
NIS2 Directive: The Complete Compliance Guide for European Businesses

Everything you need to know about NIS2 compliance: who it applies to, key requirements, deadlines, penalties up to EUR 10 million, and a step-by-step path to full compliance for European organizations.


The NIS2 Directive (Directive (EU) 2022/2555) is the most significant European cybersecurity legislation to date, replacing the original NIS Directive from 2016 and expanding its scope to cover approximately 160,000 entities across the EU. If your organization operates in one of 18 critical sectors and meets specific size thresholds, compliance is not optional: it is a legal obligation enforced with fines of up to EUR 10 million or 2% of global annual turnover. This guide walks you through everything you need to know to achieve and maintain compliance.

Key Takeaways

  • NIS2 applies to medium and large organizations in 18 sectors including energy, transport, health, digital infrastructure, and public administration.
  • Fines reach EUR 10 million or 2% of global turnover for essential entities, with personal liability for senior management.
  • Italy transposed NIS2 through D.Lgs. 138/2024, effective from October 2024, with full enforcement from 2026.
  • Spain transposed NIS2 through a Royal Decree-Law, with enforcement aligned to EU timelines.
  • 24-hour initial incident notification is mandatory, far stricter than the 72 hours under GDPR.

What Is the NIS2 Directive?

NIS2 (Network and Information Security Directive 2) is an EU-wide legislative framework that establishes a high common level of cybersecurity across the European Union. Adopted by the European Parliament and Council in December 2022, it entered into force on January 16, 2023, with a transposition deadline for Member States of October 17, 2024.

The directive was born out of necessity. According to the ENISA Threat Landscape 2024 report, cyberattacks against EU organizations increased by 38% between 2022 and 2024, with ransomware alone costing European businesses an estimated EUR 5.5 billion annually. The original NIS Directive, while pioneering, suffered from inconsistent implementation across Member States and a narrow scope that left many critical sectors unprotected.

Who Does NIS2 Apply To?

NIS2 significantly broadens the scope of regulated entities compared to NIS1. The directive uses a size-cap mechanism combined with sector classification to determine applicability.

Size Thresholds

Criterion            Medium Enterprise     Large Enterprise
Employees            50 to 249             250 or more
Annual Turnover      EUR 10M to EUR 50M    More than EUR 50M
Balance Sheet Total  EUR 10M to EUR 43M    More than EUR 43M

Essential Entities (Annex I Sectors)

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Health sector (hospitals, laboratories, pharmaceutical manufacturing)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLD registries, cloud computing, data centres, CDNs, trust service providers)
  • ICT service management (managed service providers, managed security service providers)
  • Public administration (central government)
  • Space

Important Entities (Annex II Sectors)

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing of medical devices, computers, electronics, machinery, and motor vehicles
  • Digital providers (online marketplaces, search engines, social networking platforms)
  • Research organizations

Key Requirements Under NIS2

Article 21 of NIS2 outlines the core cybersecurity risk-management measures that all in-scope entities must implement. These are not suggestions but legally binding requirements.

1. Risk Analysis and Information Security Policies

Organizations must conduct regular risk assessments and establish documented security policies. According to IBM's Cost of a Data Breach Report 2024, organizations with mature risk assessment programs experienced breach costs 23.4% lower than those without.

2. Incident Handling

A robust incident response capability is mandatory. NIS2 requires a tiered notification system:

  • 24 hours: Early warning to the competent authority (CSIRT)
  • 72 hours: Incident notification with initial assessment
  • 1 month: Final report with root cause analysis
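
The tiered timeline above is easier to operate when the deadlines are computed rather than remembered. The following is an added example written for this guide, not code from Orizon or from any NIS2 tooling. It assumes that the 24-hour and 72-hour clocks start when the entity becomes aware of the incident, takes the one-month clock for the final report as starting from the submission of the 72-hour incident notification (Article 23(4)(d) of the directive, which the list above does not spell out), and uses constructed sample timestamps; the names IncidentReport, tier_status, overdue_tiers and add_one_month are this example's own.

```python
"""Deadline tracker for the tiered NIS2 incident-reporting timeline (added example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting windows as listed on the page: 24 h early warning, 72 h incident notification.
EARLY_WARNING_WINDOW = timedelta(hours=24)
INCIDENT_NOTIFICATION_WINDOW = timedelta(hours=72)

ON_TIME, LATE, OVERDUE, PENDING, BLOCKED = "on time", "late", "overdue", "pending", "blocked"


def add_one_month(ts: datetime) -> datetime:
    """Advance ts by one calendar month, clamping the day when the target month is
    shorter (31 Jan -> 29 Feb in a leap year, 31 Mar -> 30 Apr)."""
    year = ts.year + ts.month // 12          # December rolls over into the next year
    month = ts.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def tier_status(due: datetime, submitted_at: datetime | None, now: datetime) -> str:
    """Classify one reporting tier against its due time."""
    if submitted_at is not None:
        return ON_TIME if submitted_at <= due else LATE
    return OVERDUE if now > due else PENDING


@dataclass
class IncidentReport:
    """A significant incident plus the reports filed so far (hypothetical structure)."""
    aware_at: datetime                                   # moment the entity became aware
    submitted: dict[str, datetime] = field(default_factory=dict)  # tier name -> filing time

    def status(self, now: datetime) -> dict[str, dict]:
        """Per tier: the due time and whether it was met, is pending, or is overdue."""
        early_due = self.aware_at + EARLY_WARNING_WINDOW
        notif_due = self.aware_at + INCIDENT_NOTIFICATION_WINDOW
        notif_at = self.submitted.get("incident_notification")
        result = {
            "early_warning": {
                "due": early_due,
                "status": tier_status(early_due, self.submitted.get("early_warning"), now),
            },
            "incident_notification": {
                "due": notif_due,
                "status": tier_status(notif_due, notif_at, now),
            },
        }
        # Assumption (Article 23(4)(d)): the one-month clock for the final report starts
        # when the 72-hour incident notification is actually submitted, so until then
        # no final-report deadline exists and the tier is reported as blocked.
        if notif_at is None:
            result["final_report"] = {"due": None, "status": BLOCKED}
        else:
            final_due = add_one_month(notif_at)
            result["final_report"] = {
                "due": final_due,
                "status": tier_status(final_due, self.submitted.get("final_report"), now),
            }
        return result


def overdue_tiers(report: IncidentReport, now: datetime) -> list[str]:
    """Tiers that were filed late or are past due; a natural alerting hook for a SOC."""
    return [tier for tier, info in report.status(now).items() if info["status"] in (LATE, OVERDUE)]


# Constructed sample data: aware on 30 Jan 2024, early warning one hour late,
# incident notification on time, final report not yet filed as of 5 Mar 2024.
_UTC = timezone.utc
SAMPLE_REPORT = IncidentReport(
    aware_at=datetime(2024, 1, 30, 8, 0, tzinfo=_UTC),
    submitted={
        "early_warning": datetime(2024, 1, 31, 9, 0, tzinfo=_UTC),
        "incident_notification": datetime(2024, 1, 31, 16, 0, tzinfo=_UTC),
    },
)
SAMPLE_NOW = datetime(2024, 3, 5, 9, 0, tzinfo=_UTC)

if __name__ == "__main__":
    for tier, info in SAMPLE_REPORT.status(SAMPLE_NOW).items():
        print(f"{tier:22s} due={info['due']} status={info['status']}")
    print("needs attention:", overdue_tiers(SAMPLE_REPORT, SAMPLE_NOW))
```

Two details matter in practice: the final-report deadline is a calendar month rather than 30 days, so a notification submitted on 31 January falls due on 28 or 29 February, and the final report has no deadline at all until the 72-hour notification has gone out, which is why the tracker reports it as blocked rather than silently computing one.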

3. Business Continuity and Crisis Management

This includes backup management, disaster recovery planning, and crisis response procedures. The Verizon DBIR 2024 found that 32% of breached organizations lacked adequate business continuity plans, resulting in 2.7x longer recovery times.

4. Supply Chain Security

Organizations must address cybersecurity risks in their relationships with direct suppliers and service providers. This is a major expansion from NIS1 and reflects the growing threat of supply chain attacks, which increased by 26% according to ENISA data.

5. Security in Network and Information Systems

This covers acquisition, development, and maintenance of systems, including vulnerability handling and disclosure.

6. Cybersecurity Risk Assessment Effectiveness

Organizations must implement policies and procedures to assess the effectiveness of their cybersecurity risk-management measures, including regular audits and penetration testing.

7. Cryptography and Encryption

Policies for the use of cryptography and encryption must be in place to protect data in transit and at rest.

8. Human Resources Security

Access control policies, asset management, and cybersecurity training for all employees are required.

9. Multi-Factor Authentication

The use of multi-factor authentication (MFA), continuous authentication solutions, and secured communication systems is mandated where appropriate.

10. Management Body Accountability

Senior management must approve cybersecurity measures, oversee their implementation, and can be held personally liable for non-compliance. Board members must undergo cybersecurity training.

NIS2 Transposition: Italy (D.Lgs. 138/2024)

Italy transposed NIS2 through Decreto Legislativo 138/2024, published in the Gazzetta Ufficiale on October 1, 2024. The Italian implementation is overseen by the Agenzia per la Cybersicurezza Nazionale (ACN), which serves as the national competent authority and CSIRT.

Key aspects of the Italian transposition:

  • Registration requirement: All in-scope entities must register on the ACN digital platform by January 2025.
  • Self-assessment: Entities must determine whether they qualify as essential or important and communicate this to ACN.
  • Sector-specific guidelines: ACN has published additional technical guidelines for critical sectors including energy and healthcare.
  • Enforcement timeline: While the decree entered into force in October 2024, full enforcement with penalties begins from 2026, giving organizations a transition period.
  • Integration with national framework: D.Lgs. 138/2024 integrates with Italy's existing cybersecurity perimeter (Perimetro di Sicurezza Nazionale Cibernetica).

NIS2 Transposition: Spain

Spain transposed NIS2 through its national legislative process, with the Centro Criptológico Nacional (CCN-CERT) and INCIBE serving as key implementation bodies. Spain's approach builds upon its existing National Security Framework (Esquema Nacional de Seguridad, ENS).

  • CCN-CERT handles incidents affecting public sector entities and essential service operators.
  • INCIBE-CERT handles incidents affecting private sector entities and citizens.
  • Alignment with ENS: Organizations already compliant with ENS have a head start, as many NIS2 requirements overlap with ENS controls.
  • Sectoral CSIRTs: Spain has established sector-specific CSIRTs for financial services, energy, and transport.

Penalties Overview

NIS2 introduces a two-tiered penalty structure that mirrors the approach of GDPR:

Entity Type         Maximum Fine      Revenue-Based Cap
Essential Entities  EUR 10,000,000    2% of global annual turnover
Important Entities  EUR 7,000,000     1.4% of global annual turnover

Critically, NIS2 also introduces personal liability for management bodies. Under Article 20, senior management who fail to approve and oversee cybersecurity measures can face individual sanctions, including temporary bans from exercising management functions. This represents a major departure from previous EU cybersecurity legislation.

For a detailed breakdown of penalties and enforcement, see our article on NIS2 penalties and sanctions.

Steps to Achieve NIS2 Compliance

Achieving compliance requires a structured, phased approach. Here is a high-level roadmap:

  1. Determine applicability: Assess whether your organization falls within scope based on sector and size thresholds.
  2. Classify your entity: Determine whether you are an essential or important entity, as this affects both obligations and penalties.
  3. Conduct a gap analysis: Compare your current cybersecurity posture against NIS2 requirements to identify areas of non-compliance.
  4. Establish governance: Ensure senior management accountability and appoint a CISO or equivalent role.
  5. Implement risk management measures: Address all 10 categories of security measures outlined in Article 21.
  6. Set up incident response: Build the capability to detect, respond to, and report incidents within the 24/72-hour timelines.
  7. Address supply chain security: Assess and manage the cybersecurity risks posed by your suppliers and service providers.
  8. Register with the national authority: Complete registration with ACN (Italy), CCN-CERT/INCIBE (Spain), or your relevant national authority.
  9. Train your workforce: Implement ongoing cybersecurity awareness training for all employees and specialized training for the management body.
  10. Monitor and improve continuously: NIS2 compliance is not a one-time project but an ongoing programme of assessment and improvement.

For a detailed, actionable checklist, read our 14-step NIS2 implementation checklist.

How Orizon Can Help

Navigating NIS2 compliance can be complex, especially for organizations that are newly in scope. Orizon's NIS2 compliance solutions provide end-to-end support, from initial gap analysis and risk assessment through implementation to ongoing monitoring and audit preparation. Our team of certified professionals understands the specific requirements of the Italian and Spanish transpositions and can guide your organization to full compliance efficiently and effectively.

Frequently Asked Questions

When does NIS2 become enforceable?

NIS2 entered into force on January 16, 2023, with a transposition deadline of October 17, 2024. Most Member States, including Italy, have transposed the directive into national law. Enforcement with full penalties is expected from 2026 onward, depending on the Member State.

Does NIS2 apply to small businesses?

Generally, NIS2 applies to medium and large enterprises. However, some entities are in scope regardless of size, including DNS service providers, TLD registries, trust service providers, and entities identified as critical by Member States.

How does NIS2 differ from the original NIS Directive?

NIS2 dramatically expands the scope from approximately 10,000 to 160,000 entities, introduces stricter incident reporting timelines (24 hours vs. no fixed timeline), adds personal liability for management, increases maximum fines, and mandates supply chain security measures.

Can I be fined under both NIS2 and GDPR?

Yes. If a cybersecurity incident also involves a personal data breach, organizations may face penalties under both NIS2 and GDPR. However, Article 35 of NIS2 provides that fines imposed under GDPR for the same incident should be taken into account to avoid double punishment.

How Orizon Helps with NIS2

Requirement          Orizon Solution
Risk Management      RECON + Oversight
Incident Handling    Oversight SOC 24/7
Security Testing     Fireline Pentest
Security Awareness   Aware Platform