point (f), policies and procedures to assess the effectiveness of the measures, is what the review cycle below is meant to satisfy.
1. Risk analysis and information system security policies
- ✓Documented risk assessment
- ✓Risk treatment plan
- ✓Annual review cycle
- ✓Board-level ownership
2. Incident handling
- ✓Detection capabilities
- ✓Incident response plan
- ✓24h notification process
- ✓Post-incident analysis
3. Business continuity and crisis management
- ✓BCP documented + tested
- ✓Disaster recovery plan
- ✓Backup strategy
- ✓Crisis management
4. Supply chain security
- ✓Vendor risk assessment
- ✓Security contractual requirements
- ✓SBOM / software inventory
- ✓Third-party monitoring
5. Access control and authentication
- ✓MFA for all accounts
- ✓Least privilege
- ✓Privileged access management
- ✓Regular access reviews
6. Cryptography and encryption
- ✓Encryption in transit (TLS 1.2+)
- ✓Encryption at rest
- ✓Key management policy
- ✓Certificate lifecycle management
The remaining four measures:
- Network security: segmentation, monitoring, anomaly detection
- Vulnerability management: patching process, vulnerability scanning, a vulnerability handling and disclosure policy
- Cyber hygiene and training: staff security awareness, phishing simulation, secure development training
- Asset management: software and hardware inventory, CMDB
Incident Reporting Obligations
NIS2 (Article 23) mandates a multi-stage reporting process for significant incidents, submitted to the national CSIRT or competent authority designated by each member state:
Stage 1: Early warning, within 24 hours of becoming aware of the incident. State that a significant incident has occurred or is suspected, whether it is suspected to have been caused by unlawful or malicious acts, and whether it could have a cross-border impact. Full details are not expected at this stage; the obligation is to report promptly, not comprehensively.
Stage 2: Incident notification, within 72 hours of becoming aware. Update the early warning with an initial assessment of the incident's severity and impact and, where available, indicators of compromise.
Stage 3: Intermediate report, on request. Status updates whenever the CSIRT or competent authority asks for them.
Stage 4: Final report, no later than one month after the incident notification was submitted. A detailed description including severity and impact, the type of threat or root cause that likely triggered the incident, the mitigation measures applied and still in place, and any cross-border impact. If the incident is still ongoing when that month is up, a progress report is due instead, with the final report within one month of the incident being handled.
What constitutes a "significant" incident (Article 23(3)): one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Note the "capable of causing" wording: an incident you contained quickly can still be reportable.
The 24-hour clock starts when you become aware, not when the attacker got in
Every deadline in Article 23 runs from the moment your organisation becomes aware of the incident; the date the intrusion actually began has no effect on the clock. That sounds lenient, but it still makes detection capability a compliance requirement rather than a best practice: incident handling is itself one of the Article 21 measures, the final report has to lay out the root cause and the full timeline, and a supervisor reviewing a breach that sat undetected for 30 days will ask why your measures did not catch it. Prompt reporting of a 30-day-old compromise satisfies Article 23; it does not satisfy Article 21.
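As an added example (not code from the original article), the small tracker below encodes the Article 23 timeline summarised above: it takes the moment of awareness, computes the 24-hour and 72-hour deadlines, derives the final-report deadline only once the incident notification has actually been submitted, and reports which stages are open, late or overdue. It deliberately keeps the first-compromise timestamp out of the deadline calculation, which is the point of the paragraph above. Two assumptions are mine: "one month" is treated as a calendar month clamped to the last valid day (31 January becomes 28 or 29 February), and the timestamps in the demo are constructed, not from a real incident.

```python
"""Deadline tracker for NIS2 significant-incident reporting (Article 23).

Illustrative example added to the article, not the author's code. Assumes:
early warning within 24 h and incident notification within 72 h of becoming
aware; final report no later than one month after the notification was
submitted. "One month" is taken as a calendar month clamped to the last valid
day of the following month (an assumption; national law may define it
differently).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

STAGES = ("early_warning", "incident_notification", "final_report")


def utc(year: int, month: int, day: int, hour: int = 0, minute: int = 0) -> datetime:
    """Convenience constructor for timezone-aware UTC timestamps."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def add_calendar_month(dt: datetime) -> datetime:
    """Same day and time next month, clamped to that month's last day (assumed rule)."""
    year, month = (dt.year + 1, 1) if dt.month == 12 else (dt.year, dt.month + 1)
    day = min(dt.day, calendar.monthrange(year, month)[1])
    return dt.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    early_warning: datetime
    incident_notification: datetime
    final_report: datetime | None  # unknown until the notification is actually submitted


def _require_aware(label: str, dt: datetime) -> None:
    # Deadlines are wall-clock obligations; a naive timestamp silently shifts them
    # by the host's UTC offset, so reject it rather than guess.
    if dt.tzinfo is None or dt.tzinfo.utcoffset(dt) is None:
        raise ValueError(f"{label} must be timezone-aware")


def compute_deadlines(aware_at: datetime, notified_at: datetime | None = None) -> ReportingDeadlines:
    """All clocks run from the moment the entity became aware of the incident.

    When the intrusion actually began plays no part: dwell time neither extends
    nor shortens the 24 h / 72 h windows.
    """
    _require_aware("aware_at", aware_at)
    final = None
    if notified_at is not None:
        _require_aware("notified_at", notified_at)
        if notified_at < aware_at:
            raise ValueError("incident notification cannot precede awareness")
        final = add_calendar_month(notified_at)
    return ReportingDeadlines(
        early_warning=aware_at + timedelta(hours=24),
        incident_notification=aware_at + timedelta(hours=72),
        final_report=final,
    )


def dwell_time(first_compromise: datetime, aware_at: datetime) -> timedelta:
    """How long the attacker was in before detection. This is what the final
    report's root-cause section has to explain; it is not what the deadline is."""
    _require_aware("first_compromise", first_compromise)
    _require_aware("aware_at", aware_at)
    return aware_at - first_compromise


def stage_status(deadlines: ReportingDeadlines, submitted: dict[str, datetime], now: datetime) -> dict[str, str]:
    """Per-stage view: on time / late for submitted reports, open / OVERDUE otherwise."""
    _require_aware("now", now)
    status: dict[str, str] = {}
    for stage in STAGES:
        due = getattr(deadlines, stage)
        sent = submitted.get(stage)
        if due is None:
            status[stage] = "not yet due (notification not submitted)"
        elif sent is not None:
            status[stage] = "on time" if sent <= due else "late"
        else:
            status[stage] = "OVERDUE" if now > due else "open"
    return status


if __name__ == "__main__":
    # Constructed timestamps: a 30-day dwell, then prompt reporting, then a missed final report.
    first_compromise = utc(2024, 12, 31, 3)
    aware = utc(2025, 1, 30, 14)
    notified = utc(2025, 1, 31, 9)
    deadlines = compute_deadlines(aware, notified)
    print("dwell time before detection:", dwell_time(first_compromise, aware))
    print("deadlines:", deadlines)
    print(stage_status(deadlines, {"early_warning": utc(2025, 1, 30, 20),
                                   "incident_notification": notified}, now=utc(2025, 3, 1, 12)))
```

The naive-timestamp check matters more than it looks: a deadline computed from a server's local time and compared against an authority portal's UTC timestamp can be off by hours, which is most of the early-warning window.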
Management Liability
One of the most significant changes in NIS2 versus the original directive is the accountability of management bodies. Article 20 requires management bodies (boards, executives) to approve the cybersecurity risk-management measures, oversee their implementation, and follow training themselves; they can be held liable for infringements. For essential entities, supervisors can go further (Article 32(5)): if other enforcement measures fail, they can request a temporary suspension of certifications or authorisations covering the relevant services, and a temporary ban on the CEO or legal representative exercising managerial functions until compliance is restored.
This means:
- Cybersecurity must be a standing board agenda item, not something discussed only during incidents
- Board members need enough competence to oversee the risk-management measures (Article 20(2) makes training for the management body mandatory and asks entities to offer similar training to staff on a regular basis)
- In practice the CISO, or whoever owns security, needs a reporting line to board level, since the board cannot exercise the oversight the directive assigns to it without one
- Board approval of the risk-management measures must be on record (minutes, a signed policy); that record is what a supervisor will ask for first
A Practical Compliance Roadmap
Phase 1: Scoping
Assess whether NIS2 applies to your organisation and whether you're Essential or Important. Check the sector classification, size thresholds, and review your member states' implementing legislation.
- →Identify the relevant competent authority in each member state you operate in
- →Determine your entity category (Essential vs. Important)
- →Identify applicable national legislation (each EU member state implements NIS2 slightly differently)
- →Register with the competent authority if required (mandatory in most states)
Phase 2: Gap assessment
Assess your current security posture against each of the 10 mandatory measures. Identify gaps and their severity. This becomes the basis for your compliance roadmap.
- →Conduct a formal risk assessment (ISO 27005 or NIST RMF methodology)
- →Review incident response capability against the 24h notification requirement
- →Assess supply chain security practices
- →Review board-level cybersecurity governance
Phase 3: Quick wins
Address the gaps that carry the highest compliance and operational risk first. Prioritise incident detection capability, MFA deployment, and incident response plan documentation.
- →Enforce MFA across all accounts (highest priority)
- →Document and test incident response plan
- →Establish 24h notification capability
- →Implement basic vulnerability management process
Phase 4: Full implementation
Complete implementation of all 10 mandatory measures. Establish the governance structures and recurring processes that maintain compliance over time.
- →Implement supply chain security assessments
- →Establish business continuity and disaster recovery plans
- →Deploy comprehensive network monitoring
- →Launch staff security awareness programme
- →Complete asset inventory (hardware + software)
The ISO 27001 Connection
ISO 27001 and NIS2 have significant overlap. If your organisation already holds ISO 27001 certification, you've completed a substantial portion of the NIS2 compliance journey. The main gaps between ISO 27001 and NIS2 are typically:
- Incident reporting: ISO 27001 doesn't mandate specific external notification timelines; NIS2 does
- Supply chain security: NIS2 is more prescriptive about vendor risk management
- Management liability: NIS2 explicitly mandates board-level competence and accountability
- Sector-specific requirements: NIS2 implementing legislation in each member state may add sector-specific requirements beyond ISO 27001's scope
If you're not ISO 27001 certified, pursuing it as part of your NIS2 compliance programme is worth considering — it provides a recognised international standard that demonstrates compliance maturity beyond NIS2 alone.
Use NIS2 as a business driver, not just compliance
NIS2 compliance requires you to implement controls that genuinely reduce your security risk: MFA, incident response, supply chain security, business continuity. These aren't just boxes to tick — they're investments that make your business more resilient. Frame the compliance programme as a security improvement programme that happens to satisfy regulatory requirements.
Cybersecurity compliance — including NIS2, ISO 27001, GDPR, and sector-specific frameworks — is one of my core areas of practice. If you need an independent assessment of your NIS2 readiness or a compliance roadmap, let's talk.