What is the NIS2 Directive?
A comprehensive introduction to the EU NIS2 Directive — why it was created, who it applies to, and what obligations it imposes on covered entities.
The NIS2 Directive (EU 2022/2555) is the European Union's updated legal framework for cybersecurity. It replaces the original NIS Directive of 2016 and dramatically expands the scope of organisations required to implement cybersecurity measures. NIS2 entered into force on 16 January 2023, with EU Member States required to transpose it into national law by 17 October 2024.
Transposition Deadline Passed
The deadline for EU Member States to transpose NIS2 into national law was 17 October 2024. Enforcement is now active in many jurisdictions. If you have not yet assessed your obligations, this should be your highest priority.
Why NIS2 Was Created
The original NIS Directive (2016) was the EU's first horizontal cybersecurity legislation. While it represented an important step, it had significant shortcomings. Member States implemented it inconsistently — some countries imposed strict obligations while others took a minimal approach. The scope was narrow, covering fewer than 11,000 entities across 7 sectors. Enforcement powers were limited and rarely used, and incident reporting obligations were vague. Critically, NIS1 did not address the reality of modern supply chain attacks. The NIS2 Directive was designed to correct all of these shortcomings while dramatically raising the baseline cybersecurity standard across the EU.
NIS2 at a Glance
Key facts about the NIS2 Directive

Legislative Timeline
- NIS1 Directive: original NIS Directive enters into force
- NIS2 Proposed: European Commission proposes NIS2
- NIS2 Adopted: NIS2 formally adopted and published
- Transposition Deadline: Member States must implement in national law

(Figure: NIS2 legislative journey from NIS1 to enforcement)
Core Obligations
All entities covered by NIS2 must fulfil five core categories of obligation:
- Risk management measures — implement technical and organisational measures proportionate to the risks faced (Article 21)
- Incident reporting — report significant incidents to national authorities within strict timeframes (Article 23)
- Supply chain security — assess and manage cybersecurity risks in your supply chain (Article 21(2)(d))
- Management accountability — senior management must oversee and be trained on cybersecurity (Article 20)
- Registration — register with your national competent authority and maintain up-to-date information
The 18 Covered Sectors
NIS2 organises covered sectors into two annexes with different obligations and enforcement levels:
| Annex I — Highly Critical Sectors | Annex II — Other Critical Sectors |
|---|---|
| Energy (electricity, oil, gas, hydrogen) | Postal and courier services |
| Transport (air, rail, water, road) | Waste management |
| Banking and financial markets | Manufacture of chemicals |
| Health (hospitals, labs, pharma) | Food production and distribution |
| Drinking water | Manufacturing (medical devices, electronics, machinery, vehicles) |
| Waste water | Digital providers (marketplaces, search engines, social networks) |
| Digital infrastructure (DNS, IXPs, cloud, datacentres) | Research organisations |
| ICT service management (managed services, managed security) | |
| Public administration | |
| Space | |
What NIS2 Means for Your Organisation
For organisations newly brought into scope, NIS2 represents a significant compliance programme. You will need to implement a formal risk management process, appoint responsible persons for cybersecurity, establish an incident response capability, assess your supply chain, document your security measures, and engage your board and senior management in cybersecurity governance. The Nistoo platform is designed to guide you through each of these requirements systematically.
Not Sure if You're in Scope?
Use our free NIS2 Entity Check tool to determine whether your organisation is covered by the directive and whether you would be classified as an Essential or Important Entity.
