EU NIS2 Directive
NIS2 compliance, without the jargon
NIS2 widens EU cybersecurity rules to thousands more organisations — with real security measures, tight incident-reporting deadlines and personal accountability for management. Find out if you are in scope and how ready you are.
- Based on Directive (EU) 2022/2555
- Vendor-neutral
- Updated 2026
What is NIS2
Europe’s baseline for cybersecurity, dramatically widened
NIS2 is an EU directive that raises and harmonises cybersecurity requirements across far more sectors and organisations than the original NIS rules.
The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s framework for a high common level of cybersecurity. It replaces the original 2016 NIS directive and greatly expands who must comply — covering essential and important entities across around 18 sectors.
In-scope organisations must adopt a defined set of risk-management security measures (Article 21), report significant incidents on a strict timeline (Article 23), register with authorities, and manage supply-chain risk. Crucially, management bodies must approve and oversee these measures — and can be held personally accountable (Article 20).
It is transposed into national law by each member state, so the exact obligations and supervisor differ by country — but the core requirements are common across the EU.
The essentials
What NIS2 actually requires
Four pillars that define your obligations under the directive.
- SCOPE
Wider scope
NIS2 covers essential and important entities across around 18 sectors, generally from medium size upward — far more organisations than the original NIS directive.
- MEASURES
Ten security measures
Article 21 sets a baseline of risk-management measures: risk analysis, incident handling, backups, supply-chain security, encryption, access control, MFA and more.
- LIABILITY
Management accountability
Under Article 20, management bodies must approve and oversee the cybersecurity measures, undergo training, and can be held liable for failures.
- REPORTING
Fast incident reporting
Significant incidents trigger a strict timeline: an early warning within 24 hours, a fuller notification within 72 hours, and a final report within one month.
Are you in scope
Essential, important — or out of scope?
NIS2 classifies in-scope organisations into two tiers, mostly by sector and size. Broadly:
- Essential
Essential entities
Larger organisations in high-criticality sectors — energy, transport, banking, health, water, digital infrastructure and more. Subject to proactive supervision.
Category: High-criticality sectors (Annex I), generally large entities.
- Important
Important entities
Organisations in other critical sectors — postal, waste, chemicals, food, manufacturing, digital providers, research. Subject to reactive supervision.
Category: Other critical sectors (Annex II) and medium-sized entities.
- Size rule
The size threshold
Generally, medium-sized organisations and above (roughly 50+ staff or €10M+ turnover) in covered sectors are in scope — with exceptions.
Category: Some entities are in scope regardless of size.
- Check
Not sure?
Sector, size and national transposition all matter, and some smaller entities are still caught. If in doubt, verify your status rather than assume you are out.
Category: National rules can extend scope — confirm your status.
Free readiness check
How ready are you for NIS2?
Rate your organisation against the ten Article 21 security measures. The score, band and gaps update live — nothing is sent anywhere.
- Risk analysis & information security policies Art. 21(2)(a)
- Incident handling Art. 21(2)(b)
- Business continuity, backups & crisis management Art. 21(2)(c)
- Supply-chain security Art. 21(2)(d)
- Secure acquisition, development & vulnerability handling Art. 21(2)(e)
- Testing the effectiveness of measures Art. 21(2)(f)
- Cyber hygiene & security training Art. 21(2)(g)
- Cryptography & encryption Art. 21(2)(h)
- Access control & asset management Art. 21(2)(i)
- Multi-factor authentication & secure communications Art. 21(2)(j)
Significant gaps
Several core measures are missing. Prioritise the fundamentals — risk assessment, incident handling, backups and access control — and build a plan against all ten measures.
Partly there
A foundation exists but with real gaps. Close the partial and missing measures, and document what you have — NIS2 expects evidence, not intentions.
Most measures in place
You cover most of Article 21. Tackle the remaining gaps, test the effectiveness of your measures, and make sure management oversight and reporting processes are documented.
Strong coverage
You report strong coverage of the measures. Keep it current, evidence it, rehearse incident reporting, and validate with an independent assessment.
A self-assessment aid, not a formal audit or legal advice. Exact obligations depend on your sector, size and national transposition of NIS2.
The facts
NIS2 at a glance
A directive that is in force, broad in scope, and backed by real penalties.
Each figure links to its primary source. Exact obligations depend on national transposition; confirm your status with a qualified adviser.
Get compliant
From "are we in scope?" to audit-ready
NIS2 is not a one-off project — it is an ongoing, evidenced risk-management programme that management must own.
Under Article 20 of NIS2, the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, follow training — and can be held liable for infringements.
-
Confirm scope and register
Determine whether you are an essential or important entity, and meet any national registration requirements.
-
Close the Article 21 gaps
Assess your coverage of the ten security measures, then remediate the gaps — with documentation, not just intentions.
-
Rehearse incident reporting
The 24-hour clock starts at awareness. Build and practise the process to detect, decide and report in time.
-
Prove it with testing
NIS2 expects you to test the effectiveness of your measures. Independent assessment and penetration testing provide that evidence.
Guides
Go deeper
Plain-English guides to NIS2 scope, the security measures, and reaching compliance.
-
NIS2 scope: is your organisation in scope?
NIS2 covers essential and important entities across ~18 sectors, mostly from medium size upward. Here is how to tell if it applies to you.
Read guide -
The NIS2 security measures: Article 21 explained
Article 21 sets ten baseline risk-management measures every in-scope entity must implement. Here is what each one means.
Read guide -
NIS2 compliance checklist: a practical path to audit-ready
A step-by-step checklist to move from "are we in scope?" to an evidenced, audit-ready NIS2 programme.
Read guide
Frequently asked questions
Short, clear answers
What is the NIS2 Directive?
NIS2 (Directive (EU) 2022/2555) is the EU’s cybersecurity directive for essential and important entities. It widens scope, sets baseline security measures, mandates incident reporting and makes management accountable. It replaced the original 2016 NIS directive.
Who does NIS2 apply to?
Essential and important entities across roughly 18 sectors — energy, transport, health, banking, water, digital infrastructure, manufacturing, food, waste and more — generally from medium size upward, though some entities are in scope regardless of size. Check who is in scope →
What security measures does NIS2 require?
Article 21 lists ten baseline measures, including risk analysis, incident handling, business continuity and backups, supply-chain security, encryption, access control and multi-factor authentication. See all ten measures →
What are the NIS2 incident-reporting deadlines?
For a significant incident: an early warning within 24 hours of becoming aware, a fuller notification within 72 hours, and a final report within one month.
Can management be held personally liable under NIS2?
Yes. Article 20 requires management bodies to approve and oversee the cybersecurity measures and follow training, and provides that they can be held liable for infringements.
What are the penalties for non-compliance?
For essential entities, fines can reach up to €10 million or 2% of global annual turnover, whichever is higher; for important entities, up to €7 million or 1.4%. Authorities also have supervisory and enforcement powers.
How do we become NIS2 compliant?
Confirm your scope, assess your coverage of the Article 21 measures, close the gaps with documented controls, set up incident reporting, ensure management oversight, and validate with testing. Follow the checklist →