Directive (EU) 2022/2555

What is NIS2?

The NIS2 Directive is the European legislative framework for cybersecurity of network and information systems, establishing harmonized requirements across all EU member states.

About the NIS2 Directive

NIS2 (Network and Information Security Directive 2) is a European directive establishing cybersecurity requirements for organizations in critical sectors. It replaces the original NIS1 directive from 2016, bringing stricter requirements and an expanded scope.

Each EU member state transposes NIS2 into its own national law and designates a competent authority. Deadlines and specific requirements may vary by country, but all follow the core directive principles.

Main objectives
  • Increase EU cyber resilience
  • Harmonize security requirements
  • Improve cooperation between member states
  • Hold management accountable

Changes from NIS1
  • Expanded covered sectors
  • Stricter sanctions (up to €10M)
  • Personal liability for management
  • Incident reporting in 24-72 hours

Who is affected by NIS2?

Essential entities

Organizations in highly critical sectors (Annex I):

  • Energy (electricity, oil, gas)
  • Transport (air, rail, water, road)
  • Banking sector
  • Financial market infrastructure
  • Healthcare
  • Drinking water and wastewater
  • Digital infrastructure
  • Public administration
  • Space

Criteria: >250 employees or turnover >€50M

Important entities

Organizations in other critical sectors (Annex II):

  • Postal and courier services
  • Waste management
  • Manufacture and distribution of chemicals
  • Food production and distribution
  • Manufacturing (medical devices, electronics, etc.)
  • Digital service providers
  • Research organizations

Criteria: >50 employees or turnover >€10M

Main NIS2 requirements

Risk management measures

Implementing appropriate technical and organizational measures for security risk management, including security policies, incident management, business continuity, and supply chain security.

Incident reporting

Notifying significant incidents to the competent authority within 24 hours (early warning) and 72 hours (full notification). Final report due within 1 month.

Authority registration

All entities in scope must register with their national competent authority, providing information about services, NIS contact person, and implemented measures. Deadlines vary by member state.

Management responsibility

Organization management is responsible for ensuring compliance, approving security measures, and overseeing implementation. They can be personally sanctioned for failure to meet requirements.

Sanctions for non-compliance

Essential entities: €10M or 2% of global annual turnover (whichever is higher applies)

Important entities: €7M or 1.4% of global annual turnover (whichever is higher applies)

Warning: Personal liability

Organization management can be personally sanctioned, including temporary bans from holding management positions, in case of serious non-compliance with NIS2 requirements.

Implementation timeline

January 2023

NIS2 Directive enters into force

EU Directive 2022/2555 officially enters into force

October 2024

Transposition deadline

Member states must transpose NIS2 into national law

2025-2026

Entity registration

Deadlines vary by member state. Check your national authority.

Ongoing

Incident reporting

24-72 hour incident reporting obligation now in effect

Annual

Compliance reporting

Annual compliance reports to national authorities

National competent authorities

Each EU member state has designated a national authority responsible for NIS2 implementation. Contact your national authority for country-specific requirements.

🇩🇪

Germany

Transposed

BSI

Bundesamt für Sicherheit in der Informationstechnik

🇫🇷

France

Transposed

ANSSI

Agence Nationale de la Sécurité des Systèmes d'Information

🇮🇹

Italy

Transposed

ACN

Agenzia per la Cybersicurezza Nazionale

🇳🇱

Netherlands

Transposed

NCSC-NL

Nationaal Cyber Security Centrum

🇧🇪

Belgium

Transposed

CCB

Centre for Cybersecurity Belgium

🇷🇴

Romania

Transposed

DNSC

Directoratul Național de Securitate Cibernetică

🇵🇱

Poland

Pending

MC

Ministerstwo Cyfryzacji

🇪🇸

Spain

Pending

CCN

Centro Criptológico Nacional

🇦🇹

Austria

Transposed

CERT.at

Nationales Computer Emergency Response Team

🇨🇿

Czech Republic

Transposed

NUKIB

Národní úřad pro kybernetickou a informační bezpečnost

🇸🇪

Sweden

Transposed

MSB

Myndigheten för samhällsskydd och beredskap

🇮🇪

Ireland

Transposed

NCSC-IE

National Cyber Security Centre

Last updated: March 2026

Sources: Directive (EU) 2022/2555 (NIS2), ENISA NIS2 Implementation Guidance 2024, national transposition laws per member state.

Built by

BetterQA

Romanian software testing company with over 10 years of cybersecurity experience. Certified ISO 27001:2022, ISO 9001:2015, and ISO 13485.
