Directive (EU) 2022/2555
Direct answer
NIS2, Directive (EU) 2022/2555, is the EU directive on network and information security, replacing the 2016 NIS Directive with a transposition deadline of 17 October 2024. It covers essential entities (Annex I sectors, large) and important entities (Annex I mid-size, Annex II sectors), requires ten categories of security measures, imposes a 24-hour early warning and 72-hour incident notification, and holds management bodies personally liable.
NIS2, Directive (EU) 2022/2555, is the EU legal framework for network and information security across critical and important sectors. Published on 27 December 2022 and entering into force on 16 January 2023, it replaced the 2016 NIS Directive (Directive (EU) 2016/1148) with substantially expanded scope, stronger security obligations, harmonized incident reporting, and personal management liability.
NIS2 is a directive, not a regulation. That distinction matters: a regulation applies directly across the EU without national implementing measures, while a directive must be transposed into each member state's national law. The transposition deadline was 17 October 2024. In practice, not all member states met that deadline, which means the specific obligations, supervisory body, and enforcement approach differ across the EU. When your legal team assesses NIS2 exposure, they need to assess the transposed national law of the member states where you operate, not only the directive text.
What NIS2 stands for: Network and Information Security. NIS2 is the shorthand for the second-generation cybersecurity directive, succeeding NIS1.
NIS2 is not a minor update. The 2022 version overhauled the 2016 directive on scope, obligations, accountability, and enforcement.
| Dimension | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Sectors covered | 7 sectors (operators of essential services) | 18 sectors across Annex I and Annex II |
| Entity classification | Operators of essential services + digital service providers | Essential entities (Annex I, large) and important entities (Annex I mid-size, Annex II all) |
| Size threshold | Member-state discretion | Medium (50+ employees or 10M+ turnover) and above, with size-independent exceptions |
| Security measures | Broad, member-state-defined | 10 specific categories, Article 21, binding |
| Incident reporting | Inconsistent across member states | Harmonized: 24-hour early warning, 72-hour notification, 1-month final report |
| Management liability | Not addressed | Management bodies personally liable; mandatory training (Article 20) |
| Penalties | Member-state discretion | Maximum ceiling: 10M EUR or 2% (essential), 7M EUR or 1.4% (important) |
| Supervision model | Reactive for DSPs | Proactive ex-ante for essential; reactive ex-post for important |
| Supply chain | Not explicitly addressed | Explicit supply chain security requirement (Article 21(d)) |
Scope is the hardest practical question. Most compliance teams underestimate the reach. NIS2 applies to entities that: (1) are of a type listed in Annex I or Annex II, (2) provide services in or operate in the EU, and (3) meet or exceed the size threshold (medium: 50 or more employees, or 10 million EUR or more in annual turnover or balance sheet). Some entities are in scope regardless of size.
NIS2 distinguishes two entity types. Essential entities face stricter supervision: proactive, ex-ante oversight by the national competent authority, which can audit without an incident trigger. Important entities face reactive supervision: the authority acts after an incident, complaint, or evidence of non-compliance. Both are required to implement the same ten Article 21 security measures. The distinction affects supervision intensity and some penalty ceilings, not the obligation set.
NIS2 is a directive, so "in scope" means in scope under the national transposition law of the relevant member state. National laws may extend scope beyond the directive minimum, and several member states have done so.
| Dimension | Essential entities | Important entities |
|---|---|---|
| Source | Annex I sectors AND large (250+ employees or 50M+ turnover or 43M+ balance sheet) | Annex I sectors AND medium (50-249 employees or 10-49M turnover); OR Annex II sectors AND medium+ |
| Size-independent inclusions | Qualified trust service providers, TLD name registries, DNS service providers, providers of public electronic comms networks/services (medium+), public administration | Some entities designated by member state |
| Supervision model | Proactive, ex-ante: audits, on-site inspections, targeted security scans without an incident trigger | Reactive, ex-post: investigation triggered by incident, complaint, or evidence of non-compliance |
| Obligations (Article 21) | All ten security measures | All ten security measures (identical obligation set) |
| Penalty ceiling | At least 10M EUR or 2% of global annual turnover, whichever is higher | At least 7M EUR or 1.4% of global annual turnover, whichever is higher |
| Personal liability | Management body personally liable (Article 20) | Management body personally liable (Article 20) |
| Examples | Large energy operator, large bank, large hospital, large cloud provider, qualified trust service provider | Mid-size manufacturer of medical devices, online marketplace, food producer, mid-size energy company |
NIS2 covers 18 sectors split across two annexes. Annex I sectors are treated as higher criticality: large entities in these sectors are essential entities, medium entities are important entities. Annex II sectors produce important entities regardless of whether the entity is large or medium.
The sector categorization matters for self-assessment, but the definitive test is always the national transposition law. Some member states have added sectors or adjusted definitions.
| Annex | Sector | Examples of covered entities |
|---|---|---|
| I | Energy | Electricity operators, oil transmission and storage, gas supply/distribution/transmission/storage, hydrogen production/storage/transmission, district heating/cooling operators |
| I | Transport | Air carriers, airport management bodies, maritime shipping companies, port management bodies, road authorities, railway infrastructure managers |
| I | Banking | Credit institutions |
| I | Financial market infrastructure | Trading venue operators, central counterparties (CCPs) |
| I | Health | Healthcare providers, EU reference laboratories, R+D entities, pharmaceutical manufacturers of critical medicines, medical device manufacturers for public health emergencies |
| I | Drinking water | Suppliers and distributors of water for human consumption (excluding distributors for whom it is not a principal activity) |
| I | Waste water | Waste-water and urban run-off collection, treatment, and discharge |
| I | Digital infrastructure | Internet exchange points (IXPs), DNS service providers, TLD name registries, cloud computing service providers, data centre service providers, content delivery networks (CDNs), trust service providers, providers of public electronic communications networks/services |
| I | ICT service management (B2B) | Managed service providers (MSPs), managed security service providers (MSSPs) |
| I | Public administration | Central government entities; regional level entities (as determined by each member state) |
| I | Space | Operators of ground-based infrastructure supporting space-based services |
| II | Postal and courier services | Universal service providers and other postal/courier operators |
| II | Waste management | Waste management operators |
| II | Chemicals | Manufacturers, producers, and distributors of chemicals |
| II | Food | Food production, processing, and distribution at scale |
| II | Manufacturing | Medical devices, computers and electronics, machinery, motor vehicles, other transport equipment |
| II | Digital providers | Online marketplaces, online search engines, social networking service platforms |
| II | Research | Research organisations |
The baseline size threshold for NIS2 scope is the EU definition of a medium-sized enterprise: 50 or more employees, or 10 million EUR or more in annual turnover or balance sheet. Entities below this threshold in Annex I or II sectors are generally out of scope, with the exceptions below.
Size-independent inclusions: qualified trust service providers and top-level domain (TLD) name registries are essential entities regardless of size. DNS service providers and providers of public electronic communications networks or services who are at least medium-sized are essential. Public administration entities are essential regardless of size. Member states may designate additional entities.
The supply chain angle: NIS2 Article 21(d) requires covered entities to manage supply chain security, including the security practices of direct suppliers and service providers. This means a Swiss or non-EU entity that supplies software, cloud infrastructure, or managed services to an EU-covered entity will face contractual NIS2 security requirements as part of that customer relationship, even though the supplier is not itself directly subject to the directive. This is the mechanism by which NIS2 reaches beyond EU borders.
For Swiss entities specifically: Switzerland is not an EU member state and NIS2 does not apply directly. Swiss law provides for information security requirements under the ISG (Informationssicherheitsgesetz) and related legislation for federal bodies and critical infrastructure. However, Swiss companies operating EU subsidiaries, providing digital services to EU users, or supplying EU-covered entities will encounter NIS2 obligations through their EU operations or customer contracts.
NIS2 was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law and notify the Commission. Not all member states met that deadline. As of mid-2025, several had transposed late, and some transpositions were still pending.
Because NIS2 is a directive rather than a regulation, the enforceable obligations in any member state come from that state's national law, not from the directive text directly. This has practical consequences: the definitions used, the designated competent authority, the exact penalty ranges (within the directive ceilings), and the registration requirements all vary by member state. Entities operating across multiple EU countries must assess compliance against each relevant national law.
| Date | Event |
|---|---|
| 27 December 2022 | Published in the Official Journal of the EU (OJ L 333/80) |
| 16 January 2023 | Entered into force (20 days after OJ publication) |
| 17 October 2024 | Transposition deadline: member states required to adopt and publish national implementing measures |
| 17 October 2024 | NIS1 (Directive (EU) 2016/1148) repealed |
| 17 April 2025 | Entities required to register with national competent authorities (18 months after transposition deadline) |
| Ongoing | National transpositions: several member states transposed late or with varying implementation; check the ENISA national authorities directory for the latest status |
Article 21 is the core obligations article. It requires essential and important entities to take appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks and prevent or minimise the impact of incidents. The measures must be based on an all-hazards approach and proportionate to the level of risk, the entity's size, and the impact a potential incident would have.
The ten measure categories are specified in Article 21(2). Member states may not impose additional cybersecurity requirements on top of these unless national law specifically authorizes it.
| Article 21(2) | Measure category | What it requires in practice |
|---|---|---|
| (a) | Risk analysis and information system security policies | Documented risk assessment methodology, information security policy, asset inventory, ongoing risk treatment |
| (b) | Incident handling | Incident response plan, classification criteria, internal reporting chain, CSIRT notification workflow |
| (c) | Business continuity, backup, disaster recovery, and crisis management | BIA for critical services, tested backup and recovery procedures, crisis communication plan |
| (d) | Supply chain security | Security assessment of direct suppliers and service providers, contractual security requirements, ongoing monitoring |
| (e) | Security in network and information system acquisition, development, and maintenance | Secure development lifecycle, vulnerability management programme, responsible disclosure policy |
| (f) | Policies and procedures to assess effectiveness of cybersecurity risk management measures | Periodic testing (penetration tests, audits, table-top exercises), KPIs, management reporting |
| (g) | Cyber hygiene practices and cybersecurity training | Baseline hygiene programme (patching, password policy, asset hygiene), security awareness training for all staff |
| (h) | Cryptography and, where appropriate, encryption | Encryption policy, key management, cryptographic standards for data at rest and in transit |
| (i) | Human resources security, access control policies, and asset management | Joiner/mover/leaver process, least-privilege access controls, privileged access management, asset register |
| (j) | Multi-factor authentication or continuous authentication, and secured communications | MFA for all privileged and remote access, secured voice/video/text communications for sensitive discussions |
Article 23 sets the reporting obligations for significant incidents. A significant incident is one that causes or is capable of causing severe operational disruption, financial loss, or damage to other persons. The reporting clock runs from the moment the entity becomes aware of the incident, not from when the incident occurred.
Entities report to their national CSIRT (or competent authority where no CSIRT is designated). Entities that are also subject to DORA's incident reporting use the DORA regime for ICT-related incidents; see the NIS2 and DORA section below.
The practical challenge: the 24-hour clock is very tight. Many organizations find that detecting an incident, classifying it as significant, escalating to the team that can notify, and actually filing the early warning within 24 hours requires pre-built workflows, pre-approved messaging, and a clear decision tree -- all before any incident occurs. Building that workflow after an incident starts is too late.
| Step | Deadline | Content required |
|---|---|---|
| Early warning | Within 24 hours of becoming aware | Whether the incident is suspected to be caused by unlawful or malicious action; whether it may have cross-border impact |
| Incident notification | Within 72 hours of becoming aware | Initial assessment: severity, indicators of compromise (if available), initial root cause hypothesis |
| Intermediate report | On request from CSIRT or authority | Status update: current assessment, mitigation measures in progress |
| Final report | No later than 1 month after incident notification | Complete description, type of incident, root cause, cross-border impact, mitigating measures taken, risk of recurrence |
Article 20 is one of the most operationally significant provisions in NIS2, and the one that most frequently surprises boards encountering it for the first time. It requires management bodies to approve the cybersecurity risk-management measures and to oversee their implementation. Management body members are personally liable for infringements.
The personal liability provision means that the head of the management body or, where national law provides for it, each member of the management body can be held directly responsible for violations of NIS2 obligations. The specific consequences (fines, temporary bans from management roles) depend on national transpositions, but the directive itself explicitly creates this accountability.
Article 20 also requires member states to ensure that management bodies of essential and important entities undergo cybersecurity training, and that they offer similar training to their employees regularly. This is not optional: it is a compliance obligation, not a best practice.
Where entities actually struggle: translating Article 20 into board practice. The required oversight is not a one-time approval of a security policy. It implies regular board-level reporting on the security measures, awareness of material risks, and documented evidence that the board reviewed and approved the measures. In a competent authority inspection, the board cannot simply point to a security team and say "they handle it."
Articles 36 and 37 set the maximum penalty ceilings. The directive specifies minimums for what member states must make available; national transpositions may set specific penalty structures within those ceilings. Some member states have introduced administrative fines; others use criminal liability for management or civil enforcement mechanisms.
The penalty ceilings are expressed as the higher of a fixed maximum or a percentage of global annual turnover, applying to the worldwide revenue of the entity and its group where applicable. This mirrors the GDPR structure and is similarly designed to be proportionate to the size of large, global organizations.
Non-financial remedies are also available: competent authorities can issue binding instructions, require entities to implement specific security measures, publicly disclose non-compliance, and temporarily prohibit management body members from exercising managerial functions.
| Entity type | Maximum fine | Alternative ceiling | Additional measures available |
|---|---|---|---|
| Essential entities | 10,000,000 EUR | 2% of total worldwide annual turnover (whichever is higher) | Binding instructions, mandatory security measures, public disclosure, temporary management prohibition |
| Important entities | 7,000,000 EUR | 1.4% of total worldwide annual turnover (whichever is higher) | Binding instructions, mandatory security measures, public disclosure |
For entities subject to DORA (Regulation (EU) 2022/2554), the relationship between the two frameworks is governed by a lex specialis rule. DORA is the sector-specific EU law for ICT risk in financial services. Under NIS2 Article 4(2), where a sector-specific Union legal act requires essential or important entities to adopt cybersecurity risk-management measures or to notify competent authorities of incidents, and where those requirements are at least equivalent to NIS2, the sector-specific provisions apply.
In practice: financial entities subject to DORA follow DORA for ICT risk management (Chapter II), major ICT incident classification and reporting (Chapter III), digital operational resilience testing (Chapter IV), ICT third-party risk management (Chapter V), and information sharing (Chapter VI). They do not run a separate NIS2 compliance programme for those areas. Where DORA does not provide equivalent coverage (which is limited), NIS2 applies as a baseline.
The supervisory channel also differs. DORA financial entities report major ICT incidents to their national financial supervisor (central bank, financial market authority, insurance supervisor) rather than to the NIS2 national competent authority. For entities in scope for both, this means maintaining clarity on which reporting channel applies for which incident type.
The practical implication: a bank or investment firm that is already compliant with DORA is substantially compliant with the equivalent NIS2 requirements. The risk management frameworks, incident workflows, third-party risk programme, and resilience testing covered by DORA overlap closely with NIS2 Article 21. Running both in Acuna with a shared control library means the overlap is mapped once, not maintained twice.
| Dimension | NIS2 (Directive (EU) 2022/2555) | DORA (Regulation (EU) 2022/2554) |
|---|---|---|
| Legal instrument | Directive -- requires national transposition | Regulation -- directly applicable across the EU |
| Scope | 18 sectors across Annex I (essential and important) and Annex II (important) | Financial entities: credit institutions, payment institutions, investment firms, insurance, crypto-asset service providers, ICT third-party service providers |
| Focus | Network and information security for critical and important sectors | Digital operational resilience specifically for financial sector ICT |
| Security measures | Article 21: 10 measure categories, proportionate to risk | Chapter II: ICT risk management framework with detailed prescriptive requirements |
| Incident reporting | Article 23: 24-hour early warning, 72-hour notification, 1-month final report to national CSIRT | Article 19: 4-hour initial notification after classification, 72-hour intermediate, 1-month final to financial supervisor |
| Resilience testing | Article 21(f): policies to assess effectiveness of measures (including testing) | Chapter IV: digital operational resilience testing, TLPT mandatory for significant entities |
| Third-party risk | Article 21(d): supply chain security obligations | Chapter V: detailed ICT third-party risk management requirements, Register of Information |
| Supervision | National competent authority: essential entities proactive ex-ante; important entities reactive ex-post | Financial supervisory authorities (EBA, EIOPA, ESMA for oversight of critical ICT TPPs) |
| Precedence where both apply | NIS2 applies where DORA does not provide equivalent coverage | DORA is lex specialis: applies in preference to NIS2 for covered financial entities for the covered pillars |
| Applied from | 17 October 2024 (transposition deadline) | 17 January 2025 |
NIS2 and ISO 27001 overlap closely at the control level. An organization running ISO 27001 already has much of the Article 21 foundation in place: risk assessment, access control, incident management, business continuity, supplier security, cryptography, and training all map to ISO 27001 Annex A controls. NIS2 does not require ISO 27001 certification, but organizations with a mature ISMS will find their compliance effort significantly reduced.
The table maps selected NIS2 Article 21 measures to their ISO 27001 counterparts and, where DORA applies, to DORA chapters. Running all three in Acuna means the control library is built once and reused across frameworks, and the cross-framework mapping is maintained automatically.
| NIS2 Article 21 measure | ISO 27001:2022 control area | DORA chapter (where applicable) |
|---|---|---|
| Art. 21(a) -- Risk analysis and security policies | Clause 6.1 (risk assessment and treatment); 5.1 (policies) | Chapter II, Art. 6 (ICT risk management framework) |
| Art. 21(b) -- Incident handling | 5.24 to 5.27 (incident management controls) | Chapter III, Art. 17 to 23 (ICT-related incident management) |
| Art. 21(c) -- Business continuity, backup, DR | 5.29, 5.30, 8.13, 8.14 (BCM and redundancy) | Chapter II, Art. 11 (ICT business continuity) |
| Art. 21(d) -- Supply chain security | 5.19 to 5.22 (supplier security controls) | Chapter V, Art. 28 to 44 (ICT third-party risk) |
| Art. 21(e) -- Secure acquisition, development, maintenance | 8.25 to 8.32 (secure development controls) | Chapter II, Art. 9 (protection) |
| Art. 21(f) -- Effectiveness testing and audit | 9.2, 9.3 (internal audit, management review) | Chapter IV, Art. 24 to 27 (TLPT and testing) |
| Art. 21(g) -- Cyber hygiene and training | 6.3, 6.6 (awareness and training, NDA) | Chapter II, Art. 13 (learning and evolving) |
| Art. 21(h) -- Cryptography and encryption | 8.24 (cryptography) | Chapter II, Art. 9 (protection measures) |
| Art. 21(i) -- HR security, access control, asset management | 5.9 to 5.14 (asset management); 5.15 to 5.18 (access control); 6.1 to 6.5 (HR security) | Chapter II, Art. 9 (protection) |
| Art. 21(j) -- MFA and secured communications | 8.5 (secure authentication); 8.20 (network security) | Chapter II, Art. 9 (protection) |
Acuna is designed for the way NIS2 actually lands on compliance teams: alongside ISO 27001, DORA, and GDPR, sharing controls, evidence, and risk data across frameworks rather than running each as an isolated project.
For NIS2 specifically: the Comply pane walks through essential vs important scoping, maps all ten Article 21 measures to your organizational scope, and documents the cybersecurity risk management framework. Supplier Shield manages the Article 21(d) supply chain obligations: third-party risk assessments, contractual security requirements, and continuous monitoring. The incident workflow enforces the 24-hour and 72-hour notification clocks with pre-built escalation paths and draft notification templates. The Assure pane maintains the evidence trail for competent authority review, including board-level approval and training records as required by Article 20.
For entities subject to both NIS2 and DORA: Acuna's cross-framework mapping engine identifies which controls satisfy both sets of requirements, so a single control implementation produces evidence for both frameworks. Teams already running DORA in Acuna extend into NIS2 without rebuilding the control library.
EXPLORE
Who NIS2 applies to: essential vs important entities, size thresholds, Annex I and II sectors, and the supply chain reach to non-EU entities.
How NIS2 and DORA overlap for financial entities, the lex specialis rule, which reporting channel applies, and how to run both in a shared control library.
Building the workflow behind the 24-hour early warning and 72-hour notification: classification criteria, escalation paths, and notification templates.
A structured 40-point checklist covering scope determination, Article 21 measures, incident reporting readiness, supply chain, and board accountability.
How the transposition has landed across key EU jurisdictions: national competent authorities, registration requirements, and enforcement postures.
Related answers
NIS2 (Directive (EU) 2022/2555) is the EU directive on cybersecurity for essential and important entities. It expands the scope of NIS1, introduces stricter security requirements under Article 21, and mandates incident reporting within 24 hours (early warning), 72 hours (notification), and one month (final report). Essential entities include energy, transport, banking, health, water, and digital infrastructure. Important entities cover postal, waste, chemicals, food, manufacturing, and digital providers with 50+ employees or EUR 10M+ turnover. Acuna maps NIS2 articles to controls, manages supply chain risk, and tracks incident reporting deadlines.
NIS2 (Directive (EU) 2022/2555) applies to public and private organisations that operate in one of the sectors listed in its annexes and meet a size threshold, generally medium-sized and larger organisations. In-scope organisations are classified as either essential entities or important entities, a distinction that determines the intensity of their supervision and the penalties they face, not whether the obligations apply. Because NIS2 is a directive, the precise scope is set by each member state's national transposition, so the exact boundaries can vary by country. NIS2 splits in-scope organisations into two tiers. Essential entities are the larger organisations in the highest-criticality sectors; important entities are the rest of those in scope. Both tiers must meet the same core risk-management and reporting obligations. The difference is supervisory: essential entities face proactive, ex-ante supervision, while important entities are supervised reactively, ex-post, typically after an incident or evidence of non-compliance. Penalty ceilings also differ between the tiers. NIS2 organises covered sectors into two annexes. Annex I lists sectors of high criticality such as energy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, ICT service management, public administration, and space. Annex II lists other critical sectors such as postal and courier services, waste management, chemicals, food, manufacturing of certain products, digital providers, and research. Whether you are essential or important depends on the combination of your sector and your size. As a general rule, NIS2 applies to medium-sized and larger organisations in the covered sectors, using the EU definition of enterprise size. But there are important exceptions where the directive applies regardless of size, for certain types of entity whose disruption would have outsized effect, so the size threshold is a starting point, not a complete test. National transposition can add further specifics. Scope is not a one-time determination. An organisation grows across a threshold, enters a covered sector through an acquisition, or its member state transposes the directive with a wider net than expected. Treating scope as settled is how organisations discover, late, that they were in scope all along.
NIS2 and DORA are two EU frameworks for cybersecurity and operational resilience that came into force around the same time and overlap heavily, but they are not interchangeable. NIS2 (Directive (EU) 2022/2555) is a cross-sector cybersecurity directive covering many industries; DORA (Regulation (EU) 2022/2554) is a finance-specific regulation for digital operational resilience. Where both could apply to the same organisation, DORA generally takes precedence for ICT risk in financial services as the more specific law, the lex specialis principle. A financial entity can therefore be in scope for both, with DORA governing its ICT risk and NIS2 relevant to the extent DORA does not cover. The two differ on instrument, scope, and specificity. NIS2 is a directive, so it is transposed into each member state's national law and its details can vary by country. DORA is a regulation, so it applies directly and uniformly across the EU without transposition. NIS2 spans many sectors; DORA is confined to financial entities and their ICT providers. DORA is also more prescriptive on ICT specifics, such as the register of information and threat-led penetration testing, than NIS2's more general risk-management measures. Where a financial entity would fall under both, DORA is treated as the more specific regime for its ICT risk, and it prevails on the matters it covers. NIS2 recognises this relationship, so the two are designed to fit together rather than duplicate. In practice, a bank manages its ICT risk under DORA and does not also apply NIS2's general measures to the same ground. For a financial entity in scope for both: determine your DORA obligations for ICT risk first, since they are the more specific and prescriptive. Then confirm what, if anything, NIS2 adds beyond DORA's coverage for your organisation, which depends partly on your member state's transposition. The efficient path is to map the shared requirements once, as most of the risk-management and supply-chain substance is common, and only maintain the genuinely distinct pieces separately.
Under Article 23 of NIS2, essential and important entities must report significant incidents to their national CSIRT or competent authority in stages: an early warning shortly after becoming aware of the incident, a fuller incident notification, and a final report once the incident is handled. An incident is significant if it has caused or is capable of causing serious operational disruption or financial loss, or has affected other people through considerable material or non-material damage. Because NIS2 is a directive, the exact deadlines and mechanics are shaped by each member state's transposition, so confirm the specifics against your applicable national law. The staged structure exists so authorities get an early signal quickly, then a complete picture as the situation resolves. The reporting clock only starts once you determine an incident is significant, which is why fast, accurate classification matters as much as the reporting itself. NIS2 sets out when an incident is significant, based on the disruption or loss it causes or could cause, and the harm to others. National transposition and guidance sharpen these thresholds. Classifying correctly is the gate: misjudge it and you either over-report routine events or, worse, miss the clock on a reportable one. Reporting is a sequence, not a single filing: an early warning soon after awareness, a subsequent notification with a fuller assessment, and a final report after the incident is resolved including root cause and mitigation. The precise timeframes are set by Article 23 and national implementation, so verify the current figures for your member state before relying on them.
A NIS2 compliance programme comes down to a handful of things done properly: confirm whether you are in scope and as which tier, put in place the Article 21 risk-management measures, stand up incident detection and staged reporting, address supply chain security, and get the management body to approve and oversee it all. The checklist below covers the core areas any programme must address; it is not a substitute for your member state's transposed requirements, which add the specifics. Determine scope and tier: confirm whether you are in scope, in which Annex I or II sector, and whether you are an essential or an important entity. Register with your authority: meet the registration and information obligations your member state's transposition sets for in-scope entities. Implement the Article 21 measures: put in place the ten categories of risk-management measures, covering risk analysis and security policy, incident handling, business continuity and crisis management, supply chain security, security in acquisition and development, policies to assess effectiveness, basic cyber hygiene and training, cryptography, human resources and access control, and multi-factor authentication and secured communications. Stand up incident reporting: build the detection, classification, and staged reporting process required under Article 23, and know who your CSIRT or competent authority is. Address supply chain security: assess and manage the security of your direct suppliers and service providers, as Article 21 requires. Secure management-body approval and oversight: under Article 20, the management body approves the risk-management measures, oversees them, and can be held liable. Training for management is part of this. Maintain evidence: keep the records that show the measures are real and operating, because supervision, proactive for essential entities, will look for them.
NIS2 is a directive, not a regulation, which means it does not apply directly. Instead, each EU member state must transpose it into national law, and it is that national law you actually comply with. The transposition deadline was 17 October 2024, but member states have transposed at different speeds and with different specifics, so the precise obligations, the designated authority, and some thresholds can vary depending on where you operate. For a multi-country organisation, this is the defining practical feature of NIS2. This is the single biggest difference in character between NIS2 and DORA. DORA, a regulation, is uniform across the EU. NIS2, a directive, is a common baseline that each country implements in its own law, so complying with NIS2 really means complying with the NIS2 transposition in each country where you are in scope. A directive sets the objectives every member state must achieve but leaves the form and method to national governments. That allows NIS2 to fit each country's existing legal and regulatory structures, but it means the operative detail lives in national law. Two organisations in the same sector in different member states can face variations in registration, reporting specifics, and supervisory approach. Member states were required to adopt and publish their transposing measures by 17 October 2024. In practice, transposition has been uneven. Because the position by country changes over time, confirm the current status and the operative national law for each member state where you are in scope rather than relying on a general statement. For a single-country organisation: identify your national transposing law and your competent authority, and comply with that. For a multi-country organisation: map the common NIS2 baseline once, then track the national deltas per member state. The baseline is largely shared; the variation is in the specifics, which is a manageable overlay rather than a separate programme per country.
NIS2 COMPLIANCE
Acuna maps NIS2 Article 21 obligations to your entity type, runs Article 21 risk management alongside ISO 27001 and DORA in one shared control library, and keeps the evidence trail competent authorities actually inspect.