
NIS2 Directive Explained: Who It Affects, Requirements & Penalties

Metrica.uno Team
5 min read
#NIS2 #cybersecurity #EU #compliance #incident reporting #supply chain

The NIS2 Directive (Network and Information Security Directive 2) is the EU’s most ambitious cybersecurity legislation. It replaces the original NIS Directive from 2016, dramatically expanding its scope and tightening requirements. NIS2 makes one thing clear: your cybersecurity is no longer just your problem — it’s everyone’s problem.

If a cyberattack takes down your company, the damage doesn’t stop at your door. Your customers lose service, your suppliers lose revenue, and entire sectors can be disrupted. NIS2 exists to make sure that doesn’t happen.

Who Does NIS2 Affect?

NIS2 applies to essential and important entities across 18 critical sectors. The scope is far broader than most organizations expect.

Essential Entities (Highest Requirements)

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare (hospitals, laboratories, medical device manufacturers)
  • Drinking water supply and wastewater management
  • Digital infrastructure (DNS providers, TLD registries, cloud, data centers, CDNs)
  • ICT service management (B2B — managed service providers, managed security providers)
  • Public administration (central and regional government)
  • Space

Important Entities

  • Postal and courier services
  • Waste management
  • Chemical manufacturing and distribution
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organizations

Size Thresholds

NIS2 generally applies to medium and large enterprises: organizations with 50+ employees or €10M+ annual turnover. However, some entities are in scope regardless of size — DNS providers, TLD registries, and providers of public electronic communications.

The Supply Chain Factor

Critical: NIS2 doesn’t just apply to the entities listed above. It also reaches into their supply chains. If you’re a software vendor, cloud provider, or IT service provider to an essential entity, you may face NIS2 requirements indirectly — through contractual obligations your clients impose on you.

Key Requirements

NIS2 mandates a comprehensive approach to cybersecurity:

1. Risk Management Measures

Organizations must implement appropriate technical, operational, and organizational measures to manage cybersecurity risks. At minimum:

  • Risk analysis and information system security policies
  • Incident handling procedures
  • Business continuity and crisis management
  • Supply chain security (including security aspects of supplier relationships)
  • Security in network and information system acquisition, development, and maintenance
  • Vulnerability handling and disclosure
  • Cybersecurity assessment and testing practices
  • Cryptography and encryption policies
  • Human resource security, access control, and asset management
  • Multi-factor authentication and secure communication

2. Incident Reporting

NIS2 establishes strict, multi-stage incident reporting:

Timeline and obligation:

  • 24 hours: Early warning to the competent authority — initial notification that a significant incident has occurred
  • 72 hours: Full incident notification — initial assessment, severity, impact, indicators of compromise
  • 1 month: Final report — root cause analysis, mitigation measures, cross-border impact

A “significant incident” is one that causes or could cause severe operational disruption or financial loss, or affects other natural or legal persons by causing considerable damage.
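To make the three-stage timeline concrete, here is a small deadline tracker added as an example (it is not code from the article or from Metrica.uno). It assumes the clock starts when the entity becomes aware of the incident and interprets "one month" as the same calendar day of the following month, clamped to month end; stage names are this example's own.

```python
"""NIS2 reporting-deadline tracker (added example, not from the article)."""
from calendar import monthrange
from datetime import datetime, timedelta, timezone

STAGES = ("early_warning", "incident_notification", "final_report")


def parse_utc(text: str) -> datetime:
    """Parse an ISO-8601 timestamp such as '2024-01-31T10:00' as UTC."""
    return datetime.fromisoformat(text).replace(tzinfo=timezone.utc)


def add_one_month(t: datetime) -> datetime:
    """Assumption: 'one month' = same day next month, clamped to month end."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def nis2_deadlines(aware_at: datetime) -> dict:
    """Deadlines for the 24h / 72h / 1-month stages, from awareness time."""
    return {
        "early_warning": aware_at + timedelta(hours=24),
        "incident_notification": aware_at + timedelta(hours=72),
        "final_report": add_one_month(aware_at),
    }


def late_stages(aware_at: datetime, now: datetime, submitted: dict) -> list:
    """Stages that are overdue at `now` or were submitted after their deadline.

    `submitted` maps stage name -> submission time for reports already filed.
    """
    late = []
    for stage, deadline in nis2_deadlines(aware_at).items():
        sent = submitted.get(stage)
        if (sent is None and now > deadline) or (sent is not None and sent > deadline):
            late.append(stage)
    return late


if __name__ == "__main__":
    # Constructed sample: awareness on 31 Jan 2024, so the 1-month deadline
    # lands on 29 Feb (leap year) rather than a non-existent 31 Feb.
    aware = parse_utc("2024-01-31T10:00")
    filed = {"early_warning": parse_utc("2024-01-31T20:00")}
    for stage, deadline in nis2_deadlines(aware).items():
        print(f"{stage:22s} due {deadline.isoformat()}")
    print("late:", late_stages(aware, parse_utc("2024-02-05T12:00"), filed))
```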

3. Management Accountability

This is new. NIS2 makes management bodies personally responsible for cybersecurity. Management must:

  • Approve cybersecurity risk management measures
  • Oversee their implementation
  • Undergo cybersecurity training
  • Be held liable for infringements

The CEO can no longer say “cybersecurity is IT’s problem.” Under NIS2, it’s the board’s problem.

4. Business Continuity

Organizations must have plans for:

  • Backup management and disaster recovery
  • Crisis management
  • Ensuring continuity of essential or important services during and after an incident

5. Supply Chain Security

Entities must assess and manage risks from their direct suppliers and service providers. This includes:

  • Evaluating the cybersecurity practices of suppliers
  • Including cybersecurity requirements in contracts
  • Monitoring and auditing supplier security
  • Having contingency plans for supplier failures

Why NIS2 Matters

NIS2 reflects a fundamental shift in how the EU views cybersecurity: it’s no longer a technical issue — it’s a matter of societal resilience.

  • Interconnected risk: A single compromised supplier can cascade across an entire sector. NIS2 forces organizations to think beyond their own perimeter.
  • Competitive differentiation: Organizations that demonstrate strong NIS2 compliance become preferred partners and vendors.
  • Insurance requirements: Cyber insurance providers increasingly require NIS2-level controls as a condition for coverage.
  • Overlap with other frameworks: NIS2 compliance provides a strong foundation for ISO 27001, DORA, and CRA requirements.

What Happens If You Don’t Comply

The Fines

Maximum fine by entity type:

  • Essential entities: Up to €10 million or 2% of global annual turnover (whichever is higher)
  • Important entities: Up to €7 million or 1.4% of global annual turnover (whichever is higher)

Plus: personal liability for management — including potential temporary bans from exercising management functions.

A Scenario That Keeps CISOs Awake

This is an illustrative scenario based on real attack patterns.

A SaaS company provides invoicing and payment processing to 3,000 small and medium businesses. An attacker compromises their CI/CD pipeline through a stolen developer credential and modifies the payment gateway code. For 18 hours, every customer payment is silently redirected to the attacker’s account.

€340,000 stolen in one day.

The company didn’t have:

  • An incident response plan
  • Multi-factor authentication on their development infrastructure
  • Supply chain security assessment from their clients
  • Incident detection capabilities (it took 3 days to discover)
  • Notification procedures (they never notified authorities)

Under NIS2:

  • €10 million fine on top of the financial losses
  • Personal liability for the CEO, who never approved a cybersecurity policy
  • Mandatory public disclosure of the incident
  • Regulatory supervision and mandatory remediation
  • Every one of their 3,000 clients must report the supply chain incident to their own regulators

The attacker stole €340,000. The NIS2 consequences cost 30 times more.

How to Get Started

1. Determine If You’re in Scope

Check whether your organization falls under one of the 18 NIS2 sectors and meets the size threshold. Don’t forget: if you’re a supplier to essential entities, you may be indirectly in scope.

2. Conduct a Gap Assessment

Evaluate your current cybersecurity posture against NIS2’s ten minimum security measures. Identify where you fall short — most organizations find gaps in incident reporting, supply chain security, and management accountability.

3. Establish Incident Response

Build a multi-stage incident response capability aligned with NIS2’s 24h/72h/1month timeline. Designate responsible persons, create communication templates, and run tabletop exercises.

4. Engage Your Management

NIS2 requires board-level involvement. Brief your management on their new obligations, schedule cybersecurity training, and ensure they formally approve security policies.

5. Assess Your Supply Chain

Map your critical suppliers, evaluate their security posture, and update contracts to include cybersecurity requirements. This is often the hardest and most time-consuming step — start early.

NIS2 compliance is not optional, and the clock is ticking. The organizations that start now will be ready. Those that wait will be scrambling — and paying the price.
