About this article: the requirements outlined here reflect the official obligations defined at EU level by the NIS2 Directive. Each Member State transposes the directive into its own national law, which may introduce specific deadlines, registration procedures and supervisory mechanisms. If you'd like to understand the obligations specific to your country, get in touch — we'll help you navigate your local framework.
NIS2 in 30 seconds
NIS2 is a European cybersecurity directive adopted in 2022 that replaces the original NIS Directive from 2016. Its goal: to require companies and public bodies that keep the European economy running to take cybersecurity seriously — with concrete obligations and penalties for non-compliance.
As of early 2026, 21 out of 27 EU Member States have transposed NIS2 into national law. Some countries — including France, Ireland, and Spain — are in the final stages of adoption. But the obligations defined in the directive itself are already clear and actionable.
The bottom line: don't wait for your country's transposition to start preparing. The requirements are defined, enforcement is coming, and the window for preparation is closing.
Am I affected? The 3 criteria to check
NIS2 scope is determined by three cumulative criteria. If you tick all three, you're in scope.
Criterion 1 — Location
Your organisation provides services or carries out activities within the European Union. Headquarters can be outside the EU — it's the activity that counts.
Criterion 2 — Sector
Your activity falls within one of the 18 sectors listed in the directive's annexes. NIS2 distinguishes two levels:
Highly critical sectors (Annex I) → "Essential Entities"
- Energy (electricity, gas, oil, hydrogen, district heating)
- Transport (air, rail, maritime, road)
- Banking and financial market infrastructure
- Health (hospitals, labs, pharmaceutical manufacturing, medical devices)
- Drinking water and wastewater
- Digital infrastructure (cloud, data centres, DNS, CDN, hosting)
- ICT service management B2B (MSPs, MSSPs)
- Public administration
- Space
Other critical sectors (Annex II) → "Important Entities"
- Postal and courier services
- Waste management
- Chemicals (manufacture, production, distribution)
- Food (production, processing, wholesale distribution)
- Manufacturing (medical devices, electronics, machinery, vehicles)
- Digital providers (marketplaces, search engines, social networks)
- Research
Criterion 3 — Size
Your organisation exceeds the medium-sized enterprise thresholds:
- Important Entity (IE): at least 50 employees, OR annual turnover or balance sheet total above €10M
- Essential Entity (EE): at least 250 employees, OR both annual turnover above €50M and balance sheet total above €43M
Important: some entities are covered regardless of size, namely DNS service providers, top-level domain registries, qualified trust service providers, telecom operators and public administrations. And if you're a supplier to a regulated entity, expect NIS2 to impact you indirectly through contractual cybersecurity requirements imposed by your client.
Essential vs Important Entity: what's the difference?
The substantive obligations are the same for both categories. What changes is the supervision intensity and the level of penalties:
| | Essential Entity (EE) | Important Entity (IE) |
|---|---|---|
| Supervision | Proactive (inspections and audits even without an incident) | Reactive (controls triggered after an incident) |
| Max penalties | €10M or 2% of global annual turnover | €7M or 1.4% of global annual turnover |
| Management liability | Personal, with possible temporary ban from exercising management functions | Personal |
In short: if you're "Essential", the national authority can audit your measures at any time. If you're "Important", audits will come mainly after an incident. But in both cases, the technical obligations are identical.
What do I actually need to do?
The directive defines 10 minimum cyber risk management measures (Article 21), mandatory for all regulated entities. Here's what they cover in practice:
1. Risk analysis and security policy
Have a formalised security policy based on a documented risk analysis. This isn't a document that gathers dust in a drawer — it must reflect your actual risks and be reviewed regularly.
2. Incident management
Establish prevention, detection and response processes. NIS2 imposes strict notification deadlines to the national authority:
- 24 hours: initial alert after detecting a significant incident
- 72 hours: detailed notification with impact assessment
- 1 month: final report with remediation measures
3. Business continuity
Backup plans, disaster recovery plans, crisis management procedures. You must be able to demonstrate that you've anticipated disruption scenarios.
4. Supply chain security
Assess and document the cyber risks of your critical suppliers and service providers. This is one of NIS2's major additions: your suppliers become your responsibility.
5. Security in acquisition, development and maintenance
Integrate security into the lifecycle of your information systems, including vulnerability management and patching.
6. Effectiveness assessment
Regularly test and audit your cybersecurity measures. This is where penetration testing and security audits come into their own.
7. Cyber hygiene and training
Train and raise awareness across all staff, including executives. NIS2 makes board members personally liable for the validation of risk management measures. They must undergo cybersecurity training.
8. Cryptography and encryption
Implement policies on the use of cryptography, including encryption of sensitive data.
9. HR security and access management
Access control, identity management, least privilege principle, privileged account management.
10. Multi-factor authentication and secure communications
Deploy MFA, encrypted communications and secure emergency communication systems.
Key point: ISO 27001 is a good starting point but does not automatically equal NIS2 compliance. It only partially covers the security objectives; you need to go further.
My 5-step action plan
Step 1 — Determine whether you're in scope
Check your national authority's self-assessment tool. In France for example, ANSSI provides MonEspaceNIS2. The test takes less than 10 minutes. Identify whether you're EE or IE.
Step 2 — Appoint a lead and involve the board
NIS2 makes executives personally liable. Cybersecurity can no longer remain "an IT department topic". Appoint a compliance project lead and ensure the board is trained and involved.
Step 3 — Conduct a gap assessment
Map your information systems, identify your critical assets, and carry out a risk analysis. Document the gap between your current practices and NIS2 requirements. An external security audit is often the most effective and fastest way to establish this baseline.
Step 4 — Build your remediation roadmap
Prioritise actions by criticality and cost. Focus first on high-impact quick wins: access management, MFA, backups, incident response procedures. Then plan the longer-term projects (governance, supply chain assessment, regular audits).
Step 5 — Register and prepare for inspections
Once your country's transposition law is enacted, you will need to register with the national authority. Prepare your registration data: company ID, sectors of activity, headcount, and incident-handling contact details.
Useful links
- Official NIS2 Directive text — EU Official Journal
- NIS2 transposition tracker — European Commission
Need a security audit or tailored cybersecurity support?
Explore our services →