For CISOs, security leaders, and compliance teams
NIS2 Directive Compliance Made Manageable
Turn NIS2 obligations into assigned controls, linked evidence, and board-visible progress across risk management, incidents, supplier governance, and oversight duties.
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation, replacing the original NIS Directive from 2016. It establishes a high common level of cybersecurity across the European Union, significantly expanding the scope from roughly 10,000 entities under NIS1 to over 160,000 under NIS2.
NIS2 introduces stricter requirements for risk management, incident reporting, supply chain security, and governance, including personal accountability for management bodies. Member States were required to transpose the directive into national law by October 2024.
Timeline and Compliance Milestones
The NIS2 Directive was adopted in December 2022 with a 21-month transposition period. The October 17, 2024 transposition deadline has passed, while national implementation and enforcement remain uneven across Member States. Use this timeline to benchmark urgency and sequence readiness activities.
- European Commission proposes the NIS2 Directive to replace the original NIS Directive from 2016
- Directive adopted and published in the Official Journal; 21-month transposition period begins
- Transposition deadline for all 27 Member States to adopt national laws; NIS1 repealed
- Deadline for Member States to identify and compile lists of essential and important entities
- European Commission issues reasoned opinions to 19 Member States for not notifying full transposition after the October 2024 deadline
- First Commission review of NIS2 functioning and effectiveness (Article 40)
Who is Subject to NIS2?
NIS2 uses a size-cap rule combined with sector classification for most entities. Certain digital and ICT service providers can also be in scope even when not established in the EU.
The Size-Cap Rule (Article 2)
Organizations in covered sectors are in scope if they meet either threshold:
Size doesn't matter for some. Article 2(2) lists exceptions where entities are in scope regardless of size, including DNS service providers, TLD name registries, trust service providers, and certain public electronic communications entities.
Essential Entities — Annex I
Stricter supervision, higher penalties (€10M / 2%)
- Energy
- Transport
- Banking
- Financial market infrastructure
- Health
- Drinking water
- Waste water
- Digital infrastructure
- ICT service management (B2B)
- Public administration
- Space
Important Entities — Annex II
Lighter supervision, lower penalties (€7M / 1.4%)
- Postal and courier services
- Waste management
- Chemicals
- Food production & distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (marketplaces, search engines, social networks)
- Research organisations
Article 26 Jurisdiction for Certain Non-EU Providers
Article 26 applies to specific non-EU digital and ICT providers listed in Article 26(1)(b), such as cloud computing, managed services, and online marketplace/search/social network providers that offer services in the EU. These entities must designate a representative in one Member State where services are offered.
Example: A US-based cloud provider serving EU customers can fall within Article 26 jurisdiction even without an EU office. It must appoint an EU representative and comply with NIS2 obligations that apply to its service category.
10 Mandatory Cybersecurity Measures
Article 21(2) of NIS2 prescribes 10 minimum cybersecurity risk-management measures that both Essential and Important entities must implement.
Risk Analysis & Security Policies
Establish and maintain comprehensive risk analysis and information system security policies.
Incident Handling
Prevention, detection, analysis, containment, response, and recovery from security incidents.
Business Continuity
Backup management, disaster recovery, and crisis management procedures.
Supply Chain Security
Assess and manage security risks from direct suppliers and service providers.
Secure Development & Vulnerability Handling
Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure where appropriate.
Effectiveness Assessment
Policies and procedures to regularly assess the effectiveness of cybersecurity measures.
Cyber Hygiene & Training
Basic cyber hygiene practices and mandatory cybersecurity training for all staff.
Cryptography & Encryption
Policies governing the use of cryptography and encryption where applicable.
Access Control & HR Security
Human resources security, access control policies, and comprehensive asset management.
Multi-Factor Authentication
Multi-factor or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems.
Incident Reporting Timeline
NIS2 introduces strict incident reporting obligations under Article 23. Organizations must report significant incidents in three stages.
Early Warning
Submit an early warning to the CSIRT or competent authority without undue delay.
Incident Notification
Provide an initial assessment including severity, impact, and indicators of compromise.
Final Report
Deliver a detailed description with root cause analysis and mitigation measures applied.
Penalties for Non-Compliance
NIS2 introduces significant financial penalties and personal liability for management bodies.
Essential Entities
Energy, transport, banking, health, digital infrastructure, and other sectors of high criticality. Subject to proactive supervision.
Important Entities
Manufacturing, food, chemicals, postal services, digital providers, and research. Subject to reactive supervision.
Management body members can be held personally liable and temporarily banned from exercising managerial functions in cases of gross negligence.
How Modulos Helps with NIS2 Compliance
Modulos gives compliance and security teams one workflow for requirements, controls, evidence, reviews, and exports. This helps you move faster from legal text to operational execution with clearer ownership and stronger auditability.
Translate NIS2 obligations into structured requirements and mapped controls so teams know exactly what needs to be done and by whom.
FAQ about NIS2
The NIS2 Directive (EU 2022/2555) is the EU's updated cybersecurity legislation that replaces the original NIS Directive from 2016. It establishes a high common level of cybersecurity across the Union, covering 18 sectors and over 160,000 entities.
NIS2 primarily applies to medium and large entities operating in Annex I and Annex II sectors. Certain entities are in scope regardless of size, including DNS service providers, TLD name registries, trust service providers, and specific digital and ICT service providers listed in the directive.
Essential entities face fines of up to €10 million or 2% of worldwide annual turnover (whichever is higher). Important entities face fines of up to €7 million or 1.4% of worldwide annual turnover. Additionally, management body members can be held personally liable and temporarily banned from exercising managerial functions.
DORA (Digital Operational Resilience Act) is considered lex specialis to NIS2 for financial sector entities. This means DORA takes precedence over NIS2 for ICT risk management and incident reporting in the financial sector, while NIS2's broader governance and supply chain requirements may still apply.
NIS2 requires a three-stage reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification with initial assessment within 72 hours, and a final report with root cause analysis within one month.
Article 20 of NIS2 mandates that management bodies must approve and oversee cybersecurity risk-management measures. Board members must undergo regular cybersecurity training and can be held personally liable for compliance failures, including temporary bans from exercising managerial functions in cases of gross negligence.
Modulos helps teams structure NIS2 work from obligations to controls, evidence, reviews, and exports. This supports traceable implementation, reusable controls where requirements overlap, and audit-ready documentation for supervisory reviews.
Need a Practical NIS2 Rollout Plan?
In a live walkthrough, see how to structure obligations, assign owners, and prepare audit-ready evidence without duplicating work.
