NIS2 vs NIS1: What Changed and Why It Matters

The Nistoo Team
20 April 2024

A comprehensive comparison of what changed between the original NIS Directive and NIS2 — covering scope, sectors, fines, enforcement, and new obligations that did not exist under NIS1.

The NIS2 Directive (Directive (EU) 2022/2555) is not merely an update to its predecessor, Directive (EU) 2016/1148 (NIS1). It is a fundamental reconstruction of the EU's cybersecurity framework. The original NIS Directive of 2016 established important principles, but the Commission's own review found its implementation across Member States to be inconsistent and insufficient. Understanding what changed helps organisations see why NIS2 compliance requires a substantially greater effort than NIS1 ever did.

Scope Expansion: From 11,000 to 160,000+ Entities

The most striking difference between NIS1 and NIS2 is the dramatic expansion of scope. The original NIS Directive applied to an estimated 11,000 operators of essential services across 7 sectors, and Member States had considerable discretion in identifying which specific entities were covered (NIS1 Article 5). NIS2 replaces this designation model with a size-based rule (Article 2(1)): all medium-sized and large enterprises operating in an Annex I or Annex II sector are in scope by operation of law, with no national designation step. A limited set of entities is covered regardless of size (Article 2(2)), for example sole providers of a service essential to society, DNS service providers and TLD name registries, and public administration entities. The Commission estimates that approximately 160,000 entities across the EU are now subject to binding cybersecurity obligations, a more than 14-fold increase. NIS2 also adds sectors that NIS1 never covered, including wastewater, space, ICT service management (managed service providers and managed security service providers), public administration at central and regional level, postal and courier services, waste management, chemicals, food, manufacturing, and research. Note that digital providers are not entirely new: NIS1 already covered online marketplaces, online search engines and cloud computing services as digital service providers; NIS2 moves them into Annex II and adds social networking platforms.

| Aspect | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Entities covered | ~11,000 designated OES | ~160,000+ by operation of law |
| Sectors covered | 7 (energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure) | 18 (Annex I: 11 sectors, Annex II: 7 sectors) |
| Who is covered | Designated by Member States | All medium-sized and large enterprises in scope sectors (plus certain entities regardless of size) |
| Maximum fine | Set nationally (around €1M in some Member States); very inconsistent | At least €10M or 2% of worldwide annual turnover (essential entities); at least €7M or 1.4% (important entities) |
| Supply chain obligations | Not explicitly addressed | Explicit requirement in Article 21(2)(d) |
| Management accountability | Not addressed | Article 20: management bodies approve and oversee measures and can be held liable |
| Incident reporting timeline | "Without undue delay"; national deadlines varied | 24h early warning + 72h notification + final report within one month |
| Enforcement harmonisation | Very low; major divergence between Member States | Minimum levels for maximum fines and harmonised supervisory powers |
| Proactive supervision | Minimal, mostly ex post | Essential entities subject to ex ante and ex post supervision (Article 32); important entities ex post only (Article 33) |
| Sector-specific rules | No coordination | NIS2 defines its relationship with sector-specific acts such as DORA, and with the CER Directive |

Supply Chain: From Silence to Explicit Obligation

The original NIS Directive did not explicitly address supply chain security. Some Member States included supply chain considerations in national guidance, but there was no uniform obligation. NIS2 Article 21(2)(d) makes supply chain security an explicit and mandatory element of the risk-management measures, including the security-related aspects of the relationships between an entity and its direct suppliers and service providers. Entities are expected to take into account the vulnerabilities specific to each supplier and the overall quality of their products and cybersecurity practices, including secure development procedures (Article 21(3)). In addition, Article 22 allows the Cooperation Group, together with the Commission and ENISA, to carry out coordinated security risk assessments of specific critical supply chains at EU level. The change reflects the lessons of major supply chain attacks such as SolarWinds (2020) and Kaseya (2021), which demonstrated the catastrophic potential of unmanaged supply chain risk.

Management Accountability: A Fundamental Shift

NIS1 placed obligations on organisations as legal entities. It did not address the personal responsibility of individual board members or executives. NIS2 Article 20 changes this: the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and can be held liable for infringements (Article 20(1)); their members must also follow training, and the entity is encouraged to offer similar training to employees (Article 20(2)). For essential entities, supervisory authorities may temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions (Article 32(5)(b)), as a measure of last resort when an entity fails to comply with enforcement orders. This fundamentally alters the incentive structure for cybersecurity governance.

Incident Reporting: Stricter and More Structured

Under NIS1, the requirement was to notify incidents "without undue delay", with the actual deadline and the content of notifications left to Member States, so both varied enormously. NIS2 Article 23 introduces a three-stage reporting structure for significant incidents, with specific content at each stage: an early warning within 24 hours of becoming aware of the incident (indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact); an incident notification within 72 hours (an initial assessment of severity and impact, with indicators of compromise where available); and a final report no later than one month after that notification (a detailed description, the type of threat or root cause, the mitigation applied, and any cross-border impact). Authorities may also request intermediate status updates. This structured approach removes ambiguity and ensures authorities receive consistent, actionable information.

Enforcement Harmonisation

One of the most serious criticisms of NIS1 was the extreme divergence in how Member States implemented and enforced it. Some countries imposed significant fines and conducted proactive supervision; others took a minimal approach with minimal enforcement. NIS2 addresses this in several ways: a floor on the maximum administrative fines that national law must provide (Article 34), a common catalogue of supervisory and enforcement measures that authorities must be able to take, such as inspections, audits, binding instructions and orders to inform affected customers (Articles 32 and 33), and a clear split between ex ante supervision of essential entities and ex post supervision of important entities. Cooperation mechanisms are strengthened too: the NIS Cooperation Group and the CSIRTs network, both created under NIS1, continue with a wider mandate, and NIS2 adds EU-CyCLONe (Article 16), a network of national cyber crisis management authorities for coordinating the response to large-scale incidents.

Already Compliant with NIS1? You Still Have Work to Do

If your organisation was already compliant with the original NIS Directive, NIS2 still requires substantial additional work. Supply chain security, management training and accountability, the three-stage reporting structure, and the expanded list of security measures under Article 21 (which includes, among others, multi-factor authentication, cryptography and encryption policies, backup and business continuity, and vulnerability handling) all go well beyond NIS1 requirements. Do not assume NIS1 compliance is sufficient: conduct a fresh gap analysis against NIS2.

#nis1 #nis2 #comparison #changes #scope #history #overview