Platform
Solutions
Partners
Why NMT
Resources
Contact Us
GuidesFrameworks & Standards

What is NIS2?

The EU's NIS2 Directive widens who must meet baseline cybersecurity obligations, and raises the stakes for getting them wrong.

6 min read

NIS2 is the European Union's updated Network and Information Security Directive. It significantly expands the earlier NIS rules, bringing far more sectors and organisations into scope and setting stronger, more consistent cybersecurity and incident-reporting obligations across member states.

If you operate in the EU in a covered sector, or supply organisations that do, NIS2 likely reaches you. This guide covers who it applies to and what it requires.

Key takeaways
  • NIS2 expands EU cybersecurity obligations to many more sectors and organisations.
  • It splits covered organisations into "essential" and "important" entities.
  • It mandates risk-management measures, governance accountability, and prompt incident reporting.
  • Management can be held accountable, and penalties are significant.

Who it applies to

NIS2 covers "essential" and "important" entities across sectors such as energy, transport, banking, health, digital infrastructure, public administration, and key manufacturing and digital providers, generally above certain size thresholds. The two tiers face similar obligations but differ in supervision and penalties. Suppliers to these entities are often pulled in through supply-chain requirements.

Core requirements

NIS2 sets baseline risk-management measures, including:

  • Risk analysis and information-system security policies.
  • Incident handling and prompt reporting on defined timelines.
  • Business continuity and crisis management.
  • Supply-chain security.
  • Governance: management bodies are accountable and must be trained.

How to prepare

Confirm whether you are in scope, then assess your posture against the risk-management measures, tighten incident detection and reporting, and address supply-chain risk. Continuous monitoring, third-party oversight, and clear governance are central, and management accountability makes this a board-level topic, well beyond IT.

Frequently asked questions

How is NIS2 different from the original NIS Directive?
NIS2 covers far more sectors and entities, harmonises requirements across the EU, strengthens incident-reporting and supply-chain rules, and adds management accountability and tougher penalties.
What are essential vs important entities?
Both must meet NIS2 obligations, but essential entities face proactive supervision while important entities are supervised more reactively, and penalty ceilings differ.
How does NIS2 relate to DORA?
DORA is the sector-specific rulebook for financial entities; NIS2 is the broader, cross-sector baseline. Financial entities generally follow DORA as the more specific regime.
How does NMT help with NIS2?
NMT supports risk-management visibility, continuous monitoring and detection, incident readiness, and supply-chain/third-party risk, which map to the NIS2 baseline measures.

Get ahead of NIS2

Baseline measures start with knowing your exposure and your suppliers. Run a free check.

Run a free check
Related
Guide: What is DORA? Guide: What is Third-Party Risk Management? Guide: What is the NIST Cybersecurity Framework?