Regulation Guide

NIS2 - Network and Information Security Directive 2

Comprehensive guide to NIS2 (Directive EU 2022/2555). Understand cybersecurity obligations, incident reporting, supply chain security, and management accountability for essential and important entities. Reversa helps you achieve NIS2 compliance.

Key Figures

18 sectors covered by NIS2
€10M maximum fine for essential entities
160,000+ estimated entities in scope across the EU
24h early warning deadline for incidents

Overview

What is this regulation?

The NIS2 Directive (Directive EU 2022/2555) is the cornerstone of EU cybersecurity legislation, significantly expanding the scope and stringency of cybersecurity requirements across the European Union. Replacing the original NIS Directive from 2016, NIS2 addresses the dramatically increased cyber threat landscape and the growing dependence of European society and economy on network and information systems.

The directive covers 18 sectors and introduces a two-tier classification of entities: essential entities (including energy, transport, banking, health, water, digital infrastructure, ICT service management, and public administration) and important entities (including postal services, waste management, chemicals, food, manufacturing, digital providers, and research). NIS2 requires all in-scope entities to implement comprehensive cybersecurity risk management measures covering at least 10 specific areas, from incident handling and business continuity to supply chain security and encryption.

One of NIS2's most significant innovations is the introduction of personal accountability for management bodies - board members and senior management can be held personally liable for cybersecurity compliance failures. The directive also establishes strict incident reporting obligations: a 24-hour early warning, a 72-hour notification, and a one-month final report to the relevant CSIRT or competent authority. NIS2 harmonizes enforcement across the EU with significant penalties and strengthens cooperation mechanisms between member states through the EU-CyCLONe network for coordinated crisis management.

Who does it affect?

Organizations and roles impacted by this regulation

1. Essential entities: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space sectors

2. Important entities: postal services, waste management, chemicals, food production and distribution, manufacturing, digital providers, and research organizations

3. Medium and large enterprises (50+ employees or EUR 10M+ turnover) in covered sectors

4. Smaller entities providing critical services (DNS, TLD registries, trust services, unique national service providers)

Key Obligations

Core compliance requirements organizations must address

01. Cybersecurity Risk Management

Entities must adopt comprehensive cybersecurity risk management measures proportionate to the risks, covering at least 10 areas: risk analysis and information security policies, incident handling, business continuity and crisis management, supply chain security, network security, vulnerability handling and disclosure, cybersecurity assessment, cryptography and encryption, human resources security, and multi-factor authentication.

02. Incident Reporting

Significant incidents must be reported through a three-stage process: an early warning within 24 hours, a notification within 72 hours providing initial assessment, and a final report within one month detailing root cause analysis, mitigation measures, and cross-border impact.

03. Supply Chain Security

Entities must address cybersecurity risks within their supply chains, taking into account the vulnerabilities specific to each direct supplier and service provider and the overall quality of products and cybersecurity practices of their suppliers.

04. Management Accountability

Management bodies must approve cybersecurity risk management measures and oversee their implementation. They can be held personally liable for infringements. Members must undergo regular cybersecurity training.

05. Registration and Information Sharing

Entities must register with the competent authority or CSIRT, providing information about their operations, IP ranges, and contact details. The directive encourages voluntary cybersecurity information sharing between entities.

Penalties for Non-Compliance

NIS2 introduces a harmonized penalty framework across the EU. For essential entities, maximum fines are at least EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities, maximum fines are at least EUR 7 million or 1.4% of total worldwide annual turnover, whichever is higher. Beyond financial penalties, competent authorities can impose compliance orders, binding instructions, security audit orders, and temporary suspension of certifications or authorizations. For essential entities, competent authorities can even request temporary suspension of management functions. The personal liability dimension for management body members represents a fundamental shift in cybersecurity accountability.

Implementation Timeline

Key milestones and compliance deadlines

Dec 2020

European Commission publishes the NIS2 Directive proposal

Jan 2023

NIS2 Directive enters into force - 21-month transposition period begins

Oct 2024

Transposition deadline - member states must adopt NIS2 into national law

Apr 2025

Member states must establish list of essential and important entities

How Reversa Helps

Purpose-built tools for navigating this regulation with confidence

Regulatory Radar

24/7 monitoring of hundreds of official sources - ENISA, national CSIRTs, and member state authorities. Receive same-morning notifications when NIS2 transposition measures, guidance, or implementing acts are published across jurisdictions.

AI-Powered Analysis

Deep-dive regulatory impact analysis with sector-specialized AI agents that extract concrete NIS2 obligations across the 10 risk management areas relevant to your entity classification and sector.

Legislative Twins

Map NIS2 obligations to your organization's specific context - creating digital representations of how the directive affects your entity based on your sector, size, and essential or important classification.

Automated Reporting

Generate newsletters, compliance radars, and reports for committees and stakeholders automatically - keeping your team aligned on NIS2 transposition progress and cybersecurity requirements without manual effort.

Frequently Asked Questions

Common questions about this regulation

What is the difference between essential and important entities?
Essential entities operate in 11 high-criticality sectors (energy, transport, banking, health, water, digital infrastructure, etc.). Important entities operate in 7 other critical sectors (postal, waste, chemicals, food, manufacturing, etc.). Essential entities face proactive supervision and higher fines (EUR 10M / 2%), while important entities face reactive supervision and lower maximum fines (EUR 7M / 1.4%).
Can management be personally liable under NIS2?
Yes. NIS2 explicitly requires that management bodies approve cybersecurity risk management measures and oversee their implementation. The directive states that member states shall ensure that management body members can be held liable for infringements. This personal accountability extends to approving the cybersecurity strategy, allocating adequate resources, ensuring appropriate training, and maintaining effective oversight.
How does NIS2 relate to DORA?
DORA is lex specialis to NIS2 for the financial sector. Financial entities covered by DORA generally follow DORA requirements instead of NIS2 where the two overlap. However, some NIS2 requirements may still apply to aspects not covered by DORA. The key takeaway is that financial entities primarily follow DORA, while entities in other NIS2 sectors follow NIS2 directly.
What are the NIS2 incident reporting timelines?
NIS2 establishes a three-stage process: (1) Early warning within 24 hours; (2) Incident notification within 72 hours with initial assessment; (3) Final report within one month with root cause analysis and mitigation measures. For ongoing incidents at the final report deadline, a progress report is required with the final report due one month after resolution.
How can Reversa help with NIS2 compliance?
Reversa supports NIS2 compliance through its Regulatory Radar (24/7 monitoring of NIS2 transposition across member states, ENISA guidance, and CSIRT publications), AI-Powered Analysis (sector-specialized agents that extract concrete NIS2 obligations from regulatory texts), Legislative Twins (mapping how NIS2 requirements affect your specific entity based on sector and classification), and Automated Reporting (generating compliance radars and reports for committees and stakeholders). As NIS2 national transpositions vary across member states, Reversa tracks the specific requirements applicable in each jurisdiction where you operate.

Strengthen Your Cybersecurity Compliance with Reversa

From risk management to incident reporting - navigate NIS2 with confidence across every jurisdiction.
