NIS2 Directive
Compliance Made
Manageable

NIS2 stands for the second Network and Information Security Directive (Directive (EU) 2022/2555). It is the EU’s second-generation cybersecurity framework for essential and important entities, replacing Directive (EU) 2016/1148. NIS2 raises baseline cybersecurity requirements, expands sectoral scope, and tightens incident reporting across 18 sectors.

The NIS2 Directive entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024 under Article 41, with NIS2 applicable and the original NIS Directive (2016/1148) repealed from 18 October 2024 under Article 44. On 7 May 2025 the European Commission issued reasoned opinions to 19 Member States for non-full transposition. Verify the country-specific implementation status before relying on national readiness.

Yes, for entities in scope. NIS2 is binding EU law transposed into national legislation across the member states. In-scope essential and important entities must implement the Article 21(2) cybersecurity risk-management measures and the Article 23 incident reporting obligations. Non-compliance exposes entities to Article 34 administrative fines, with additional enforcement powers for essential entities under Article 32.

NIS2 covers two annexes. Annex I lists sectors of high criticality (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management (B2B), public administration, space). Annex II lists other critical sectors (postal and courier services, waste management, chemicals, food, manufacturing, digital providers, research). Article 3 then sets the classification rule for essential vs important status, based on sector, entity size, special provider categories, and Member State CER identification.

Medium and large entities (≥ 50 employees or > €10M annual turnover or balance sheet) operating in the 18 sectors listed in Annexes I and II. Article 2(2) also brings certain entities into scope regardless of size, including DNS service providers, TLD name registries, trust service providers, and specific public electronic communications providers. Non-EU digital and ICT providers in the Article 26(1)(b) categories that offer those services in the EU also fall under Article 26 jurisdiction in addition to the Article 2 scope rules.

The UK has not adopted NIS2; it follows the UK NIS Regulations 2018, with a UK Cyber Security and Resilience Bill introduced to Parliament in November 2025 as the planned NIS2-equivalent reform. UK companies that fall within the Article 26(1)(b) provider categories (DNS, TLD, domain registration, cloud, data centre, CDN, managed services, managed security services, online marketplaces, search engines, social platforms) and offer those services in the EU may fall under NIS2 jurisdiction for those services. The UK domestic regime and EU NIS2 obligations can apply simultaneously.

Article 21(2) sets ten cybersecurity risk-management measures: (a) risk-analysis and information-system security policies; (b) incident handling; (c) business continuity, backup, and crisis management; (d) supply-chain security; (e) security in network and information-system acquisition, development, and maintenance with vulnerability handling; (f) effectiveness assessment of risk-management measures; (g) basic cyber hygiene and cybersecurity training; (h) cryptography policies; (i) human-resources security, access control, and asset management; (j) multi-factor authentication and secured communications. Article 23 adds incident-reporting obligations on top.

Article 23(4) sets four stages for significant incidents: (a) an early warning to the CSIRT or competent authority within 24 hours of becoming aware; (b) an incident notification within 72 hours of awareness, with an initial severity and impact assessment; (c) an intermediate report on request; (d) a final report within one month of the incident notification under (b). For ongoing incidents, a progress report is also required.

Under Article 34, member states must allow administrative fines of at least €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities, and at least €7 million or 1.4% for important entities. National caps may be set higher. Article 20 makes management bodies responsible for approving and overseeing the Article 21(2) measures and exposes them to individual liability. For essential entities, supervisory authorities can also exercise the exceptional Article 32(5) power to request a temporary prohibition of CEO or legal-representative duties when measures remain ineffective.

Most NIS2 Article 21(2) risk-management measures map directly to ISO/IEC 27001 controls. Holding ISO/IEC 27001 certification does not satisfy NIS2 by itself: there is no formal presumption of conformity in the directive. It does provide a defensible operational baseline that significantly reduces NIS2 implementation effort, which is why most mature security programs operate ISO/IEC 27001 inside their NIS2 compliance approach.

Modulos automates the governance, risk, and compliance workflow that NIS2 Article 21(2) expects: risk-management policy documentation, incident-response evidence, supply-chain risk records, and audit trails for security controls. Controls map across NIS2, ISO/IEC 27001, ISO/IEC 42001, the EU AI Act, and SOC 2 simultaneously, so one evidence pipeline serves multiple frameworks.