NIS2 for SMEs: A Practical Guide

NIS2 expands Europe’s cybersecurity obligations to thousands of small and medium-sized enterprises. This guide explains who is covered, what is required, and where to start.

What is NIS2?

NIS2 (Directive EU 2022/2555) is the European Union’s revised Network and Information Security directive. It replaces the original NIS Directive from 2016 and significantly expands both the scope and the depth of mandatory cybersecurity requirements across the EU.

The directive establishes a common baseline of cybersecurity risk management obligations for organisations operating in sectors critical to society and the economy. It requires covered entities to implement appropriate technical and organisational security measures, report significant incidents promptly, and take responsibility for their supply chain security.

NIS2 is not optional guidance — it is a legal obligation enforceable by national competent authorities, with significant financial penalties for non-compliance. If your SME operates in a covered sector and meets the size thresholds, you are legally required to comply.

Essential entities vs important entities

NIS2 creates two tiers of covered organisations. Both tiers must meet the same Article 21 security requirements — the difference lies primarily in how supervision is conducted by national authorities.

Essential entities

Large organisations in highly critical sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space.

Subject to proactive (ex-ante) supervision — authorities actively audit and inspect.

Important entities

Medium-sized organisations in the same sectors, plus additional sectors: postal and courier services, waste management, manufacture of critical products, food production and distribution, digital providers, and research organisations.

Subject to reactive (ex-post) supervision — authorities investigate when an incident or complaint occurs.

Excluded: micro-enterprises

Organisations with fewer than 10 employees and annual turnover or balance sheet under €2 million are generally excluded. Exceptions apply for providers of critical infrastructure regardless of size.

SME size thresholds under NIS2

NIS2 uses the EU’s standard enterprise size definitions. Whether your SME is in scope depends on both your organisation’s size and the sector in which you operate.

Size thresholds for NIS2 coverage (in covered sectors):
  • Medium enterprises (important entities) — 50 or more employees, or annual turnover / balance sheet of €10 million or more.
  • Large enterprises (essential entities) — 250 or more employees, or annual turnover of €50 million or more AND balance sheet of €43 million or more.
  • Sector exceptions (any size) — Top-level domain registries, DNS providers, public electronic communications networks, trust service providers, and sole providers of a service critical to a member state are covered regardless of size.

If your organisation operates in a covered sector and meets the size threshold, you are likely subject to NIS2 obligations. Your national competent authority maintains a registry of covered entities — contact your national cybersecurity agency for country-specific confirmation.

The ten Article 21 security measures

Article 21 of NIS2 requires covered entities to take “appropriate and proportionate” technical, operational, and organisational measures to manage cybersecurity risks. The ten mandatory measure areas are:

Risk analysis and information system security policies

Document your approach to identifying and managing cybersecurity risks. A structured risk assessment is the mandatory foundation for all other measures.

Incident handling

Establish procedures for detecting, responding to, and recovering from cybersecurity incidents. Significant incidents must be reported to your national authority within 24 hours of detection.

Business continuity and crisis management

Maintain backup systems, disaster recovery plans, and crisis management procedures to ensure service continuity after a disruptive incident.

Supply chain security

Assess and manage the cybersecurity risks introduced by suppliers, software vendors, and third-party service providers. Document dependencies and contractual security requirements.

Security in acquisition and development

Apply security throughout the procurement and development lifecycle of network and information systems, including vulnerability handling and disclosure policies.

Effectiveness assessment

Regularly test and evaluate whether your security measures are working as intended. This includes audits, vulnerability testing, and continuous monitoring.

Cyber hygiene and training

Implement basic cybersecurity practices across your organisation and provide regular security awareness training to staff at all levels, including management.

Cryptography and encryption

Apply encryption and cryptographic controls where appropriate to protect data in transit and at rest, and maintain policies governing their use.

Human resources security, access control, and asset management

Control access to systems on a need-to-know basis, manage HR security procedures for onboarding and offboarding, and maintain an inventory of information assets.

Multi-factor authentication and secure communications

Enforce MFA for privileged and remote access. Use encrypted communications channels for sensitive internal and external communications.

NIS2 implementation timeline

NIS2 has already passed its key EU-level milestones. National implementation is underway across member states.

  • 16 January 2023 — NIS2 Directive entered into force.
  • 17 October 2024 — Deadline for member states to transpose NIS2 into national law.
  • 17 January 2025 — ENISA published EU-level guidelines; member states required to have registered covered entities.
  • Now — Supervision and enforcement are active in most member states. If you are in scope, you should already be working on compliance.

Transposition timelines vary between member states. Contact your national cybersecurity agency (ENISA maintains a list of national authorities) for country-specific guidance on current obligations and registration requirements.

What NIS2 does and does not require

“We are too small to be covered”

Many SMEs in covered sectors with 50+ employees or €10M+ turnover are in scope. Size alone does not exclude you — the sector you operate in is equally decisive.

“ISO 27001 certification satisfies NIS2”

ISO 27001 is helpful evidence of a security management system, but it does not automatically satisfy NIS2. NIS2 has specific requirements around incident reporting timelines, supply chain assessment, and management personal liability that go beyond ISO 27001 scope.

“A risk assessment alone is enough”

A risk assessment is the mandatory starting point, but NIS2 also requires incident handling procedures, business continuity plans, supply chain assessments, and regular effectiveness testing. The risk assessment informs and justifies all other measures.

NIS2 SME questions

Does NIS2 apply to micro-enterprises?

Generally no. NIS2 explicitly excludes micro-enterprises (fewer than 10 employees and annual turnover or balance sheet under €2 million) unless they operate in specific critical sectors such as providers of public electronic communications networks or trust service providers.

What is the difference between essential and important entities?

Essential entities are large organisations in highly critical sectors. Important entities include medium-sized organisations in the same sectors plus additional sectors. Both tiers must comply with the same Article 21 security requirements. The key difference is supervision: essential entities face proactive (ex-ante) supervision; important entities face reactive (ex-post) supervision triggered by incidents or complaints.

When did NIS2 come into effect?

NIS2 (Directive EU 2022/2555) entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024. Implementation timelines and enforcement activity vary by member state.

What are the penalties for non-compliance?

Non-compliant essential entities can face fines of up to €10 million or 2% of global annual turnover (whichever is higher). Important entities face fines of up to €7 million or 1.4% of global annual turnover. National authorities can also issue binding instructions, require immediate remediation, and in serious cases temporarily ban management from exercising leadership roles.
