What is NIS2?
The EU's NIS2 Directive widens who must meet baseline cybersecurity obligations, and raises the stakes for getting them wrong.
NIS2 is the European Union's updated Network and Information Security Directive. It significantly expands the earlier NIS rules, bringing far more sectors and organisations into scope and setting stronger, more consistent cybersecurity and incident-reporting obligations across member states.
If you operate in the EU in a covered sector, or supply organisations that do, NIS2 likely reaches you. This guide covers who it applies to and what it requires.
- NIS2 expands EU cybersecurity obligations to many more sectors and organisations.
- It splits covered organisations into "essential" and "important" entities.
- It mandates risk-management measures, governance accountability, and prompt incident reporting.
- Management can be held accountable, and penalties are significant.
Who it applies to
NIS2 covers "essential" and "important" entities across sectors such as energy, transport, banking, health, digital infrastructure, public administration, and key manufacturing and digital providers, generally above certain size thresholds. The two tiers face similar obligations but differ in supervision and penalties. Suppliers to these entities are often pulled in through supply-chain requirements.
Core requirements
NIS2 sets baseline risk-management measures, including:
- Risk analysis and information-system security policies.
- Incident handling and prompt reporting on defined timelines.
- Business continuity and crisis management.
- Supply-chain security.
- Governance: management bodies are accountable and must be trained.
How to prepare
Confirm whether you are in scope, then assess your posture against the risk-management measures, tighten incident detection and reporting, and address supply-chain risk. Continuous monitoring, third-party oversight, and clear governance are central, and management accountability makes this a board-level topic, well beyond IT.
Frequently asked questions
Get ahead of NIS2
Baseline measures start with knowing your exposure and your suppliers. Run a free check.
Run a free check