NIS2 Directive
Directive (EU) 2022/2555 — Measures for a High Common Level of Cybersecurity Across the Union
Introduction
The NIS2 Directive (Network and Information Security Directive 2) is EU-wide cybersecurity legislation that establishes a high common level of cybersecurity across all member states. Adopted in November 2022 with a transposition deadline of October 2024, it significantly expands the scope of the original NIS Directive to cover 18 critical sectors and an estimated 160,000+ entities.
NIS2 introduces stricter requirements including management accountability, harmonized incident reporting timelines, and substantial penalties for non-compliance. It represents the EU’s most comprehensive cybersecurity legislation, mandating baseline security measures and creating a cooperative framework through CSIRTs and the EU Cybersecurity Agency (ENISA).
Expanded Scope
Covers 18 critical sectors and an estimated 160,000+ entities across the EU — significantly broader than the original NIS Directive, including digital infrastructure, public administration, and space.
Management Accountability
Holds management bodies personally liable for cybersecurity compliance. Executives can face temporary bans from management positions for repeated violations involving gross negligence.
Incident Reporting
Mandates early warning to national CSIRT within 24 hours of becoming aware of a significant incident, full notification within 72 hours, and a final report within one month.
Key Requirements
- Risk management measures covering at least 10 domains
- Supply chain security and vulnerability management
- Incident reporting within 24/72-hour timelines
- Management body training and accountability
- Use of encryption and multi-factor authentication
- Business continuity and crisis management plans
- Cybersecurity risk assessment and policies
- Essential vs. important entity classification
Who Needs to Comply?
Medium-sized and large organizations (50+ employees or EUR 10M+ turnover) in 18 critical sectors across EU member states, classified as either essential or important entities. Also applies to certain smaller entities providing critical services.
Key Requirements
Cybersecurity Risk Management
Implement appropriate and proportionate technical, operational, and organizational measures to manage cybersecurity risks. Measures must cover at least 10 domains including incident handling, supply chain, and cryptography.
Incident Reporting Obligations
Report significant incidents to the national CSIRT or competent authority: early warning within 24 hours, incident notification within 72 hours, and a final report within one month including root cause analysis.
Supply Chain Security
Assess and address cybersecurity risks in supply chains and supplier relationships. Consider the vulnerabilities of each direct supplier and the overall quality of their security practices.
Management Body Obligations
Management bodies must approve cybersecurity measures, oversee implementation, and undergo regular cybersecurity training. They can be held personally liable for infringements.
Registration & Cooperation
Entities must register with the relevant national authorities, cooperate with CSIRTs and competent authorities during incidents, and share relevant threat intelligence.
Penalties & Enforcement
Essential entities face fines up to EUR 10 million or 2% of global annual turnover. Important entities face fines up to EUR 7 million or 1.4% of global annual turnover. Management can be held personally liable, with potential temporary bans from holding management positions.