What Is the NIS2 Directive?
The NIS2 Directive, officially known as the Network and Information Systems Directive 2, is a European Union law aimed at enhancing cybersecurity across the continent. It builds upon the original NIS Directive by expanding its scope and strengthening its requirements, particularly for critical infrastructure and essential services. The directive’s primary goal is to improve the overall cyber resilience of organizations and ensure a higher level of security for digital infrastructure.
NIS2 applies to a wide range of organizations, including those operating in critical infrastructure sectors, those considered essential for society, and those providing digital services. To determine if your organization needs to comply, consider these factors:
- Sector: Does your organization operate in one of the sectors covered by NIS2?
- Size: Is your organization a mid-size or large company (e.g., at least 50 employees and 10 million euros in annual revenue)?
- Location: Does your organization offer services or products within the EU?
Organizations within the NIS2 Directive’s scope are required to improve their cybersecurity posture through various technical and organizational measures. The directive mandates risk management, improved incident response, and rigorous oversight, extending beyond IT providers to a wider range of sectors and services.
Evolution from NIS to NIS2
The original NIS Directive, adopted in 2016, was the EU’s first attempt to create a common baseline for cybersecurity across Member States. While it improved cooperation and set basic security and incident reporting obligations, its scope was limited, and enforcement varied significantly. Member States could choose which entities were considered “operators of essential services,” leading to inconsistent application.
NIS2 addresses these shortcomings by expanding coverage to more sectors, including public administration, waste management, space, and manufacturing of critical products. It introduces a clear distinction between “essential” and “important” entities, both of which face binding requirements. The directive also strengthens supervision and enforcement, requiring Member States to impose stricter penalties for non-compliance.
Another key change is harmonization: NIS2 reduces national discretion, defining uniform risk management measures, incident reporting rules, and supply chain security requirements. This shift aims to create a more predictable and cohesive cybersecurity framework across the EU.
Key Objectives of NIS2
The NIS2 Directive focuses on creating a consistent and high level of cybersecurity across the EU by addressing gaps in the original framework and adapting to modern threats. Its main objectives include:
- Expanding sector coverage: Bringing more sectors and types of entities under its scope, ensuring that not only traditional critical infrastructure but also other high-impact industries follow common security standards.
- Improving risk management: Requiring organizations to adopt cybersecurity risk management practices, covering prevention, detection, response, and recovery.
- Enhancing incident reporting: Setting clear and uniform deadlines and procedures for notifying authorities about significant incidents, enabling faster cross-border coordination.
- Strengthening supply chain security: Mandating assessment and management of risks from third-party vendors and service providers to reduce vulnerabilities in interconnected systems.
- Increasing accountability and enforcement: Introducing stricter supervisory powers and financial penalties to ensure that compliance is not optional but an operational priority.
- Promoting EU-wide harmonization: Reducing differences in national implementation so that organizations operating in multiple Member States face consistent requirements.
Related content: Read our guide to NIS2 checklist
Tips from the expert:
In my experience, here are tips that can help you better adapt to NIS2 compliance:
- Map business processes, not just assets: Go beyond technical inventories and create detailed maps showing how data and systems support critical business workflows. This helps pinpoint where a cyber incident would cause the most disruption and aids in prioritizing protections.
- Establish “reporting dry runs”: Conduct timed mock incident reports to simulate the 24-hour NIS2 reporting requirement. This identifies bottlenecks in communication, legal review, and technical evidence gathering before a real incident happens.
- Use threat modeling at the sector level: Instead of generic threat catalogs, develop sector-specific attack scenarios (e.g., SCADA compromises in energy, DNS hijacking for digital infrastructure). This makes your controls directly relevant to your risk profile.
- Integrate NIS2 into procurement governance: Ensure that procurement teams have NIS2-specific clauses, vendor security questionnaires, and termination rights built into contracts from the start—retroactive fixes are much harder to enforce.
- Maintain a “compliance evidence vault”: Keep a dedicated, auditable repository for all risk assessments, test results, supplier evaluations, and incident logs. This accelerates regulatory inspections and proves continuous compliance.
Scope of Entities Covered by NIS2
Essential Entities
Essential entities under NIS2 include organizations whose services are critical to maintaining key societal functions, economic activities, and public safety. This category includes, but is not limited to, operators in energy, transport, banking, financial market infrastructure, healthcare, water supply, and digital infrastructure.
Being categorized as essential means these entities must adhere to the strictest security obligations set by the directive. Regulators place significant emphasis on these organizations due to the catastrophic consequences that could result from security failures.
Essential entities are typically identified based on the scale at which they operate and the potential cross-border effects of any operational disruption or data breach. They are subject to rigorous supervision and must demonstrate ongoing compliance through both technical measures and transparent reporting requirements.
Important Entities
Important entities represent organizations that, while not as critical as those in the essential category, are still significant for the functioning of vital societal and economic activities. These may include certain providers in postal services, waste management, chemicals, food, manufacturing, and smaller digital services.
Although subject to a slightly reduced level of regulatory scrutiny compared to essential entities, they are still required to implement cybersecurity measures and report incidents effectively. The inclusion of important entities expands the risk management net, ensuring that vulnerabilities in supporting sectors do not lead to cascading effects across the larger ecosystem.
These organizations are generally defined based on the nature and scale of their service provision, as well as the potential impact on public security and economic stability if compromised. NIS2 ensures that oversight remains proportionate but effective.
Key Sectors Impacted by NIS2
The NIS2 Directive applies to a wider range of sectors than its predecessor, reflecting the increasing interdependence of modern infrastructure. It targets both essential and important entities across industries where disruptions can have significant societal or economic consequences:
- Energy: Covers electricity, oil, and gas supply, including generation, transmission, distribution, and storage.
- Transport: Includes air, rail, water, and road transport operators, as well as traffic management systems.
- Banking and financial market infrastructure: Encompasses credit institutions, payment service providers, trading venues, and central counterparties.
- Healthcare: Extends beyond hospitals to cover laboratories, pharmaceutical manufacturers, and medical device suppliers.
- Drinking water and wastewater: Involves supply networks, treatment facilities, and distribution systems.
- Digital infrastructure: Includes domain name system (DNS) providers, data centers, cloud service providers, and content delivery networks.
- Public administration: Brings in central and regional government bodies, as well as key agencies.
- Manufacturing of critical products: Targets production of items such as medical devices, pharmaceuticals, chemicals, electronics, and aerospace components.
Core Cybersecurity Requirements Under NIS2
Risk Management Measures
NIS2 obligates entities to adopt systematic risk management measures proportional to the risks they face. This includes the identification and evaluation of both internal and external threats, followed by the implementation of appropriate technical and organizational controls. Risk management is not limited to technological fixes; it also requires ongoing assessment, planning, and integration with broader business processes.
Organizations must establish accountability and ensure their security policies are well-documented and regularly updated. Continuous monitoring, vulnerability management, and periodic audits form a core part of the risk management approach.
The directive expects organizations to be proactive, anticipating new threats, learning from past incidents, and ensuring their measures remain fit for purpose as the threat landscape evolves. Regular employee training and a security culture across all levels of the organization are essential to maintaining effective risk management under NIS2.
Incident Response and Reporting Obligations
Entities covered by NIS2 must develop incident response capabilities, ensuring they can detect, mitigate, and recover from security incidents efficiently. This involves establishing dedicated incident response teams, protocols for escalation, and clear lines of communication for both internal and external stakeholders.
The emphasis is on minimizing impact, restoring normal operations rapidly, and learning from each incident to prevent future occurrences. Reporting obligations are much stricter under NIS2 than before. Organizations are required to notify the relevant national authorities or CSIRTs within tight timelines, often within 24 hours of becoming aware of an incident.
Reports must include detailed information about the nature, impact, and mitigation measures taken. These strict reporting and response standards drive higher organizational readiness and enable authorities to coordinate responses on a national and EU-wide scale.
Business Continuity and Crisis Management
Business continuity requirements under NIS2 focus on ensuring essential functions can resume or be maintained during and after a cyber incident. Organizations must identify critical operations, develop continuity plans, and conduct regular scenario-based tests. Planning includes the allocation of resources and clearly defined responsibilities to handle disruptions, regardless of their origin.
Crisis management extends this concept to incident escalation, communication with public authorities, and coordination with external partners. Entities must prepare for severe, large-scale incidents by having tested frameworks for crisis decision-making, public communication, and resource reallocation.
NIS2 mandates that these plans are not static; organizations must continuously review and adapt their strategies in response to tests, exercises, and changes in threats or operations.
Supply Chain Security
NIS2 recognizes that supply chain vulnerabilities can undermine an organization’s own security posture, regardless of its internal measures. The directive requires organizations to map, assess, and manage risks introduced by external suppliers and service providers. This includes vetting vendors, conducting regular security assessments, and formalizing contractual requirements for cybersecurity standards.
Supply chain security extends to building strong relationships with suppliers, sharing threat intelligence, and planning for third-party incident management. Entities must also anticipate and mitigate risks from downstream providers, such as software updates or outsourced IT functions. NIS2’s emphasis on supply chain security makes it clear that cybersecurity must cover every link in the operational chain.
Access Control and Identity Management
Stringent access control is a cornerstone of NIS2 compliance. Entities must ensure only authorized individuals can access critical systems and data, applying the principle of least privilege throughout the organization. This involves implementing identity management solutions, multi-factor authentication, and regular reviews of existing permissions and user roles.
Ongoing monitoring, logging, and auditing of user access activities are required to quickly detect unauthorized or anomalous behavior. Strong onboarding and offboarding procedures, combined with regular staff training, help prevent common access-related vulnerabilities.
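As an added illustration of the permission-review and access-monitoring practices described above (example code written for this page, not code from the article or from Faddom), the following Python script runs a least-privilege review over a constructed set of identity records and then scans constructed audit-log lines for the kinds of anomalies the directive expects organizations to detect. The role baseline, user records, thresholds (90-day dormancy and review intervals, three failed logins, 07:00 to 19:00 UTC working hours) and the key=value log format are all assumptions made for the example.

```python
"""Added example (not from the article): a minimal access review and
audit-log check of the kind NIS2's access-control requirements call for.
All user records, role baselines and log lines below are constructed."""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed identity records; 'entitlements' are the permissions actually granted.
USERS = [
    {"user": "alice", "role": "dba", "mfa": True,
     "last_login": "2024-05-28T09:12:00Z", "last_review": "2024-03-20",
     "entitlements": {"db-prod:admin"}},
    {"user": "bob", "role": "helpdesk", "mfa": False,
     "last_login": "2024-05-30T14:03:00Z", "last_review": "2023-10-15",
     "entitlements": {"db-prod:admin", "ticketing:agent"}},
    {"user": "carol", "role": "dba", "mfa": True,
     "last_login": "2024-01-10T08:00:00Z", "last_review": "2024-05-01",
     "entitlements": {"db-prod:admin"}},
]
# Constructed least-privilege baseline: what each role should hold and nothing more.
ROLE_BASELINE = {"dba": {"db-prod:admin"}, "helpdesk": {"ticketing:agent"}}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so results are reproducible


def _ts(s):
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def review_entitlements(users=USERS, baseline=ROLE_BASELINE, now=NOW,
                        stale_days=90, review_days=90):
    """Periodic permission review: returns (user, finding) pairs."""
    findings = []
    for u in users:
        # Anything granted beyond the role baseline violates least privilege.
        for e in sorted(u["entitlements"] - baseline.get(u["role"], set())):
            findings.append((u["user"], f"entitlement outside role baseline: {e}"))
        if any(e.endswith(":admin") for e in u["entitlements"]) and not u["mfa"]:
            findings.append((u["user"], "privileged access without MFA"))
        if now - _ts(u["last_login"]) > timedelta(days=stale_days):
            findings.append((u["user"], f"no login in {stale_days} days (dormant account)"))
        if now - _ts(u["last_review"] + "T00:00:00Z") > timedelta(days=review_days):
            findings.append((u["user"], "access review overdue"))
    return findings


# Constructed audit-log lines (assumed key=value format, UTC timestamps).
AUDIT_LOG = """\
2024-05-30T14:03:11Z user=bob action=login result=success src=198.51.100.4
2024-05-30T14:05:40Z user=bob action=access resource=db-prod result=success
2024-05-31T02:17:02Z user=alice action=login result=success src=203.0.113.9
2024-05-31T02:18:30Z user=alice action=access resource=db-prod result=success
2024-05-31T09:00:01Z user=carol action=login result=failure src=203.0.113.22
2024-05-31T09:00:09Z user=carol action=login result=failure src=203.0.113.22
2024-05-31T09:00:15Z user=carol action=login result=failure src=203.0.113.22
2024-05-31T10:30:00Z user=dave action=access resource=ticketing result=success
2024-05-31T11:00:00Z user=alice action=access resource=ticketing result=success
"""


def parse_line(line):
    """Turn one 'timestamp key=value ...' line into a dict with an aware 'ts'."""
    ts, *kv = line.split()
    rec = dict(pair.split("=", 1) for pair in kv)
    rec["ts"] = _ts(ts)
    return rec


def detect_anomalies(log_text=AUDIT_LOG, users=USERS, work_hours=(7, 19), fail_threshold=3):
    """Audit-log review: flags unknown accounts, repeated authentication failures,
    access with no matching entitlement, and out-of-hours resource access."""
    known = {u["user"]: u for u in users}
    failures = Counter()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse_line(line)
        if r["user"] not in known:
            alerts.append((r["user"], "activity by account not in identity inventory"))
            continue
        if r["action"] == "login":
            if r["result"] == "failure":
                failures[r["user"]] += 1
                if failures[r["user"]] == fail_threshold:
                    alerts.append((r["user"], f"{fail_threshold} failed logins since last successful login"))
            else:
                failures[r["user"]] = 0
        elif r["action"] == "access":
            res = r["resource"]
            # Access that succeeded without a granted entitlement points to an enforcement gap.
            if not any(e.startswith(res + ":") for e in known[r["user"]]["entitlements"]):
                alerts.append((r["user"], f"access to {res} with no matching entitlement"))
            if not work_hours[0] <= r["ts"].hour < work_hours[1]:
                alerts.append((r["user"], f"access to {res} outside working hours"))
    return alerts


if __name__ == "__main__":
    for user, finding in review_entitlements() + detect_anomalies():
        print(f"{user:<6} {finding}")
```

The review and the log scan are deliberately separate functions: the first is the evidence a periodic access review produces (and belongs in the compliance records), the second is the continuous monitoring signal that should feed the incident response process.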
NIS2 Enforcement and Penalties
Enforcement under NIS2 is significantly stronger than in the original directive, reflecting the EU’s aim to make compliance a binding operational requirement rather than a voluntary best practice. Member States must designate national competent authorities with clear supervisory powers to monitor covered entities. These authorities can conduct inspections, request documentation, perform security audits, and require proof of risk management implementation.
Supervision is applied differently for essential and important entities. Essential entities are subject to proactive oversight, meaning authorities can carry out regular checks without prior indication of non-compliance. Important entities are monitored reactively, with investigations triggered by evidence or reports of violations.
Penalties for non-compliance are harmonized across the EU to ensure consistent deterrence. For essential entities, fines can reach up to €10 million or 2% of the organization’s total worldwide annual turnover, whichever is higher. For important entities, the cap is €7 million or 1.4% of turnover. Member States may impose additional corrective measures, such as binding instructions, temporary suspension of operations, or public disclosure of violations.
NIS2 also introduces personal accountability. Senior management can be held responsible for serious compliance failures, with obligations to oversee and approve cybersecurity risk management measures. Repeated or severe violations can lead to temporary bans from managerial functions.
NIS2 Integration with Other EU Regulations
NIS2 is part of a wider EU regulatory framework aimed at strengthening digital resilience, data protection, and operational stability. Many entities within its scope are also subject to other sector-specific or horizontal regulations, requiring coordinated compliance strategies to avoid overlap and conflicts.
One key intersection is with the General Data Protection Regulation (GDPR). While GDPR focuses on protecting personal data and privacy, NIS2 addresses the broader security of networks and information systems. A cyber incident involving personal data may trigger both NIS2 reporting obligations and GDPR breach notifications, often within similar timeframes. Organizations must align their incident response processes to satisfy both requirements without duplication or delay.
Another important link is with the Digital Operational Resilience Act (DORA), which targets the financial sector. For financial entities, DORA introduces detailed ICT risk management, testing, and third-party oversight requirements. NIS2 obligations apply alongside DORA, but in cases of overlap, DORA’s sector-specific rules generally take precedence while still maintaining alignment with NIS2’s core principles.
NIS2 also connects with sectoral legislation, such as the CER Directive (on critical entities resilience), which addresses physical security and resilience in critical sectors. Together, CER and NIS2 create a dual focus on both cyber and physical threats. Similarly, links exist with regulations like the EU Cybersecurity Act, which sets certification schemes that can be leveraged to demonstrate compliance with NIS2’s technical measures.
This regulatory integration means that organizations must adopt a holistic compliance framework, mapping obligations from multiple EU laws into a single governance, risk, and compliance (GRC) process. Proper alignment avoids gaps, reduces duplicated effort, and ensures consistent security and reporting across legal regimes.
Best Practices for NIS2 Compliance
Here are some of the ways organizations can work toward compliance with the NIS2 Directive.
1. Perform a Comprehensive Inventory of All IT Assets
Organizations must identify and catalogue all hardware, software, data, and network components that support the delivery of essential and important services. This process extends to cloud services, mobile devices, and any remote endpoints, ensuring a complete overview of the digital landscape. Visibility into all assets is critical to recognize vulnerabilities, prioritize risks, and implement targeted controls.
Regular review and updating of the inventory are essential, especially as systems change, assets are added or retired, or new threats emerge. Effective inventory management supports rapid incident response by helping teams quickly identify affected systems during a breach. An accurate asset inventory also underpins other compliance initiatives, such as vulnerability scanning, patch management, and supply chain risk assessments.
2. Adopt a Risk-Based Approach
A risk-based approach starts with a thorough assessment of the threats facing an organization’s assets, services, and operations. NIS2 places significant emphasis on understanding and prioritizing risks in context, rather than applying generic controls. This means evaluating the likelihood and impact of various cyber risks, mapping dependencies, and allocating resources to the protection of the most critical assets.
The risk-based methodology is not a one-time exercise but an ongoing process of monitoring, reviewing, and updating with the changing threat landscape and operational realities. Engaging senior management, relevant business units, and technical staff in risk discussions ensures that risk ownership is distributed and that mitigation strategies are practical.
3. Establish a Formal Response Plan
A formal incident response plan enables organizations to react systematically and effectively when cybersecurity incidents occur. Under NIS2, this means having predefined roles, responsibilities, and communication channels, as well as escalation procedures for critical situations. Plans should detail detection, containment, eradication, and recovery steps for likely incident scenarios, ensuring that staff know exactly how to respond under pressure.
Regular testing and refresher training are crucial to ensure these response plans are practical and up-to-date. Tabletop exercises and live drills help expose flaws, improve coordination, and foster confidence among team members.
4. Ensure Third-Party Due Diligence
Organizations subject to NIS2 must apply due diligence to third-party vendors, contractors, and partners, especially those with access to critical systems or sensitive data. This involves evaluating the cybersecurity posture of suppliers before onboarding and enforcing clear standards via contracts and ongoing assessments.
Risk assessments must extend throughout the vendor lifecycle, including periodic reviews and the swift remediation of identified issues. Third-party due diligence also requires integrating supply chain risk management into overall cybersecurity governance. This includes sharing threat intelligence, coordinating on incident response, and ensuring vendors are aware of their reporting obligations under NIS2.
5. Establish an ISMS
Implementing an information security management system (ISMS) is a best-practice approach recommended under NIS2 for continuous, structured oversight of cybersecurity policies, controls, and objectives. An ISMS, often based on frameworks such as ISO/IEC 27001, provides a governance structure to identify risks, allocate security resources, assign responsibilities, and measure ongoing effectiveness.
This systematic approach aligns with NIS2’s focus on ongoing, lifecycle-based security management. Routine ISMS activities, such as internal audits, management reviews, and iterative improvements, ensure that organizations can adapt to both evolving threats and changing regulatory requirements. The ISMS framework also supports demonstrable compliance, as records, processes, and policies are centrally managed and regularly updated.
Easier NIS2 Compliance with Faddom
Meeting NIS2 requirements depends on having complete visibility into IT assets, applications, and dependencies. Without this visibility, assessing risks, enforcing segmentation, or responding effectively to incidents becomes nearly impossible. Faddom provides real-time, agentless application dependency mapping that automatically discovers servers, business applications, and traffic flows across hybrid, cloud, and on-premises environments.
This transparency ensures organizations can maintain accurate inventories, uncover risky connections, and identify hidden dependencies that may compromise compliance. With continuously updated maps and AI-driven anomaly detection, Faddom helps IT and security teams strengthen governance, reduce blind spots, and meet NIS2’s strict risk management and reporting standards.
Discover how Faddom can simplify your NIS2 compliance journey!