For the best web experience, please use IE11+, Chrome, Firefox, or Safari

What is the NIS2 Directive?

The Network and Information Systems Directive II (NIS2 Directive or NIS2) is a European Union (EU) regulation that strengthens cybersecurity requirements for organizations across the bloc. Aimed at enhancing collective resilience against cyber threats, it mandates stricter risk management, incident response and reporting, and information security practices.

The NIS2 framework

The NIS2 Directive (Directive (EU) 2022/2555), published in the Official Journal of the EU, is a landmark piece of legislation that establishes the first horizontal instrument for cybersecurity across the EU. A horizontal instrument is one that applies to all sectors and industries, not just a select few.

Cybersecurity legislation in EU

Prior to NIS2, the original NIS directive laid the foundation for cybersecurity cooperation in the EU. However, the rapid pace of digital transformation and the stark realities exposed by the COVID-19 pandemic exposed the predecessor’s limitations, including:

  • Insufficient overall cyber resilience: Many businesses operating within the EU were still vulnerable to cyber threats.
  • Inconsistent resilience across member states and sectors: The level of preparedness varied significantly between member states and sectors.
  • Limited understanding of threats: Member states lacked a shared perspective on the evolving cyber threat landscape, including the latest threats and vulnerabilities.
  • Fragmented crisis response: The absence of a coordinated approach hampered collective response efforts during cyberattacks.

Recognizing these limitations, the European Commission saw the need for a future-proof solution and formulated the NIS2 Directive to enhance the overall security posture of the EU.

The NIS2 requirements

Here’s a breakdown of the key requirements of NIS2:

  • Risk management: Organizations must implement a comprehensive risk management program to identify, analyze and prioritize potential threats to their critical infrastructure. This can involve threat modeling, vulnerability assessments and penetration testing. For example, an energy provider would need to assess the risks associated with a cyberattack disrupting their electricity grid.
  • Security measures: Organizations must establish and maintain a baseline of technical and essential security measures that address areas like access control, incident response, business continuity and supply chain security.
  • Management oversight: An organization's management body (e.g., Board of Directors, CEO) is responsible for overseeing and approving the cybersecurity risk management program, security measures and incident response plans. Management personnel can be held liable for significant breaches of these requirements.
  • Incident reporting: Organizations must promptly notify relevant authorities of any significant security incidents that impact their operations or services. Within 24 hours, an "early warning" report is required, indicating if the incident appears malicious. This is followed by a more detailed "incident notification" report within 72 hours, outlining the severity, impact and any indicators of compromise. Finally, within one month, a comprehensive "final report" must be submitted, detailing the entire incident, its root cause and the remediation steps taken.
  • Information sharing: NIS2 mandates better information sharing among member states to facilitate coordinated responses to large-scale cyberattacks. This includes sharing information about cyber threats, vulnerabilities and best practices.

Guidance provided by national regulators outlines the top 10 measures:

  1. Risk analysis and information system security
  2. Incident handling
  3. Business continuity measures (back-up, disaster recovery, crisis management)
  4. Supply Chain Security
  5. Security in system acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  7. Basic computer hygiene and trainings
  8. Policies on appropriate use of cryptography and encryption
  9. Human resources security, access control policies and asset management
  10. Use of multi-factor, secured voice/video/text communication and secured emergency communications

According to guidance, all measures must be proportionate to risk, size, cost and impact&severity of incidents, and must take into account the state-of-the-art, and where applicable relevant European and international standards.


Here’s a table that compares the key features of NIS and NIS2:


NIS Directive

NIS2 Directive


Focused on Operators of Essential Services (OES) in specific sectors like energy, transport and healthcare.

Expands to include not only Essential Entities, but also Important Entities (IEs).

Security requirements

Established a baseline for risk management and incident reporting.

Mandates stricter and more specific security measures across technical, operational and organizational aspects.

Incident reporting

Required reporting of significant incidents, but timeframes and details were unclear.

Imposes stricter timeframes for reporting significant incidents and requires more detailed information to be reported.


Member states have flexibility in implementation.

Harmonized approach across the EU with stricter enforcement mechanisms and potential for significant fines for non-compliance.

Supply chain security

No specific requirements.

Requires organizations to assess the cybersecurity posture of their suppliers.

Information sharing

Limited cooperation among member states.

Encourages stronger information sharing and cooperation between member states and authorities.

The NIS2 requirements

NIS2 violations, investigations and penalties

To ensure ongoing compliance with NIS2, national regulatory authorities have the power to investigate potential violations. During such investigations, they may use any of the following measures:

  • On-site inspections: Regulators can visit an entity's physical location to assess its cybersecurity posture firsthand.
  • Security audits: They can perform security audits to evaluate an entity's security infrastructure and identify potential vulnerabilities.
  • Requests for information: They can request detailed information from an entity, such as its cybersecurity risk management plans, incident response protocol and evidence of implemented security measures.
  • Security scans: They can conduct network or system scans to identify any exploitable security weaknesses or misconfigurations.
  • Access to information: Regulators can request information about a company's cybersecurity measures, including how they're implemented and related documents.

It's important to note that for important entities, these investigative measures can only be taken after an incident has occurred. However, for essential entities, considered more critical infrastructure, regulators may use these measures, as and when needed to ensure ongoing adherence to NIS2 requirements – even before any breach happens.

The penalties for non-compliance are as follows:

  • Essential entities will be required to pay at least €10 million or 2% of global annual turnover, whichever is higher.
  • Important entities will be required to pay at least €7 million or 1.4% of global annual turnover, whichever is higher.

Who does NIS2 apply to?

NIS2 imposes security measures on all organizations designated as “essential” or “important” under the directive. In simpler terms, if the public is dependent on an organization’s products or services on a day-to-day basis, then the organization must adhere to the NIS2 rules.

Examples of essential entities are: energy, transport, banking, financial market infrastructure, health, drinking water, waste, water and digital infrastructure.

Examples of important entities are: postal and courier services, chemicals, food, manufacturing, waste management and research.

In addition to essential and important organizations in the EU, NIS2 also applies to certain non-EU entities that offer services in the bloc. These include: DNS service providers, cloud computing and data center service providers, Top-level domain (TLD) name registries, Managed service providers (MSPs), Content delivery network (CDN) providers and providers of online marketplaces.


NIS2 is a comprehensive cybersecurity directive that aims to improve the overall security outlook of the EU. If yours is an organization that qualifies as an important or essential entity under NIS2, consider implementing stricter cybersecurity measures to protect your critical systems and services. This will not only make you more resilient to cyberattacks, but also contribute to a more secure digital landscape across the European Union.

EU member states are now in the process of transposing (adopting) the NIS2 directive to their own regulations with the deadline of October 17, 2024, with the rules coming into effect from the next day, October 18, 2024. These national regulations are expected to contain greater details on the technical aspects of the directive, and provide further guidance on compliance.

Start your Virtual Trial with One Identity Safeguard

One Identity Safeguard provides frictionless security for privileged access that scales and transforms with your business.