What is NIS 2? A Complete Guide for Organizations
The NIS 2 Directive (Directive (EU) 2022/2555) is the European Union's updated cybersecurity legislation that establishes a high common level of cybersecurity across all member states. It replaces the original NIS Directive from 2016 and significantly expands the scope, requirements, and enforcement mechanisms for organizations operating in the EU.
Key Takeaways
| Point | Summary |
|---|---|
| What it is | EU directive establishing cybersecurity requirements for essential and important entities across member states |
| Effective date | Entered into force January 16, 2023, with member states required to transpose by October 17, 2024 |
| Who it applies to | Medium and large organizations in 18 critical sectors, covering both essential and important entities |
| Maximum penalty | Up to €10 million or 2% of global annual turnover for essential entities |
| Key difference from NIS 1 | Broader scope, stricter requirements, harmonized enforcement, and supply chain security obligations |
Quick Answer: NIS 2 is the EU's updated cybersecurity directive requiring organizations in critical sectors to implement comprehensive cybersecurity measures, report incidents within strict timelines, and manage supply chain security risks. Penalties can reach €10 million or 2% of global turnover.
NIS 2 vs NIS 1: What Changed?
| Aspect | NIS 1 (2016) | NIS 2 (2022) |
|---|---|---|
| Scope | Limited sectors | 18 sectors, ~160,000 entities |
| Entity classification | Operators of essential services | Essential and important entities |
| Size threshold | Member state discretion | Harmonized size-cap rules |
| Incident reporting | General obligation | Strict multi-stage timeline (24h/72h/1 month) |
| Penalties | Varied by member state | Harmonized, up to €10M or 2% of turnover |
| Supply chain | Not addressed | Explicit requirements |
| Management liability | Not specified | Personal accountability for management |
The original NIS Directive left significant room for member states to interpret and implement requirements differently. This led to inconsistent cybersecurity standards across the EU. NIS 2 addresses these gaps by harmonizing requirements, expanding scope, and introducing stricter enforcement.
Who Does NIS 2 Apply To?
NIS 2 uses a size-cap mechanism combined with sector classification. Organizations are covered if they meet both criteria:
Size thresholds:
- Medium enterprises: 50+ employees or €10M+ annual turnover
- Large enterprises: 250+ employees or €50M+ annual turnover
Sector classification:
| Category | Sectors |
|---|---|
| Essential entities (Annex I) | Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space |
| Important entities (Annex II) | Postal services, waste management, chemicals, food, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (marketplaces, search engines, social networks), research organizations |
Some entities are included regardless of size, such as qualified trust service providers, DNS service providers, TLD name registries, and entities identified as critical under the CER Directive.
Core NIS 2 Requirements
NIS 2 mandates a risk-based approach to cybersecurity. Article 21 outlines the minimum measures organizations must implement:
| Requirement | Description |
|---|---|
| Risk analysis and policies | Information system security policies and risk assessment procedures |
| Incident handling | Detection, response, and recovery processes |
| Business continuity | Backup management, disaster recovery, and crisis management |
| Supply chain security | Security measures for supplier and service provider relationships |
| Network security | Security in network and information system acquisition, development, and maintenance |
| Vulnerability management | Vulnerability handling and disclosure policies |
| Cyber hygiene | Basic cyber hygiene practices and cybersecurity training |
| Cryptography | Policies and procedures on the use of cryptography and encryption |
| Access control | Human resources security, access control policies, and asset management |
| Multi-factor authentication | Use of MFA, secured communications, and secured emergency communications |
Incident Reporting Timeline
NIS 2 introduces a strict multi-stage incident reporting obligation:
| Stage | Deadline | What to Report |
|---|---|---|
| Early warning | Within 24 hours | Initial notification of a significant incident |
| Incident notification | Within 72 hours | Updated assessment, including severity and impact |
| Final report | Within 1 month | Detailed description, root cause, mitigation measures, and cross-border impact |
A "significant incident" is one that has caused or is capable of causing severe operational disruption or financial loss, or has affected or could affect other natural or legal persons by causing considerable damage.
Penalties and Enforcement
NIS 2 harmonizes penalty frameworks across member states:
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10,000,000 or 2% of worldwide annual turnover, whichever is higher |
| Important entities | €7,000,000 or 1.4% of worldwide annual turnover, whichever is higher |
Beyond financial penalties, supervisory authorities can:
- Issue binding instructions and compliance orders
- Order security audits at the entity's expense
- Temporarily suspend certifications or authorizations
- Temporarily prohibit management from exercising functions
Management accountability is a distinctive feature of NIS 2. Senior management can be held personally liable for non-compliance, and must approve cybersecurity risk management measures, oversee their implementation, and undertake regular cybersecurity training.
How NIS 2 Relates to Other Frameworks
NIS 2 does not exist in isolation. It connects to several other compliance frameworks:
| Framework | Relationship |
|---|---|
| ISO 27001 | NIS 2 explicitly encourages the use of international standards. ISO 27001 certification can demonstrate compliance with many NIS 2 requirements |
| GDPR | Both apply to EU operations. NIS 2 focuses on cybersecurity while GDPR focuses on data protection. Incident reporting requirements overlap |
| CER Directive | Complements NIS 2 by addressing physical resilience of critical entities |
| DORA | Specific to financial sector, with requirements that align with NIS 2 |
| Cyber Resilience Act | Addresses product security, complementing NIS 2's organizational requirements |
How Bastion Helps with NIS 2 Compliance
Bastion provides comprehensive support for organizations navigating NIS 2 compliance:
- Gap assessment: We evaluate your current cybersecurity posture against NIS 2 requirements and identify areas that need attention
- Policy development: We help develop the required policies, procedures, and documentation that satisfy NIS 2 obligations
- ISO 27001 certification: Since ISO 27001 maps closely to NIS 2 requirements, achieving certification provides a strong compliance foundation
- Incident response planning: We help establish incident detection, response, and reporting processes aligned with NIS 2 timelines
- Supply chain security: We help assess and manage third-party risks as required by the directive
- Ongoing compliance: Continuous monitoring and regular reviews to maintain compliance as requirements evolve
Common Questions
Is NIS 2 mandatory?
Yes. NIS 2 is an EU directive that member states must transpose into national law. Organizations that fall within scope are legally required to comply. Unlike voluntary certifications, NIS 2 compliance is a regulatory obligation with significant penalties for non-compliance.
When does NIS 2 take effect?
The directive entered into force on January 16, 2023. Member states had until October 17, 2024 to transpose it into national law. However, implementation timelines vary by country, and some member states may have extended deadlines. Organizations should check their local transposition status.
Does NIS 2 apply to non-EU companies?
NIS 2 can apply to non-EU companies if they provide services within the EU in covered sectors. Entities not established in the EU but offering services within the EU must designate a representative in one of the member states where they operate.
How does NIS 2 differ from GDPR?
GDPR focuses on protecting personal data, while NIS 2 focuses on cybersecurity of network and information systems. GDPR applies to any organization processing EU personal data, while NIS 2 targets specific sectors. Both have incident reporting requirements, but with different timelines and scopes. Organizations in scope for both must comply with each separately.
Can ISO 27001 help with NIS 2 compliance?
Yes. ISO 27001 certification provides a strong foundation for NIS 2 compliance. The directive explicitly references international standards, and many NIS 2 requirements map directly to ISO 27001 controls. However, ISO 27001 alone may not cover all NIS 2-specific requirements, such as the multi-stage incident reporting timeline.
