NIS 2 Directive: The Complete Compliance Guide for European and UK-Connected Businesses (2026)

The NIS 2 directive (Directive (EU) 2022/2555) is the EU's flagship cybersecurity framework, applying to around 110,000-160,000 entities across 18 sectors.

Alexis HIRSCHHORN

The NIS 2 directive is the most ambitious reform of the European regulatory framework on cybersecurity since 2016. Adopted on 14 December 2022 and published in the Official Journal of the European Union (Directive (EU) 2022/2555), it expands in an unprecedented way the perimeter of entities subject to security requirements, strengthens the obligations, doubles the sanctions and introduces, for the first time, personal liability for management.

Member states had until 17 October 2024 to complete transposition into national law. By mid-2026, the picture is uneven: some states have completed transposition (Belgium, Croatia, Italy, Latvia), several large economies including France and Germany are still finalising their texts, and the European Commission has opened infringement proceedings against the laggards. This guide explains who is concerned, what the 10 measures of Article 21 require, where transposition stands, and how to build your compliance roadmap, wherever in the EU your organisation operates (or from the UK, if you supply the EU).

What is the NIS 2 directive?

NIS 2 directive in brief

Directive (EU) 2022/2555 of 14 December 2022, on measures for a high common level of cybersecurity across the Union. It replaces and substantially expands the framework set by the first NIS directive adopted in 2016.

NIS 2 succeeds the original NIS directive of 2016, whose scope was limited to a few hundred Operators of Essential Services and Digital Service Providers. NIS 2 transforms this restricted perimeter into a framework potentially covering tens of thousands of entities across the EU: estimates suggest around 10,000 entities in France alone, and similar orders of magnitude in Germany, Italy and Spain.

NIS 2 vs NIS 1: three structural changes

  • Unprecedented scope: 18 sectors covered (compared to 7 under NIS 1), with two categories of entities, essential and important, subject to the same security requirements.
  • Harmonised obligations: 10 minimum mandatory measures defined in Article 21, applicable to all concerned entities without exception.
  • Personal liability: for the first time, members of management bodies are personally accountable for compliance and can be sanctioned individually.

Does NIS 2 apply to UK companies?

Post-Brexit, the UK is no longer subject to EU directives. NIS 2 therefore does not apply directly to UK-headquartered companies operating only in the UK. The UK continues to operate under the Network and Information Systems Regulations 2018 (the UK's transposition of the original NIS directive). The UK government has indicated its intention to update this framework, through the Cyber Security and Resilience Bill announced in the 2024 King's Speech, but no replacement aligned with NIS 2 has been formally adopted as of 2026.

UK exposure to NIS 2 remains significant, in three scenarios:

  • UK groups with EU subsidiaries: a UK-headquartered group operating subsidiaries in EU member states must apply NIS 2 to those subsidiaries. If security functions are mutualised from the UK head office, NIS 2 requirements flow back to the parent.
  • UK suppliers to EU essential or important entities: under Article 21(2)(d), EU regulated entities must manage the security of their supply chain. They pass these requirements down contractually to all suppliers, including UK ones. Audit clauses, evidence of security controls, incident notification obligations: UK ICT providers serving EU clients either renegotiate or lose contracts.
  • UK groups exposed to EU customers: data centres, cloud platforms, managed service providers and SaaS vendors with EU customer bases face the same downstream obligations, even without an EU legal entity. The Article 21(2)(d) supply-chain reach is the practical mechanism through which NIS 2 extends into the UK economy.

Anticipating UK alignment: the Cyber Security and Resilience Bill

The Cyber Security and Resilience Bill, expected to be introduced before the UK Parliament, is anticipated to broadly align the UK's NIS framework with the principles of NIS 2 (expanded scope, stronger incident reporting, management accountability), though without legally adopting the EU directive itself. UK firms preparing for NIS 2 obligations through their EU operations therefore lay groundwork that is likely to apply domestically within 12–24 months.

Who is concerned by the NIS 2 directive?

Essential entities (11 sectors)

Essential entities operate in sectors deemed critical to the functioning of society. They face proactive supervision by national competent authorities: checks can be carried out without a prior incident. Maximum sanctions reach 10 million euros or 2% of worldwide turnover.

  • Energy (electricity, natural gas, oil, hydrogen)
  • Transport (air, rail, maritime, inland waterway, road, urban transport)
  • Banking sector (credit institutions)
  • Financial market infrastructures (trading venues, central counterparties)
  • Health (healthcare providers, reference laboratories, manufacturers of critical pharmaceutical and medical devices, R&D)
  • Drinking water (suppliers and distributors)
  • Wastewater (collection, treatment and discharge)
  • Digital infrastructure (internet exchange points, DNS, TLDs, cloud services, data centres, CDNs, qualified trust services)
  • ICT service management (managed service providers and managed security service providers)
  • Public administration (central, regional and local administrations according to national thresholds)
  • Space (operators of ground-based infrastructure supporting space services)

Important entities (7 sectors)

Important entities are subject to the same 10 security measures as essential entities, but face reactive supervision: competent authorities intervene primarily after notification or incident. Maximum sanctions reach 7 million euros or 1.4% of worldwide turnover.

  • Postal and courier services
  • Waste management
  • Manufacture, production and distribution of chemicals
  • Production, processing and distribution of food
  • Manufacturing (medical devices, computer products, electronics, electrical equipment, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

The size criterion: who is actually targeted?

Operating in a covered sector is not enough; you must also exceed the size threshold. The general rule distinguishes three cases:

  • Large enterprise: 250 employees or more, OR turnover above EUR 50 million and balance sheet above EUR 43 million.
  • Medium enterprise: 50 employees or more, OR turnover above EUR 10 million. Medium enterprises in a covered sector are subject to NIS 2.
  • Small enterprise (under 50 employees, under EUR 10 million turnover): in principle outside the NIS 2 perimeter, with exceptions for certain specifically identified critical infrastructure.

Are you concerned by NIS 2?

You are concerned if your organisation exceeds at least two of these three thresholds (50 employees, EUR 10 million annual turnover, EUR 10 million balance sheet total) and you operate in one of the 18 covered sectors.

Essential entities vs important entities under NIS 2

Criterion: Sectors
  • Essential entities: Energy, transport, banking, financial markets, health, water, digital infrastructure, ICT, public administration, space
  • Important entities: Postal services, waste, chemicals, food, industrial manufacturing, digital providers, research

Criterion: Supervision
  • Essential entities: Proactive (ex ante), checks without prior incident
  • Important entities: Reactive (ex post), checks after notification or incident

Criterion: Maximum sanction
  • Essential entities: 10 million euros or 2% of worldwide turnover
  • Important entities: 7 million euros or 1.4% of worldwide turnover

Criterion: Management liability
  • Essential entities: Yes, mandatory approval and training
  • Important entities: Yes, mandatory approval and training

Criterion: Article 21 measures
  • Essential entities: 10 identical mandatory measures
  • Important entities: 10 identical mandatory measures

NIS 2 and suppliers: the invisible impact of Article 21(d)

One of the most frequent questions is: "We are below the size thresholds; are we really out of scope?" The answer is nuanced. Article 21(2)(d) of the directive requires all essential and important entities to manage the security of their supply chain, including their direct suppliers and service providers. Concretely, this means that the regulated entity will pass these requirements contractually to its suppliers, regardless of their size. Being below the thresholds protects you from the direct obligation, but not from the contractual obligation imposed by your customers.

Particularly concerned are managed service providers (MSPs), system integrators, business software publishers, hosting providers, cloud providers, and any supplier with access to the information systems of an essential or important entity. These organisations are not formally subject to NIS 2, but they will be evaluated and contractually audited by their customers. The security level imposed (risk management policy, documented incident procedure, access control) becomes a commercial prerequisite, not merely a regulatory one.

Are you a supplier to a NIS 2 entity?

Even if your organisation is below the size thresholds, your essential and important entity customers must evaluate your security level. Anticipating by structuring your documentation (risk policy, incident procedure, access control) gives you a decisive commercial advantage during tenders and contract renewals.

Professionals tasked with leading NIS 2 compliance on the supplier side (CISOs, procurement leads, compliance officers) find in the NIS 2 Lead Implementer certification the reference that structures their competence in third-party risk management and supply chain security, two areas at the core of Article 21(d). For organisations managing many suppliers, TPRM platforms such as Supplier Shield allow these assessments to be structured and automated at scale.

NIS 2 transposition across the EU: state of play 2026

The NIS 2 directive set 17 October 2024 as the deadline for transposition into national law across all member states. By mid-2026, the picture is uneven. Several member states completed their transposition on time or shortly after: Belgium, Croatia, Italy and Latvia were among the first. Several large economies, including France (Loi Résilience), Germany (NIS 2 Umsetzungsgesetz) and Spain, were still finalising their texts well into 2026. The European Commission opened infringement proceedings against the laggards in 2025.

This uneven landscape means national details (exact sector thresholds, sanction ceilings in national law, the inclusion or exclusion of public bodies and local authorities) vary by jurisdiction. The directive itself sets the minimum baseline that applies across the EU regardless of transposition status. Multinational groups operating in several member states must therefore build a compliance framework that satisfies the directive's baseline, then layer national specifics on top.

Around 110,000–160,000 entities concerned across the EU

Estimates suggest NIS 2 covers approximately 110,000 to 160,000 entities across the EU, compared to a few thousand under NIS 1. France alone estimates around 10,000 entities; Germany expects a similar order of magnitude. The figure includes private companies, public administrations and, in several member states, local authorities and research organisations.

The 10 mandatory measures of Article 21

Article 21 of the NIS 2 directive defines the minimum measures that all essential and important entities must implement. The directive sets out 10 categories of measures (a to j), each comprising in practice several sub-requirements to be applied proportionally to the risk profile, size and sector of the organisation. These requirements are not recommendations: they are verified during competent authority checks and their absence constitutes a breach liable to trigger sanctions.

The 10 measures of Article 21, NIS 2 directive
Pursuant to Article 21, paragraph 2 of Directive (EU) 2022/2555, all essential and important entities must implement at a minimum:
  • a) Policies on risk analysis and information system security
  • b) Incident handling (detection, reporting, response and lessons learned)
  • c) Business continuity, backup management, disaster recovery and crisis management
  • d) Supply chain security, including relationships with direct suppliers and service providers
  • e) Security in network and information systems acquisition, development and maintenance, including vulnerability handling
  • f) Policies and procedures to assess the effectiveness of cybersecurity risk management measures
  • g) Basic cyber hygiene practices and cybersecurity training for all staff
  • h) Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  • i) Human resources security, access control policies and asset management
  • j) Use of multi-factor authentication (MFA) or continuous authentication solutions, secured communications and secured emergency communication systems

These measures are mandatory minimums

Article 21 defines the floor, not the ceiling. Entities with a high risk profile must generally go beyond. The proportionality principle applies: measures must be adapted to the size, risk exposure and potential impact of an incident.

Incident notification deadlines: 24h, 72h, 1 month

NIS 2 introduces binding notification deadlines which constitute one of the most important operational changes for security teams. As soon as a significant incident is identified, the following timeline applies vis-à-vis the competent national authority (ANSSI in France, BSI in Germany, NCSC-IE in Ireland, CSIRT.IT in Italy, etc.):

Diagram: the three notification stages imposed by NIS 2 (early warning at 24 hours, full notification at 72 hours, final report at 1 month).

  • Early warning, 24 hours: initial notification to the competent authority indicating the type of incident and whether malicious activity is suspected.
  • Full notification, 72 hours: initial assessment of severity, impact and indicators of compromise (IoC).
  • Final report, 1 month: root cause, corrective measures implemented, potential cross-border impact.

What is a significant incident?

A significant incident is one that has caused or is likely to cause serious operational disruption, substantial financial losses, or damage to other natural or legal persons. These deadlines require having tested incident response procedures and an established contact with the national authority before an incident occurs.

Personal liability of management: the key change

NIS 2 imposes direct involvement of management bodies in cybersecurity governance, without precedent in earlier European regulation. The directive requires that management approve the security measures and oversee their implementation, with a framework of accountability whose concrete arrangements depend on national transposition provisions. At a minimum, members of management bodies must:

  • Approve the cybersecurity risk management measures implemented by the entity
  • Oversee the implementation of these measures and be accountable for any breach
  • Undertake cybersecurity training adapted to their role, and encourage their staff to do the same (this training obligation is explicitly written into the directive)

In case of a significant incident resulting from non-compliance, competent authorities can call into question the personal liability of members of management. In serious or repeated cases, temporary prohibitions from holding management positions can be imposed. This provision transforms NIS 2 into a governance matter at board level. As the directive explicitly imposes management training, the NIS 2 Foundation training is the appropriate path for decision-makers who must master the regulatory stakes and the obligations that fall personally upon them.

NIS 2 and ISO 27001: alignment and gaps

Organisations already certified ISO 27001:2022 have a significant head start on their NIS 2 compliance journey. Most of the 10 measures in Article 21 map directly to clauses in the body of the standard or to controls in Annex A.

Mapping between NIS 2 measures (Article 21) and ISO 27001:2022

NIS 2 measure (Article 21) and its ISO 27001:2022 correspondence:
  • a) Risk analysis: Clause 6.1, Risk planning / Annex A.5.23
  • b) Incident handling: Annex A.5.24 to A.5.28 (ISO 27035)
  • c) Continuity and recovery: Annex A.5.29-A.5.30 (ISO 22301)
  • d) Supply chain security: Annex A.5.19 to A.5.23, Supplier relationships
  • g) Training and hygiene: Clause 7.2-7.3 + Annex A.6.3, Awareness
  • h) Cryptography: Annex A.8.24, Use of cryptography
  • i) Access and assets: Annex A.5.9, A.5.15 to A.5.18, Access control
  • j) MFA and authentication: Annex A.8.5, Secure authentication

Where NIS 2 goes beyond ISO 27001

  • Legal notification deadlines: ISO 27001 does not impose 24h / 72h / 1 month deadlines. These obligations exist only under NIS 2 (and GDPR for personal data).
  • Personal liability of management: ISO 27001 binds the organisation, not individuals. NIS 2 creates personal liability that goes beyond certification.
  • Regulatory reporting to national authorities: ISO 27001 does not require notifications to a national competent authority. NIS 2 introduces this direct link with regulators.

NIS 2 and GDPR: two distinct regimes, one shared risk

NIS 2 and GDPR pursue different objectives: NIS 2 aims at the operational resilience of information systems, GDPR protects the personal data of individuals. But for organisations processing personal data (which is almost all NIS 2 entities), a single cyber incident can simultaneously trigger obligations under both regimes, with different deadlines and authorities.

Two distinct notification obligations after an incident

NIS 2 (Article 23): early warning to the national competent authority within 24 hours, for any significant incident on information systems. GDPR (Article 33): notification to the relevant data protection authority within 72 hours, only if the incident involves a personal data breach. A ransomware attack on patient data triggers both obligations in parallel, with different notification contents for each authority.

Sectors most exposed to this dual regime are healthcare (medical data), banking and insurance (personal financial data), and public administrations (citizen data). For these organisations, incident response procedures must distinguish the two streams from the moment of detection: who notifies what, to which authority, within what deadline.

NIS 2 and DORA: complementary regimes for the financial sector

DORA, Digital Operational Resilience Act

Regulation (EU) 2022/2554, directly applicable since 17 January 2025. DORA specifically targets financial sector entities (banks, insurers, payment service providers, crypto-asset platforms, etc.) and imposes reinforced requirements on digital operational resilience, TIBER-EU penetration testing, and management of third-party ICT risks. Distinct from NIS 2, it does not exempt financial entities from NIS 2 obligations on aspects DORA does not cover.

NIS 2 and DORA are two distinct but complementary regimes. NIS 2 sets the general cybersecurity framework applicable to 18 sectors; DORA is a directly applicable regulation targeting financial entities. For banks, insurers and payment institutions across the EU, both apply simultaneously, with DORA prevailing as lex specialis on ICT risk, incident reporting, resilience testing and third-party ICT management. For a full read of DORA, including the five pillars, sanctions, and FINMA / UK operational resilience cross-references, see our complete DORA compliance guide.

How much does NIS 2 compliance cost?

ENISA data, NIS Investments Report 2023

+22%: this is the average increase in cybersecurity budgets observed in organisations entering the NIS 2 perimeter to reach initial compliance. Source: ENISA NIS Investments Report 2023 (enisa.europa.eu).

Field feedback from specialised consultancies converges around ranges based on size and starting maturity. For a medium-sized organisation (50-250 employees) in an important sector, starting without a formal security policy, initial compliance costs typically range between EUR 50,000 and EUR 200,000 over 18 months. For a large essential entity with complex information systems, the budget can reach several hundred thousand euros to several million depending on the breadth of measures to be implemented. These ranges cover gap analysis, technical upgrades, documentation, and mandatory training for teams and management.

Organisations already certified ISO 27001 reduce these costs by 30 to 50% thanks to their existing documentary base; most of the 10 measures of Article 21 map directly to ISO 27001 controls. A NIS 2 gap analysis led by a specialised consulting firm allows the remaining effort to be precisely qualified before committing to any implementation budget. For in-house teams driving compliance, the NIS 2 Lead Implementer certification is the most cost-effective investment: it structures the approach, reduces reliance on external consultants and demonstrates competence to customers and regulators.

Achieving NIS 2 compliance: the 4 phases

Diagram: the four phases of NIS 2 compliance (Phase 1 evaluation 1-3 months, Phase 2 planning 1-2 months, Phase 3 implementation 6-12 months, Phase 4 continuous control).

Phase 1, Evaluation (1 to 3 months)

Determine whether your organisation falls within the NIS 2 perimeter, inventory the information systems concerned, and perform a gap analysis between your current security level and the 10 measures of Article 21. This phase identifies priorities and calibrates the overall effort.

Phase 2, Planning (1 to 2 months)

Define a risk treatment plan, a prioritised roadmap, internal responsibilities and the budget. Pay particular attention to supply chain security: Article 21(d) requires you to assess and control the risks associated with your direct suppliers and service providers. Third-party risk management platforms such as Supplier Shield allow this dimension of your NIS 2 programme to be structured and automated.

Phase 3, Implementation (6 to 12 months)

Implement the 10 measures of Article 21, set up incident notification procedures with established contact with the competent authority, secure the supply chain, and document everything for regulatory checks. Training of staff, including management, is explicitly required by the directive.

Phase 4, Continuous control

Regularly test procedures (incident exercises, internal audits), maintain authority reporting and drive continuous improvement of the programme. Organisations seeking compliance support can rely on specialised consultancies such as Abilene Advisors, expert in Swiss and European regulatory compliance (NIS 2, DORA, ISO 27001).

In practice, an organisation starting from zero should plan 12 to 18 months from evaluation to a state of readiness for regulatory checks. Organisations already certified ISO 27001 significantly reduce this timeline thanks to their existing documentary base.

NIS 2 training and certification at Abilene Academy

Abilene Academy, a PECB Titanium Partner based in Morges, Switzerland, has supported security and compliance teams at organisations including The Global Fund (Geneva), UNICC (United Nations), and Deloitte Denmark. Both NIS 2 certifying trainings are designed and delivered by practitioners who work on real compliance programmes:

NIS 2 Directive Foundation (2 days)

The NIS 2 Directive Foundation training covers the structure of the directive, the perimeter criteria (companies, public sector, suppliers), the 10 measures of Article 21, the notification obligations and the supervision mechanisms of national competent authorities. It is intended for security managers, IT managers, legal counsel and members of management who need to understand NIS 2 requirements before committing to the compliance programme.

NIS 2 Directive Lead Implementer (5 days)

The NIS 2 Directive Lead Implementer training covers the full compliance cycle: gap analysis, risk treatment, control implementation, supplier security management, incident management procedures and preparation for regulatory checks. The PECB NIS 2 Lead Implementer certification demonstrates independent, recognised competence to customers, contracting parties and supervisory authorities. What we systematically observe in session: experienced professionals master the technical measures of Article 21 but have never simulated a 24-hour notification to the competent authority. That is precisely the gap (procedural, not technical) that the training drills under realistic conditions.

Both trainings are available in Geneva, Lausanne and Paris in classroom and virtual-live format, in English and French. They are delivered by practitioners with direct experience of NIS 2, ISO 27001 and DORA implementations in international environments.

The field perspective from Alexis Hirschhorn, Senior Trainer, Abilene Academy

"The paradox we encounter at our clients is simple: CIOs and CISOs understand the technical requirements of NIS 2, but boards of directors have not yet absorbed that national transposition now engages their personal liability. As long as resilience stays delegated to IT, compliance is cosmetic and the risk is very real."

Frequently Asked Questions

Does NIS 2 apply to UK companies?

NIS 2 does not apply directly to UK-headquartered companies operating only in the UK; the UK has its own framework, the Network and Information Systems Regulations 2018 (NIS 1 UK), still in force post-Brexit. However, UK firms with EU subsidiaries, UK ICT providers serving EU essential or important entities, and UK groups with EU customers are exposed indirectly. The UK government has indicated it intends to update its NIS framework, but no replacement aligned with NIS 2 has been formally adopted as of 2026.

What is the difference between essential and important entities?

Essential entities (energy, transport, banking, health, water, digital infrastructure, etc.) face proactive supervision and sanctions up to 10 million euros or 2% of worldwide turnover. Important entities (postal, waste, chemicals, food, manufacturing, digital providers, etc.) face reactive supervision and sanctions up to 7 million euros or 1.4% of worldwide turnover. Both categories apply the same 10 security measures from Article 21.

Has NIS 2 been transposed in all EU member states?

Yes, in principle: every EU member state had until 17 October 2024 to transpose NIS 2 into national law. By mid-2026, the picture remains uneven: some states have completed transposition (Belgium, Croatia, Italy, Latvia), several large economies including France and Germany are still finalising their texts, and the European Commission has opened infringement proceedings against the laggards. The directive itself sets the minimum requirements that apply across the EU regardless of transposition status.

Is ISO 27001 certification enough for NIS 2 compliance?

ISO 27001:2022 provides a strong foundation; most of the 10 measures in Article 21 of NIS 2 map directly to ISO 27001 clauses or Annex A controls. But ISO 27001 alone is not enough: NIS 2 imposes legal notification deadlines (24h / 72h / 1 month) absent from ISO 27001, personal liability for management, and direct reporting obligations to national competent authorities (ANSSI in France, BSI in Germany, NCSC-IE in Ireland). An organisation certified ISO 27001 still needs an explicit NIS 2 gap assessment.

What is the difference between NIS 2 and DORA?

They are two distinct but complementary regimes. NIS 2 is a directive (member states transpose nationally) covering 18 sectors across the EU. DORA is a regulation (directly applicable, no transposition) targeting only financial entities since 17 January 2025. For banks, insurers and payment service providers in the EU, both apply simultaneously; DORA prevails as lex specialis on ICT risk, incident reporting, resilience testing and third-party ICT management, while NIS 2 remains relevant for aspects DORA does not cover.

Does NIS 2 apply to suppliers below the size thresholds?

Yes, indirectly. Article 21(2)(d) requires essential and important entities to manage the security of their supply chain, including direct suppliers and service providers. In practice, NIS 2-regulated entities pass these requirements down contractually to their suppliers, regardless of supplier size. Being below the size thresholds protects you from direct regulatory obligations, but not from the contractual obligations imposed by your customers.
