NIS2 Compliance Checker
Scope determination · Article 21 gap analysis · 55 controls · PDF export · 100% client-side
Organisation Profile (all fields required)
Article 21 — Cybersecurity Measures Gap Assessment
Rate each control: ✓ Implemented · ~ Partial · ✗ Not implemented · N/A
About the NIS2 Directive
What is NIS2?

NIS2 (Directive 2022/2555) is the EU's updated Network and Information Systems Directive, replacing NIS1. It significantly expands the scope of organisations required to implement cybersecurity measures, introduces stricter incident reporting obligations (24-hour early warning, 72-hour notification), and holds management personally liable for compliance failures. Member states were required to transpose NIS2 into national law by 17 October 2024.

Essential vs Important Entities

NIS2 distinguishes between Essential Entities (Annex I — energy, transport, banking, health, water, digital infrastructure) and Important Entities (Annex II — postal, waste, chemicals, food, manufacturing, digital providers). Essential entities face stricter supervision and fines of up to €10M or 2% of global turnover. Important entities face fines of up to €7M or 1.4% of global turnover.

Who must comply with NIS2?

Medium and large enterprises in Annex I/II sectors must comply. Micro and small enterprises (<50 employees, <€10M turnover) are generally excluded unless they are sole national providers, operate in specific high-risk sub-sectors, or member states expand scope nationally. Always verify with your national competent authority.

The 10 Article 21 Measures
  • Risk analysis & information security policies
  • Incident handling and reporting
  • Business continuity & disaster recovery
  • Supply chain security
  • Security in acquisition, development & maintenance
  • Policies to assess cybersecurity effectiveness
  • Cyber hygiene practices and training
  • Cryptography and encryption policies
  • HR security, access control & asset management
  • MFA and secure communications
NIS2 Incident Reporting Deadlines

24 hours — early warning to CSIRT/competent authority. 72 hours — incident notification with severity assessment and indicators of compromise. 1 month — final report with root cause analysis, mitigation and cross-border impact. Failure to report is itself a sanctionable offence.

NIS2 & Related Frameworks

NIS2 overlaps with DORA (financial entities), GDPR (data protection), the CER Directive (critical infrastructure), and ISO/IEC 27001. ISO 27001-certified organisations will find significant control overlap, but NIS2 adds specific incident notification timelines, supply chain requirements, and management personal liability provisions that ISO 27001 alone does not cover.

Sectors & Obligations
Full list of NIS2 sectors (Annex I & II)

Annex I — Essential Entities: Energy (electricity, oil & gas, hydrogen, district heating/cooling), Transport (air, rail, water, road), Banking, Financial market infrastructure, Health, Drinking water, Wastewater, Digital infrastructure (IXPs, DNS, TLD registries, cloud computing, data centres, CDN, trust services, electronic communications), ICT service management (B2B), Space, Public administration (central and regional government).

Annex II — Important Entities: Postal and courier services, Waste management, Manufacture/production/distribution of chemicals, Food production/processing/distribution, Manufacturing (medical devices, computers & electronics, electrical equipment, machinery, motor vehicles, aerospace, other transport equipment), Digital providers (online marketplaces, search engines, social networking platforms), Research organisations.

Disclaimer: This tool provides a preliminary indication only and does not constitute legal advice. NIS2 applicability depends on national transposition law which varies by EU member state. Always verify with your national competent authority or qualified legal counsel. Nothing is uploaded — all data stays in your browser.