NIS2: the directive for EU cyber resilience.

Directive (EU) 2022/2555

Direct answer

NIS2, Directive (EU) 2022/2555, is the EU directive on network and information security, replacing the 2016 NIS Directive with a transposition deadline of 17 October 2024. It covers essential entities (Annex I sectors, large) and important entities (Annex I mid-size, Annex II sectors), requires ten categories of security measures, imposes a 24-hour early warning and 72-hour incident notification, and holds management bodies personally liable.

What NIS2 is

NIS2, Directive (EU) 2022/2555, is the EU legal framework for network and information security across critical and important sectors. Published on 27 December 2022 and entering into force on 16 January 2023, it replaced the 2016 NIS Directive (Directive (EU) 2016/1148) with substantially expanded scope, stronger security obligations, harmonized incident reporting, and personal management liability.

NIS2 is a directive, not a regulation. That distinction matters: a regulation applies directly across the EU without national implementing measures, while a directive must be transposed into each member state's national law. The transposition deadline was 17 October 2024. In practice, not all member states met that deadline, which means the specific obligations, supervisory body, and enforcement approach differ across the EU. When your legal team assesses NIS2 exposure, they need to assess the transposed national law of the member states where you operate, not only the directive text.

What NIS2 stands for: Network and Information Security. NIS2 is the shorthand for the second-generation cybersecurity directive, succeeding NIS1.

What changed from the NIS Directive to NIS2

NIS2 is not a minor update. The 2022 version overhauled the 2016 directive on scope, obligations, accountability, and enforcement.

NIS Directive (2016) vs NIS2 (2022)
DimensionNIS1 (2016)NIS2 (2022)
Sectors covered7 sectors (operators of essential services)18 sectors across Annex I and Annex II
Entity classificationOperators of essential services + digital service providersEssential entities (Annex I, large) and important entities (Annex I mid-size, Annex II all)
Size thresholdMember-state discretionMedium (50+ employees or 10M+ turnover) and above, with size-independent exceptions
Security measuresBroad, member-state-defined10 specific categories, Article 21, binding
Incident reportingInconsistent across member statesHarmonized: 24-hour early warning, 72-hour notification, 1-month final report
Management liabilityNot addressedManagement bodies personally liable; mandatory training (Article 20)
PenaltiesMember-state discretionMaximum ceiling: 10M EUR or 2% (essential), 7M EUR or 1.4% (important)
Supervision modelReactive for DSPsProactive ex-ante for essential; reactive ex-post for important
Supply chainNot explicitly addressedExplicit supply chain security requirement (Article 21(d))

Who NIS2 applies to

Scope is the hardest practical question. Most compliance teams underestimate the reach. NIS2 applies to entities that: (1) are of a type listed in Annex I or Annex II, (2) provide services in or operate in the EU, and (3) meet or exceed the size threshold (medium: 50 or more employees, or 10 million EUR or more in annual turnover or balance sheet). Some entities are in scope regardless of size.

NIS2 distinguishes two entity types. Essential entities face stricter supervision: proactive, ex-ante oversight by the national competent authority, which can audit without an incident trigger. Important entities face reactive supervision: the authority acts after an incident, complaint, or evidence of non-compliance. Both are required to implement the same ten Article 21 security measures. The distinction affects supervision intensity and some penalty ceilings, not the obligation set.

NIS2 is a directive, so "in scope" means in scope under the national transposition law of the relevant member state. National laws may extend scope beyond the directive minimum, and several member states have done so.

Essential vs important entities under NIS2
DimensionEssential entitiesImportant entities
SourceAnnex I sectors AND large (250+ employees or 50M+ turnover or 43M+ balance sheet)Annex I sectors AND medium (50-249 employees or 10-49M turnover); OR Annex II sectors AND medium+
Size-independent inclusionsQualified trust service providers, TLD name registries, DNS service providers, providers of public electronic comms networks/services (medium+), public administrationSome entities designated by member state
Supervision modelProactive, ex-ante: audits, on-site inspections, targeted security scans without an incident triggerReactive, ex-post: investigation triggered by incident, complaint, or evidence of non-compliance
Obligations (Article 21)All ten security measuresAll ten security measures (identical obligation set)
Penalty ceilingAt least 10M EUR or 2% of global annual turnover, whichever is higherAt least 7M EUR or 1.4% of global annual turnover, whichever is higher
Personal liabilityManagement body personally liable (Article 20)Management body personally liable (Article 20)
ExamplesLarge energy operator, large bank, large hospital, large cloud provider, qualified trust service providerMid-size manufacturer of medical devices, online marketplace, food producer, mid-size energy company

Annex I and Annex II sectors

NIS2 covers 18 sectors split across two annexes. Annex I sectors are treated as higher criticality: large entities in these sectors are essential entities, medium entities are important entities. Annex II sectors produce important entities regardless of whether the entity is large or medium.

The sector categorization matters for self-assessment, but the definitive test is always the national transposition law. Some member states have added sectors or adjusted definitions.

NIS2 sector coverage: Annex I (essential at large) and Annex II (important)
AnnexSectorExamples of covered entities
IEnergyElectricity operators, oil transmission and storage, gas supply/distribution/transmission/storage, hydrogen production/storage/transmission, district heating/cooling operators
ITransportAir carriers, airport management bodies, maritime shipping companies, port management bodies, road authorities, railway infrastructure managers
IBankingCredit institutions
IFinancial market infrastructureTrading venue operators, central counterparties (CCPs)
IHealthHealthcare providers, EU reference laboratories, R+D entities, pharmaceutical manufacturers of critical medicines, medical device manufacturers for public health emergencies
IDrinking waterSuppliers and distributors of water for human consumption (excluding distributors for whom it is not a principal activity)
IWaste waterWaste-water and urban run-off collection, treatment, and discharge
IDigital infrastructureInternet exchange points (IXPs), DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks (CDNs), trust service providers, providers of public electronic communications networks/services
IICT service management (B2B)Managed service providers (MSPs), managed security service providers (MSSPs)
IPublic administrationCentral government entities; regional level entities (as determined by each member state)
ISpaceOperators of ground-based infrastructure supporting space-based services
IIPostal and courier servicesUniversal service providers and other postal/courier operators
IIWaste managementWaste management operators
IIChemicalsManufacturers, producers, and distributors of chemicals
IIFoodFood production, processing, and distribution at scale
IIManufacturingMedical devices, computers and electronics, machinery, motor vehicles, other transport equipment
IIDigital providersOnline marketplaces, online search engines, social networking service platforms
IIResearchResearch organisations

The size threshold, and why supply chain matters

The baseline size threshold for NIS2 scope is the EU definition of a medium-sized enterprise: 50 or more employees, or 10 million EUR or more in annual turnover or balance sheet. Entities below this threshold in Annex I or II sectors are generally out of scope, with the exceptions below.

Size-independent inclusions: qualified trust service providers and top-level domain (TLD) name registries are essential entities regardless of size. DNS service providers and providers of public electronic communications networks or services who are at least medium-sized are essential. Public administration entities are essential regardless of size. Member states may designate additional entities.

The supply chain angle: NIS2 Article 21(d) requires covered entities to manage supply chain security, including the security practices of direct suppliers and service providers. This means a Swiss or non-EU entity that supplies software, cloud infrastructure, or managed services to an EU-covered entity will face contractual NIS2 security requirements as part of that customer relationship, even though the supplier is not itself directly subject to the directive. This is the mechanism by which NIS2 reaches beyond EU borders.

For Swiss entities specifically: Switzerland is not an EU member state and NIS2 does not apply directly. Swiss law provides for information security requirements under the ISG (Informationssicherheitsgesetz) and related legislation for federal bodies and critical infrastructure. However, Swiss companies operating EU subsidiaries, providing digital services to EU users, or supplying EU-covered entities will encounter NIS2 obligations through their EU operations or customer contracts.

NIS2 timeline and national transposition

NIS2 was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law and notify the Commission. Not all member states met that deadline. As of mid-2025, several had transposed late, and some transpositions were still pending.

Because NIS2 is a directive rather than a regulation, the enforceable obligations in any member state come from that state's national law, not from the directive text directly. This has practical consequences: the definitions used, the designated competent authority, the exact penalty ranges (within the directive ceilings), and the registration requirements all vary by member state. Entities operating across multiple EU countries must assess compliance against each relevant national law.

NIS2 key dates
DateEvent
27 December 2022Published in the Official Journal of the EU (OJ L 333/80)
16 January 2023Entered into force (20 days after OJ publication)
17 October 2024Transposition deadline: member states required to adopt and publish national implementing measures
17 October 2024NIS1 (Directive (EU) 2016/1148) repealed
17 April 2025Entities required to register with national competent authorities (18 months after transposition deadline)
OngoingNational transpositions: several member states transposed late or with varying implementation; check the ENISA national authorities directory for the latest status

Article 21: the ten required security measures

Article 21 is the core obligations article. It requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks and prevent or minimise the impact of incidents. The measures must be based on an all-hazards approach and proportionate to the level of risk, the entity's size, and the impact a potential incident would have.

The ten measure categories are specified in Article 21(2). Member states may not impose additional cybersecurity requirements on top of these unless national law specifically authorizes it.

Article 21 cybersecurity risk management measures
Article 21(2)Measure categoryWhat it requires in practice
(a)Risk analysis and information system security policiesDocumented risk assessment methodology, information security policy, asset inventory, ongoing risk treatment
(b)Incident handlingIncident response plan, classification criteria, internal reporting chain, CSIRT notification workflow
(c)Business continuity, backup, disaster recovery, and crisis managementBIA for critical services, tested backup and recovery procedures, crisis communication plan
(d)Supply chain securitySecurity assessment of direct suppliers and service providers, contractual security requirements, ongoing monitoring
(e)Security in network and information system acquisition, development, and maintenanceSecure development lifecycle, vulnerability management programme, responsible disclosure policy
(f)Policies and procedures to assess effectiveness of cybersecurity risk management measuresPeriodic testing (penetration tests, audits, table-top exercises), KPIs, management reporting
(g)Cyber hygiene practices and cybersecurity trainingBaseline hygiene programme (patching, password policy, asset hygiene), security awareness training for all staff
(h)Cryptography and, where appropriate, encryptionEncryption policy, key management, cryptographic standards for data at rest and in transit
(i)Human resources security, access control policies, and asset managementJoiner/mover/leaver process, least-privilege access controls, privileged access management, asset register
(j)Multi-factor authentication or continuous authentication, and secured communicationsMFA for all privileged and remote access, secured voice/video/text communications for sensitive discussions

The NIS2 incident reporting timeline

Article 23 sets the reporting obligations for significant incidents. A significant incident is one that causes or is capable of causing severe operational disruption, financial loss, or damage to other persons. The reporting clock runs from the moment the entity becomes aware of the incident, not from when the incident occurred.

Entities report to their national CSIRT (or competent authority where no CSIRT is designated). Entities that are also subject to DORA's incident reporting use the DORA regime for ICT-related incidents; see the NIS2 and DORA section below.

The practical challenge: the 24-hour clock is very tight. Many organizations find that detecting an incident, classifying it as significant, escalating to the team that can notify, and actually filing the early warning within 24 hours requires pre-built workflows, pre-approved messaging, and a clear decision tree -- all before any incident occurs. Building that workflow after an incident starts is too late.

NIS2 significant incident reporting timeline (Article 23)
StepDeadlineContent required
Early warningWithin 24 hours of becoming awareWhether the incident is suspected to be caused by unlawful or malicious action; whether it may have cross-border impact
Incident notificationWithin 72 hours of becoming awareInitial assessment: severity, indicators of compromise (if available), initial root cause hypothesis
Intermediate reportOn request from CSIRT or authorityStatus update: current assessment, mitigation measures in progress
Final reportNo later than 1 month after incident notificationComplete description, type of incident, root cause, cross-border impact, mitigating measures taken, risk of recurrence

Board and management liability under NIS2

Article 20 is one of the most operationally significant provisions in NIS2, and the one that most frequently surprises boards encountering it for the first time. It requires management bodies to approve the cybersecurity risk-management measures and to oversee their implementation. Management body members are personally liable for infringements.

The personal liability provision means that the head of the management body or, where national law provides for it, each member of the management body can be held directly responsible for violations of NIS2 obligations. The specific consequences (fines, temporary bans from management roles) depend on national transpositions, but the directive itself explicitly creates this accountability.

Article 20 also requires member states to ensure that management bodies of essential and important entities undergo cybersecurity training, and that they offer similar training to their employees regularly. This is not optional: it is a compliance obligation, not a best practice.

Where entities actually struggle: translating Article 20 into board practice. The required oversight is not a one-time approval of a security policy. It implies regular board-level reporting on the security measures, awareness of material risks, and documented evidence that the board reviewed and approved the measures. In a competent authority inspection, the board cannot simply point to a security team and say "they handle it."

NIS2 penalty framework

Articles 36 and 37 set the maximum penalty ceilings. The directive specifies minimums for what member states must make available; national transpositions may set specific penalty structures within those ceilings. Some member states have introduced administrative fines; others use criminal liability for management or civil enforcement mechanisms.

The penalty ceilings are expressed as the higher of a fixed maximum or a percentage of global annual turnover, applying to the worldwide revenue of the entity and its group where applicable. This mirrors the GDPR structure and is similarly designed to be proportionate to the size of large, global organizations.

Non-financial remedies are also available: competent authorities can issue binding instructions, require entities to implement specific security measures, publicly disclose non-compliance, and temporarily prohibit management body members from exercising managerial functions.

NIS2 maximum administrative fine ceilings (Article 36 and 37)
Entity typeMaximum fineAlternative ceilingAdditional measures available
Essential entities10,000,000 EUR2% of total worldwide annual turnover (whichever is higher)Binding instructions, mandatory security measures, public disclosure, temporary management prohibition
Important entities7,000,000 EUR1.4% of total worldwide annual turnover (whichever is higher)Binding instructions, mandatory security measures, public disclosure

NIS2 and DORA: the overlap for financial entities

For entities subject to DORA (Regulation (EU) 2022/2554), the relationship between the two frameworks is governed by a lex specialis rule. DORA is the sector-specific EU law for ICT risk in financial services. Under NIS2 Article 4(2), where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk-management measures or to notify competent authorities of incidents, and where those requirements are at least equivalent to NIS2, the sector-specific provisions apply.

In practice: financial entities subject to DORA follow DORA for ICT risk management (Chapter II), major ICT incident classification and reporting (Chapter III), digital operational resilience testing (Chapter IV), ICT third-party risk management (Chapter V), and information sharing (Chapter VI). They do not run a separate NIS2 compliance programme for those areas. Where DORA does not provide equivalent coverage (which is limited), NIS2 applies as a baseline.

The supervisory channel also differs. DORA financial entities report major ICT incidents to their national financial supervisor (central bank, financial market authority, insurance supervisor) rather than to the NIS2 national competent authority. For entities in scope for both, this means maintaining clarity on which reporting channel applies for which incident type.

The practical implication: a bank or investment firm that is already compliant with DORA is substantially compliant with the equivalent NIS2 requirements. The risk management frameworks, incident workflows, third-party risk programme, and resilience testing covered by DORA overlap closely with NIS2 Article 21. Running both in Acuna with a shared control library means the overlap is mapped once, not maintained twice.

NIS2 vs DORA: key dimensions
DimensionNIS2 (Directive (EU) 2022/2555)DORA (Regulation (EU) 2022/2554)
Legal instrumentDirective -- requires national transpositionRegulation -- directly applicable across the EU
Scope18 sectors across Annex I (essential and important) and Annex II (important)Financial entities: credit institutions, payment institutions, investment firms, insurance, crypto-asset service providers, ICT third-party service providers
FocusNetwork and information security for critical and important sectorsDigital operational resilience specifically for financial sector ICT
Security measuresArticle 21: 10 measure categories, proportionate to riskChapter II: ICT risk management framework with detailed prescriptive requirements
Incident reportingArticle 23: 24-hour early warning, 72-hour notification, 1-month final report to national CSIRTArticle 19: 4-hour initial notification after classification, 72-hour intermediate, 1-month final to financial supervisor
Resilience testingArticle 21(f): policies to assess effectiveness of measures (including testing)Chapter IV: digital operational resilience testing, TLPT mandatory for significant entities
Third-party riskArticle 21(d): supply chain security obligationsChapter V: detailed ICT third-party risk management requirements, Register of Information
SupervisionNational competent authority: essential entities proactive ex-ante; important entities reactive ex-postFinancial supervisory authorities (EBA, EIOPA, ESMA for oversight of critical ICT TPPs)
Precedence where both applyNIS2 applies where DORA does not provide equivalent coverageDORA is lex specialis: applies in preference to NIS2 for covered financial entities for the covered pillars
Applied from17 October 2024 (transposition deadline)17 January 2025

How NIS2 maps to ISO 27001 and DORA

NIS2 and ISO 27001 overlap closely at the control level. An organization running ISO 27001 already has much of the Article 21 foundation in place: risk assessment, access control, incident management, business continuity, supplier security, cryptography, and training all map to ISO 27001 Annex A controls. NIS2 does not require ISO 27001 certification, but organizations with a mature ISMS will find their compliance effort significantly reduced.

The table maps selected NIS2 Article 21 measures to their ISO 27001 counterparts and, where DORA applies, to DORA chapters. Running all three in Acuna means the control library is built once and reused across frameworks, and the cross-framework mapping is maintained automatically.

NIS2 Article 21 cross-framework control mapping (selected areas)
NIS2 Article 21 measureISO 27001:2022 control areaDORA chapter (where applicable)
Art. 21(a) -- Risk analysis and security policiesClause 6.1 (risk assessment and treatment); 5.1 (policies)Chapter II, Art. 6 (ICT risk management framework)
Art. 21(b) -- Incident handling5.24 to 5.27 (incident management controls)Chapter III, Art. 17 to 23 (ICT-related incident management)
Art. 21(c) -- Business continuity, backup, DR5.29, 5.30, 8.13, 8.14 (BCM and redundancy)Chapter II, Art. 11 (ICT business continuity)
Art. 21(d) -- Supply chain security5.19 to 5.22 (supplier security controls)Chapter V, Art. 28 to 44 (ICT third-party risk)
Art. 21(e) -- Secure acquisition, development, maintenance8.25 to 8.32 (secure development controls)Chapter II, Art. 9 (protection)
Art. 21(f) -- Effectiveness testing and audit9.2, 9.3 (internal audit, management review)Chapter IV, Art. 24 to 27 (TLPT and testing)
Art. 21(g) -- Cyber hygiene and training6.3, 6.6 (awareness and training, NDA)Chapter II, Art. 13 (learning and evolving)
Art. 21(h) -- Cryptography and encryption8.24 (cryptography)Chapter II, Art. 9 (protection measures)
Art. 21(i) -- HR security, access control, asset management5.9 to 5.14 (asset management); 5.15 to 5.18 (access control); 6.1 to 6.5 (HR security)Chapter II, Art. 9 (protection)
Art. 21(j) -- MFA and secured communications8.5 (secure authentication); 8.20 (network security)Chapter II, Art. 9 (protection)

Running NIS2 in Acuna

Acuna is designed for the way NIS2 actually lands on compliance teams: alongside ISO 27001, DORA, and GDPR, sharing controls, evidence, and risk data across frameworks rather than running each as an isolated project.

For NIS2 specifically: the Comply pane walks through essential vs important scoping, maps all ten Article 21 measures to your organizational scope, and documents the cybersecurity risk management framework. Supplier Shield manages the Article 21(d) supply chain obligations: third-party risk assessments, contractual security requirements, and continuous monitoring. The incident workflow enforces the 24-hour and 72-hour notification clocks with pre-built escalation paths and draft notification templates. The Assure pane maintains the evidence trail for competent authority review, including board-level approval and training records as required by Article 20.

For entities subject to both NIS2 and DORA: Acuna's cross-framework mapping engine identifies which controls satisfy both sets of requirements, so a single control implementation produces evidence for both frameworks. Teams already running DORA in Acuna extend into NIS2 without rebuilding the control library.

See how Acuna supports NIS2 compliance.

EXPLORE

NIS2

NIS2 scope and applicabilityComing soon

Who NIS2 applies to: essential vs important entities, size thresholds, Annex I and II sectors, and the supply chain reach to non-EU entities.

NIS2 vs DORAComing soon

How NIS2 and DORA overlap for financial entities, the lex specialis rule, which reporting channel applies, and how to run both in a shared control library.

Incident reporting under NIS2Coming soon

Building the workflow behind the 24-hour early warning and 72-hour notification: classification criteria, escalation paths, and notification templates.

NIS2 readiness checklistComing soon

A structured 40-point checklist covering scope determination, Article 21 measures, incident reporting readiness, supply chain, and board accountability.

NIS2 by member stateComing soon

How the transposition has landed across key EU jurisdictions: national competent authorities, registration requirements, and enforcement postures.

NIS2: common questions.

Related answers

Questions practitioners ask.

What is NIS2 and who does it apply to?

NIS2 (Directive (EU) 2022/2555) is the EU directive on cybersecurity for essential and important entities. It expands the scope of NIS1, introduces stricter security requirements under Article 21, and mandates incident reporting within 24 hours (early warning), 72 hours (notification), and one month (final report). Essential entities include energy, transport, banking, health, water, and digital infrastructure. Important entities cover postal, waste, chemicals, food, manufacturing, and digital providers with 50+ employees or EUR 10M+ turnover. Acuna maps NIS2 articles to controls, manages supply chain risk, and tracks incident reporting deadlines.

Who does NIS2 apply to?

NIS2 (Directive (EU) 2022/2555) applies to public and private organisations that operate in one of the sectors listed in its annexes and meet a size threshold, generally medium-sized and larger organisations. In-scope organisations are classified as either essential entities or important entities, a distinction that determines the intensity of their supervision and the penalties they face, not whether the obligations apply. Because NIS2 is a directive, the precise scope is set by each member state's national transposition, so the exact boundaries can vary by country. NIS2 splits in-scope organisations into two tiers. Essential entities are the larger organisations in the highest-criticality sectors; important entities are the rest of those in scope. Both tiers must meet the same core risk-management and reporting obligations. The difference is supervisory: essential entities face proactive, ex-ante supervision, while important entities are supervised reactively, ex-post, typically after an incident or evidence of non-compliance. Penalty ceilings also differ between the tiers. NIS2 organises covered sectors into two annexes. Annex I lists sectors of high criticality such as energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, and space. Annex II lists other critical sectors such as postal and courier services, waste management, chemicals, food, manufacturing of certain products, digital providers, and research. Whether you are essential or important depends on the combination of your sector and your size. As a general rule, NIS2 applies to medium-sized and larger organisations in the covered sectors, using the EU definition of enterprise size. But there are important exceptions where the directive applies regardless of size, for certain types of entity whose disruption would have outsized effect, so the size threshold is a starting point, not a complete test. National transposition can add further specifics. Scope is not a one-time determination. An organisation grows across a threshold, enters a covered sector through an acquisition, or its member state transposes the directive with a wider net than expected. Treating scope as settled is how organisations discover, late, that they were in scope all along.

What is the difference between NIS2 and DORA?

NIS2 and DORA are two EU frameworks for cybersecurity and operational resilience that came into force around the same time and overlap heavily, but they are not interchangeable. NIS2 (Directive (EU) 2022/2555) is a cross-sector cybersecurity directive covering many industries; DORA (Regulation (EU) 2022/2554) is a finance-specific regulation for digital operational resilience. Where both could apply to the same organisation, DORA generally takes precedence for ICT risk in financial services as the more specific law, the lex specialis principle. A financial entity can therefore be in scope for both, with DORA governing its ICT risk and NIS2 relevant to the extent DORA does not cover. The two differ on instrument, scope, and specificity. NIS2 is a directive, so it is transposed into each member state's national law and its details can vary by country. DORA is a regulation, so it applies directly and uniformly across the EU without transposition. NIS2 spans many sectors; DORA is confined to financial entities and their ICT providers. DORA is also more prescriptive on ICT specifics, such as the register of information and threat-led penetration testing, than NIS2's more general risk-management measures. Where a financial entity would fall under both, DORA is treated as the more specific regime for its ICT risk, and it prevails on the matters it covers. NIS2 recognises this relationship, so the two are designed to fit together rather than duplicate. In practice, a bank manages its ICT risk under DORA and does not also apply NIS2's general measures to the same ground. For a financial entity in scope for both: determine your DORA obligations for ICT risk first, since they are the more specific and prescriptive. Then confirm what, if anything, NIS2 adds beyond DORA's coverage for your organisation, which depends partly on your member state's transposition. The efficient path is to map the shared requirements once, as most of the risk-management and supply-chain substance is common, and only maintain the genuinely distinct pieces separately.

How does NIS2 incident reporting work?

Under Article 23 of NIS2, essential and important entities must report significant incidents to their national CSIRT or competent authority in stages: an early warning shortly after becoming aware of the incident, a fuller incident notification, and a final report once the incident is handled. An incident is significant if it has caused or is capable of causing serious operational disruption or financial loss, or has affected other people through considerable material or non-material damage. Because NIS2 is a directive, the exact deadlines and mechanics are shaped by each member state's transposition, so confirm the specifics against your applicable national law. The staged structure exists so authorities get an early signal quickly, then a complete picture as the situation resolves. The reporting clock only starts once you determine an incident is significant, which is why fast, accurate classification matters as much as the reporting itself. NIS2 sets out when an incident is significant, based on the disruption or loss it causes or could cause, and the harm to others. National transposition and guidance sharpen these thresholds. Classifying correctly is the gate: misjudge it and you either over-report routine events or, worse, miss the clock on a reportable one. Reporting is a sequence, not a single filing: an early warning soon after awareness, a subsequent notification with a fuller assessment, and a final report after the incident is resolved including root cause and mitigation. The precise timeframes are set by Article 23 and national implementation, so verify the current figures for your member state before relying on them.

What should be on a NIS2 compliance checklist?

A NIS2 compliance programme comes down to a handful of things done properly: confirm whether you are in scope and as which tier, put in place the Article 21 risk-management measures, stand up incident detection and staged reporting, address supply chain security, and get the management body to approve and oversee it all. The checklist below covers the core areas any programme must address; it is not a substitute for your member state's transposed requirements, which add the specifics. Determine scope and tier: confirm whether you are in scope, in which Annex I or II sector, and whether you are an essential or an important entity. Register with your authority: meet the registration and information obligations your member state's transposition sets for in-scope entities. Implement the Article 21 measures: put in place the ten categories of risk-management measures, covering risk analysis and security policy, incident handling, business continuity and crisis management, supply chain security, security in acquisition and development, policies to assess effectiveness, basic cyber hygiene and training, cryptography, human resources and access control, and multi-factor authentication and secured communications. Stand up incident reporting: build the detection, classification, and staged reporting process required under Article 23, and know who your CSIRT or competent authority is. Address supply chain security: assess and manage the security of your direct suppliers and service providers, as Article 21 requires. Secure management-body approval and oversight: under Article 20, the management body approves the risk-management measures, oversees them, and can be held liable. Training for management is part of this. Maintain evidence: keep the records that show the measures are real and operating, because supervision, proactive for essential entities, will look for them.

Why does NIS2 vary by country?

NIS2 is a directive, not a regulation, which means it does not apply directly. Instead, each EU member state must transpose it into national law, and it is that national law you actually comply with. The transposition deadline was 17 October 2024, but member states have transposed at different speeds and with different specifics, so the precise obligations, the designated authority, and some thresholds can vary depending on where you operate. For a multi-country organisation, this is the defining practical feature of NIS2. This is the single biggest difference in character between NIS2 and DORA. DORA, a regulation, is uniform across the EU. NIS2, a directive, is a common baseline that each country implements in its own law, so complying with NIS2 really means complying with the NIS2 transposition in each country where you are in scope. A directive sets the objectives every member state must achieve but leaves the form and method to national governments. That allows NIS2 to fit each country's existing legal and regulatory structures, but it means the operative detail lives in national law. Two organisations in the same sector in different member states can face variations in registration, reporting specifics, and supervisory approach. Member states were required to adopt and publish their transposing measures by 17 October 2024. In practice, transposition has been uneven. Because the position by country changes over time, confirm the current status and the operative national law for each member state where you are in scope rather than relying on a general statement. For a single-country organisation: identify your national transposing law and your competent authority, and comply with that. For a multi-country organisation: map the common NIS2 baseline once, then track the national deltas per member state. The baseline is largely shared; the variation is in the specifics, which is a manageable overlay rather than a separate programme per country.

NIS2 COMPLIANCE

Know your scope. Close the gaps.

Acuna maps NIS2 Article 21 obligations to your entity type, runs Article 21 risk management alongside ISO 27001 and DORA in one shared control library, and keeps the evidence trail competent authorities actually inspect.

See Acuna for NIS2Talk to a practitioner
Built for:CISOsCompliance LeadersMSSPs