The NIS2 Compliance Guide for European Organizations
Executive Summary
The NIS2 Directive (Directive (EU) 2022/2555) is the most significant European cybersecurity legislation to date. It replaces the original 2016 NIS Directive and expands the regulated population from roughly 10,000 to an estimated 160,000 entities across the Union. For in-scope organizations, compliance is not optional — it is a legally enforceable obligation backed by fines of up to EUR 10 million or 2% of global annual turnover, plus personal liability for senior management.
Key takeaways
- NIS2 applies to medium and large organizations in 18 critical sectors, grouped into Essential and Important Entities with different obligations and penalty ceilings.
- Italy transposed NIS2 through Decreto Legislativo 138/2024, effective October 2024, with full enforcement of sanctions from 2026. Spain has aligned its transposition with EU timelines.
- Article 21 mandates ten categories of cybersecurity risk management measures, from encryption and MFA to supply-chain security and business continuity.
- Incident reporting follows a tiered timeline: 24-hour early warning, 72-hour incident notification, and a 1-month final report — significantly stricter than GDPR.
- Senior management is personally accountable for approving and overseeing cybersecurity measures. Board members must undergo cybersecurity training.
Who should read this guide
- CISOs and security leaders who need a consolidated reference for NIS2 scope, measures, and timelines.
- DPOs and compliance officers mapping NIS2 obligations against existing GDPR, ISO 27001 and sectoral frameworks.
- CIOs and IT directors planning the technical roadmap and budget required to close NIS2 gaps.
- Executive boards and management bodies responsible for approving the cybersecurity programme and accepting personal liability.
What Is the NIS2 Directive?
NIS2 — the Network and Information Security Directive 2 — is an EU-wide legislative framework that establishes a high common level of cybersecurity across the European Union. It was adopted by the European Parliament and Council in December 2022, entered into force on 16 January 2023, and had a Member State transposition deadline of 17 October 2024.
The directive was born out of necessity. Cyberattacks against EU organizations increased sharply between 2022 and 2024, with ransomware alone costing European businesses billions annually. The original NIS Directive, while pioneering, suffered from inconsistent implementation across Member States and a narrow scope that left many critical sectors unprotected.
NIS2 addresses these gaps through four main changes: broader sectoral coverage, harmonized minimum security measures, stricter incident reporting, and — crucially — direct accountability for management bodies. The directive also introduces supervisory powers for national authorities, including on-site inspections, ad-hoc audits, and the ability to suspend executive functions of non-compliant leaders.
Key dates:
- 16 Jan 2023: NIS2 enters into force EU-wide.
- 17 Oct 2024: transposition deadline for Member States.
- Oct 2024: Italy transposes via D.Lgs. 138/2024.
- 2026: full enforcement of sanctions in most Member States.
Who Does NIS2 Apply To? — Size Thresholds
NIS2 uses a size-cap mechanism combined with sector classification to determine applicability. The directive applies, by default, to all medium-sized and large entities operating in any of the 18 covered sectors. Size is determined using the standard EU SME definition from Recommendation 2003/361/EC.
| Criterion | Medium Enterprise | Large Enterprise |
|---|---|---|
| Employees | 50 to 249 | 250 or more |
| Annual Turnover | EUR 10M to EUR 50M | More than EUR 50M |
| Balance Sheet Total | EUR 10M to EUR 43M | More than EUR 43M |
Size-cap exceptions: some entities fall in scope regardless of size — including DNS service providers, TLD name registries, trust service providers, qualified providers of electronic communication services, and any organization identified by Member States as a critical entity under the CER Directive. Public administrations at central level are always in scope; regional and local entities may be designated by Member States.
Essential Entities (Annex I)
Essential Entities face the strictest oversight, the highest penalty ceiling, and proactive ex-ante supervision by the competent authority. They operate in sectors whose disruption would have systemic consequences across the single market.
Essential Entities are subject to supervisory powers that include unannounced on-site inspections, mandatory security audits, and direct intervention by national authorities. Maximum administrative fine: EUR 10 million or 2% of global annual turnover — whichever is higher.
Important Entities (Annex II)
Important Entities face a lower penalty ceiling and ex-post supervision: authorities generally act after receiving evidence of a breach or an incident, rather than inspecting proactively. Obligations under Article 21 — the ten risk-management measures — are otherwise identical to those for Essential Entities.
Maximum administrative fine for Important Entities: EUR 7 million or 1.4% of global annual turnover — whichever is higher. In both categories, the management body is personally accountable for approving the cybersecurity programme.
Article 21: Cybersecurity Risk Management Measures (1-5)
Article 21 of NIS2 mandates that in-scope entities take "appropriate and proportionate technical, operational and organizational measures" to manage cybersecurity risks. The directive lists ten categories of measures that must be addressed. These are not suggestions — they are legally binding minimum requirements, and failure to implement them is a direct violation exposing the entity and its management to sanctions.
1. Risk analysis and security policies: documented risk assessment methodology applied to all information systems, with written security policies approved by the management body and reviewed at planned intervals.
2. Incident handling: documented procedures for detecting, analysing, containing, eradicating and recovering from cybersecurity incidents, including mandatory reporting within the 24h/72h/1-month timelines covered later in this guide.
3. Business continuity and crisis management: backup management and restoration procedures, disaster recovery plans, and crisis management arrangements, tested regularly and aligned with business impact analysis outcomes.
4. Supply chain security: cybersecurity risk management in relationships with direct suppliers and service providers, including assessment of their security posture and contractual security requirements.
5. Secure acquisition, development and maintenance: security requirements integrated into procurement, SDLC and change management, covering vulnerability handling and coordinated disclosure for products and services.
Article 21: Cybersecurity Risk Management Measures (6-10)
6. Effectiveness assessment: policies and procedures to assess the effectiveness of cybersecurity risk management measures, including regular audits, penetration testing and technical reviews.
7. Cyber hygiene and training: basic cyber hygiene practices (strong authentication, patching, secure configuration, phishing resistance) plus ongoing cybersecurity training for all personnel, including the management body.
8. Cryptography and encryption: policies and procedures regarding the use of cryptography and, where appropriate, encryption, protecting data at rest, in transit and in use.
9. Human resources security, access control and asset management: vetting, onboarding and offboarding processes; role-based access control; inventory and classification of assets including hardware, software and data.
10. Authentication and secured communications: use of MFA or continuous authentication solutions; secured voice, video and text communications; secured emergency communication systems within the entity, where appropriate.
Article 21 requires measures to be "appropriate and proportionate" to the risks faced. Proportionality is determined by the state of the art, implementation cost, and the entity's exposure, size and likelihood of incidents. It is not a loophole: national authorities are explicitly empowered to challenge an entity's proportionality assessment.
Incident Reporting — 24 / 72 hours / 1 month
Article 23 of NIS2 establishes a three-stage incident reporting timeline that is significantly stricter than GDPR. The clock starts the moment the entity becomes aware of a significant incident — defined as any incident that has caused or is capable of causing severe operational disruption or financial loss, or that has affected other natural or legal persons through considerable material or non-material damage.
- Within 24 hours (early warning): notify the national CSIRT or competent authority. The early warning must indicate whether the incident is suspected to be caused by unlawful or malicious acts, and whether it could have cross-border impact. No detailed analysis is required at this stage.
- Within 72 hours (incident notification): update the early warning with an initial assessment of the incident, including severity, impact and, where available, indicators of compromise. This replaces the early warning and is the formal notification of the incident.
- Within 1 month (final report): detailed description of the incident, including severity and impact, the type of threat or root cause that likely triggered the event, mitigation measures applied and ongoing, and, where applicable, the cross-border impact observed.
In addition to authority notification, entities may be required to inform the users of their services about significant incidents that are likely to adversely affect those users, and about any measures the users can take in response. This applies particularly when the incident is caused by a cyber threat that is disclosed publicly.
Supply Chain Security Obligations
Supply chain security is one of the most significant expansions introduced by NIS2 compared to the 2016 NIS Directive. Article 21(2)(d) explicitly requires entities to take into account "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers". This is not a generic best-practice statement — it is a specific compliance obligation.
The rationale is straightforward: the majority of damaging cyber incidents in the EU in recent years traced back to compromised suppliers, service providers or software components. NIS2 seeks to close that gap by extending cybersecurity accountability along the value chain, without formally placing suppliers inside the regulated perimeter unless they independently qualify.
In practice this means that an in-scope entity must identify its critical suppliers, assess their security posture, impose security requirements through contracts, monitor changes to that posture over time, and treat compromise of a critical supplier as a reportable incident under Article 23 where the impact threshold is met.
What "supply chain security" concretely requires
- Maintain an up-to-date inventory of critical suppliers and service providers — especially for cloud, managed services, software vendors and MSSPs.
- Assess the cybersecurity posture of critical suppliers prior to onboarding and at defined intervals thereafter — using questionnaires, attestations, independent audit reports or technical assessments.
- Incorporate security clauses into supplier contracts: minimum controls, incident notification obligations, audit rights, sub-processor approval, data handling commitments, termination on breach.
- Monitor supplier-side incidents and vulnerabilities: subscribe to security advisories, maintain contact channels, include suppliers in tabletop exercises.
- Flow down requirements: critical suppliers must impose equivalent obligations on their own critical sub-suppliers where relevant to the service provided.
- Include supplier risk in the business continuity plan: alternative suppliers, exit strategies, portability commitments.
Penalties & Management Liability
NIS2 introduces a two-tier penalty structure that mirrors the approach of GDPR. Sanctions can be imposed both on the entity and on members of its management body. The directive also grants national authorities far-reaching supervisory powers, including the ability to suspend certifications and executive functions.
Personal Liability of Management Bodies
Article 20 makes members of the management body personally accountable for approving the cybersecurity risk management measures and overseeing their implementation. Where the entity persistently fails to comply, national authorities can — in addition to fines — temporarily prohibit individual members from exercising managerial functions. This is a fundamental shift: NIS2 is the first EU cybersecurity instrument that directly sanctions individuals at board level.
When a NIS2 incident also involves a personal data breach, organizations may face parallel proceedings under GDPR. Article 35 of NIS2 provides that fines already imposed under GDPR for the same factual circumstances should be taken into account, to avoid disproportionate double punishment — but this is not a shield against investigation or reputational damage.
NIS2 vs GDPR — Where They Overlap and Differ
NIS2 and GDPR are often confused because both impose incident notification duties and both carry administrative fines measured against global turnover. They are, however, fundamentally different instruments addressing different risks: GDPR protects personal data, NIS2 protects network and information systems. A single event — for example, a ransomware attack — will frequently trigger both.
| Aspect | NIS2 | GDPR |
|---|---|---|
| Purpose | Cybersecurity of network and information systems | Protection of personal data of natural persons |
| Scope | 18 sectors, size-cap, Essential/Important entities | Any controller or processor of EU personal data |
| Trigger for notification | Significant incident (operational impact) | Personal data breach (risk to rights and freedoms) |
| Initial notification | Within 24 hours (early warning) | Within 72 hours |
| Maximum fine | EUR 10M / 2% (Essential) | EUR 20M / 4% |
| Personal liability | Management body (Art. 20) | Generally the legal entity |
| Supervisory model | Ex-ante (Essential) / ex-post (Important) | Ex-post, complaint-driven |
Bottom line: NIS2 and GDPR overlap but do not substitute each other. An organization already mature under GDPR has a meaningful head start on NIS2 governance, documentation, and incident response — but none of the Article 21 technical measures are automatically satisfied by GDPR compliance. Treat them as parallel programmes with shared evidence.
NIS2 Implementation Checklist
A phased approach to NIS2 compliance works better than attempting everything at once. The checklist below organizes the work into four phases from scoping to continuous improvement. Tick items as you validate them with evidence.
Phase 1 — Scope & Governance
- Confirm whether the organization meets the size thresholds and falls into one of the 18 sectors.
- Classify the entity as Essential or Important and document the rationale.
- Register with the national competent authority (e.g. ACN in Italy, INCIBE/CCN in Spain) within the deadline.
- Appoint a CISO or equivalent and formally assign NIS2 accountability to a member of the management body.
- Schedule mandatory cybersecurity training for all board members.
Phase 2 — Risk & Controls
- Conduct a NIS2 gap assessment against Article 21 measures 1 through 10.
- Document an information security policy approved by the management body.
- Define and document a risk assessment methodology and run a first organization-wide assessment.
- Implement MFA on all privileged and externally accessible accounts.
- Deploy encryption for data at rest and in transit across all in-scope systems.
- Establish vulnerability management with defined remediation SLAs.
Phase 3 — Incident Readiness & Supply Chain
- Write and exercise an incident response plan aligned with the 24/72h/1-month reporting timeline.
- Establish contact channels with the national CSIRT for incident notification.
- Build an inventory of critical suppliers and run an initial security assessment for each.
- Update procurement templates with NIS2 security clauses and incident notification obligations.
- Run a tabletop exercise simulating a significant incident with external reporting obligations.
Phase 4 — Continuous Improvement
- Schedule independent penetration testing at least annually.
- Review the information security policy annually or after significant incidents.
- Track NIS2 metrics at board level: mean time to detect, mean time to report, percentage of suppliers assessed.
- Feed lessons learned from incidents back into the risk assessment.
- Maintain evidence suitable for national authority inspection at short notice.
How Orizon Supports NIS2 Compliance
Orizon is a European cybersecurity platform designed from day one around the sovereignty, documentation and continuous-evidence requirements that NIS2 enforces. Compliance is not a side effect of our products — it is their primary design axis. The table below maps the core Orizon capabilities to the Article 21 measures they directly support.
Next steps
- Book a NIS2 scoping assessment with our compliance team to validate your in-scope status and priorities.
- Request a gap analysis against Article 21 based on your current controls, policies and evidence.
- Start a free external attack surface scan to establish a baseline of your exposure.
Contact: [email protected] · orizon.one/solutions/nis2-compliance · EU headquarters, sovereign infrastructure.