The EU’s new cybersecurity directive is changing the rules for thousands of businesses. Here’s what it means, who it affects, and what you need to do.
What is NIS2?
NIS2 (Network and Information Security Directive 2) is European cybersecurity legislation that came into force in October 2024. It replaces the original NIS Directive from 2016 and is designed to raise the minimum level of cybersecurity across the EU.
The reasoning is straightforward: cyberattacks are increasing in scale and sophistication, and the original directive didn’t go far enough. Too many organisations were left out of scope, requirements varied wildly between member states, and enforcement was inconsistent. NIS2 fixes that by casting a much wider net and setting clearer, stricter rules.
Who does it apply to?
NIS2 divides organisations into two categories: essential entities and important entities. Both must comply with the same cybersecurity requirements, but essential entities face stricter government oversight and higher penalties.
The general rule: if your organisation has 50 or more employees, or an annual turnover of €10 million or more, and you operate in one of the 18 covered sectors, NIS2 applies to you.
Those sectors include energy, transport, healthcare, banking, water supply, digital infrastructure, public administration, postal services, waste management, food production, chemical manufacturing, and more. The full list is significantly broader than the original directive.
Smaller organisations are generally excluded, with a few exceptions. Providers of DNS services, domain name registries, and public electronic communications networks fall under NIS2 regardless of size.
What about small businesses?
If your company has fewer than 50 employees and less than €10 million in turnover, you probably don’t fall under NIS2 directly. But that doesn’t mean it won’t affect you.
Organisations that do fall under NIS2 are required to secure their entire supply chain. That means they will start demanding proof of proper cybersecurity from their suppliers, subcontractors, and service providers. If you deliver services to a larger company in a covered sector, expect to face new security requirements as a condition of doing business.
Beyond the supply chain, cyber insurers and business partners are also raising the bar. The standard for what counts as “reasonable security” is shifting upward across the board, driven in large part by NIS2.
What do you need to comply with?
NIS2 sets requirements in four core areas.
Risk management. You must conduct regular risk assessments and implement appropriate technical and organisational measures. This includes incident detection and response, network security, access control, encryption, and supply chain security. The directive takes an “all hazards” approach, meaning you need to protect against cyberattacks, but also physical events, power outages, and human error.
Corporate accountability. This is one of the biggest shifts. Senior management is directly responsible for cybersecurity. Leadership must approve and oversee cybersecurity strategies, undergo training, and can be held personally liable for failures. In severe cases, executives can face temporary bans from management roles. Cybersecurity is no longer something you can fully delegate to the IT department.
Incident reporting. When a significant incident occurs, you must notify your national authority within 24 hours with an early warning. A full incident report is due within 72 hours, and a final report including root cause analysis and recovery measures within one month.
Business continuity. You need a documented plan for how your organisation continues operating and recovers after a cyber incident. This includes backup management, disaster recovery procedures, and crisis management processes.
What are the penalties?
The penalties are substantial. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities risk fines up to €7 million or 1.4% of turnover.
Beyond financial penalties, national authorities have the power to issue binding instructions, order security audits, and in extreme cases, suspend services. The personal liability for management adds another layer of consequences that didn’t exist under the original directive.
Where does implementation stand?
Member states were required to transpose NIS2 into national law by October 2024. In practice, many countries missed this deadline. As of early 2026, most EU member states have adopted or are finalising their national implementations, but the specifics vary by country. Registration deadlines, enforcement timelines, and some sector definitions differ between member states.
In January 2026, the European Commission proposed targeted amendments to simplify certain compliance requirements, particularly for smaller entities. The core obligations remain unchanged, but some administrative burdens are being reduced.
Regardless of where your member state stands in the process, the direction is clear. Organisations should not wait for final national implementation to start preparing.
What should you do now?
If you think NIS2 might apply to your organisation, or if you supply services to organisations that fall under it, there are a few practical steps to take.
First, determine whether you fall within scope. Check your employee count, turnover, and sector against the directive’s criteria. If you operate across multiple EU member states, you may need to register in each one.
Second, assess your current cybersecurity posture. Do you have documented risk assessments? Incident response plans? A business continuity plan? Multi-factor authentication? If any of these are missing, that’s where to start.
Third, review your supply chain. Understand which of your suppliers and service providers handle critical data or systems, and assess their security practices.
Fourth, involve your leadership team. NIS2 makes cybersecurity a board-level responsibility. Management needs to be informed, trained, and actively involved in oversight.
The organisations that treat NIS2 as an opportunity to strengthen their security posture rather than a regulatory burden will come out ahead. The directive isn’t perfect, but the threats it’s designed to address are very real.
Sources: European Commission, ENISA, NIS Cooperation Group, EU Official Journal Directive 2022/2555
