For CISOs, security leaders, and compliance teams
NIS2 Directive Compliance Made Manageable
Turn NIS2 obligations into assigned controls, linked evidence, and board-visible progress across risk management, incidents, supplier governance, and oversight duties.
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It establishes a high common level of cybersecurity across the European Union, significantly expanding the scope from roughly 10,000 entities under NIS1 to over 160,000 under NIS2.
NIS2 introduces stricter requirements for risk management, incident reporting, supply chain security, and governance, including personal accountability for management bodies. Member States were required to transpose the directive into national law by October 2024.
Timeline and Compliance Milestones
The NIS2 Directive was adopted in December 2022 with a 21-month transposition period. The 17 October 2024 transposition deadline has passed, while national implementation and enforcement remain uneven across Member States. Use this timeline to benchmark urgency and sequence readiness activities.
- European Commission proposes the NIS2 Directive to replace the original NIS Directive from 2016
- Directive adopted and published in the Official Journal; 21-month transposition period begins
- Article 41(1) transposition deadline (17 October); NIS2 applies from 18 October 2024, and the original NIS Directive is repealed from the same date under Article 44
- Article 3(3) deadline for Member States to compile and maintain lists of essential entities, important entities, and entities providing domain name registration services
- European Commission issues reasoned opinions to 19 Member States for not notifying full transposition after the October 2024 deadline
- First Commission review of NIS2 functioning and effectiveness (Article 40)
Who is Subject to NIS2?
NIS2 uses a size-cap rule combined with sector classification for most entities. Certain digital and ICT service providers can also be in scope even when not established in the EU.
The Size-Cap Rule (Article 2)
Organizations in covered sectors are in scope if they meet either threshold:
Size is not decisive for every entity. Article 2(2) lists exceptions that are in scope regardless of size, including DNS service providers, TLD name registries, trust service providers, and certain public electronic communications entities.
Annex I (Sectors of High Criticality)
Mostly essential entities. Stricter (proactive) supervision and a minimum maximum fine of at least €10M / 2%.
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
Annex II (Other Critical Sectors)
Mostly important entities. Reactive supervision and a minimum maximum fine of at least €7M / 1.4%.
- Postal and courier services
- Waste management
- Chemicals
- Food production & distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (marketplaces, search engines, social networks)
- Research organisations
Article 26 Jurisdiction for Certain Non-EU Providers
Article 26(1)(b) applies to specific non-EU digital and ICT providers offering services in the EU: DNS service providers, TLD name registries, domain name registration service providers, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines, and social networking services. These entities must designate a representative in one Member State where services are offered.
Example: A US-based cloud provider serving EU customers can fall within Article 26 jurisdiction even without an EU office. It must appoint an EU representative and comply with NIS2 obligations that apply to its service category.
10 Mandatory Cybersecurity Measures
Article 21(2) of NIS2 prescribes 10 minimum cybersecurity risk-management measures that both essential and important entities must implement.
Risk Analysis & Security Policies
Establish and maintain comprehensive risk analysis and information system security policies.
Incident Handling
Prevention, detection, analysis, containment, response, and recovery from security incidents.
Business Continuity
Backup management, disaster recovery, and crisis management procedures.
Supply Chain Security
Assess and manage security risks from direct suppliers and service providers.
Secure Development & Vulnerability Handling
Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure where appropriate.
Effectiveness Assessment
Policies and procedures to regularly assess the effectiveness of cybersecurity measures.
Cyber Hygiene & Training
Basic cyber hygiene practices and cybersecurity training across staff. In addition, Article 20(2) makes cybersecurity training mandatory for members of management bodies.
Cryptography & Encryption
Policies governing the use of cryptography and encryption where applicable.
Access Control & HR Security
Human resources security, access control policies, and comprehensive asset management.
Multi-Factor Authentication
Multi-factor authentication or continuous authentication solutions, secured communications, and secured emergency communication systems, where appropriate.
Incident Reporting Timeline
NIS2 introduces strict incident reporting obligations under Article 23. Organizations must report significant incidents in four stages.
Early Warning
Article 23(4)(a). Submit an early warning to the CSIRT or competent authority, indicating whether the incident is suspected of being caused by unlawful or malicious acts or could have a cross-border impact.
Incident Notification
Article 23(4)(b). Provide an incident notification that updates the early warning with an initial assessment of the incident, including its severity and impact and, where available, indicators of compromise.
Intermediate Report
Article 23(4)(c). On request from the CSIRT or competent authority, provide relevant status updates while the incident is still being handled.
Final Report
Article 23(4)(d). Within one month after the 72-hour incident notification, deliver a final report covering root cause analysis, the mitigation measures applied, and any cross-border impact. Article 23(4)(e) sets a progress-report rule for incidents that are still ongoing at that point.
Penalties for Non-Compliance
Article 34 sets minimum maximum administrative fines: member states must allow at least the figures below, and national law may set higher caps.
Essential Entities
Article 34(4): minimum maximum fine of at least €10M / 2%. Essential entities mostly come from the Annex I sectors of high criticality (energy, transport, banking, health, digital infrastructure) and are subject to proactive supervision.
Important Entities
Article 34(5): minimum maximum fine of at least €7M / 1.4%. Important entities mostly come from the Annex II other-critical sectors (manufacturing, food, chemicals, postal services, digital providers, research) and are subject to reactive supervision.
Under Article 20, management bodies must approve and oversee the Article 21(2) cybersecurity risk-management measures and may be held liable for failures. For essential entities, supervisory authorities can also exercise the exceptional Article 32(5) power to request a temporary prohibition of CEO or legal-representative-level duties when measures remain ineffective despite enforcement.
How Modulos Helps with NIS2 Compliance
Modulos gives compliance and security teams one workflow for requirements, controls, evidence, reviews, and exports. This helps you move faster from legal text to operational execution with clearer ownership and stronger auditability.
Translate NIS2 obligations into structured requirements and mapped controls so teams know exactly what needs to be done and by whom.
FAQ about NIS2
The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s updated cybersecurity legislation, replacing the original NIS Directive of 2016. It expands the scope of regulated entities, raises baseline cybersecurity requirements, and tightens incident reporting obligations. EU member states had to transpose NIS2 into national law by 17 October 2024.
How NIS2 fits with other frameworks
Most security teams run NIS2 alongside other regimes rather than instead of them.
Article 21(2) of NIS2 maps directly onto the controls in ISO/IEC 27001 for information security; ISO/IEC 42001 supports the AI-management portion indirectly. There is no formal presumption of conformity, but most mature security programs run NIS2 inside an ISO/IEC 27001 management system.
For financial sector entities, Article 4 of NIS2 disapplies equivalent NIS2 risk-management and incident-reporting provisions where the Digital Operational Resilience Act (DORA) covers the same matter. NIS2 governance and supply-chain provisions that are not covered by DORA may still apply alongside.
For AI systems specifically, the EU AI Act and GDPR sit alongside NIS2 with overlapping risk-management and supply-chain expectations. Risk operating models such as the NIST AI RMF support the Article 21(2)(a) risk-analysis duty without substituting for it.
For US-attestation work, SOC 2 control sets often share evidence with NIS2 cybersecurity-measure controls, especially around access, change, and incident management.
Need a Practical NIS2 Rollout Plan?
In a live walkthrough, see how to structure obligations, assign owners, and prepare audit-ready evidence without duplicating work.
