The Network and Information Security Directive 2 (NIS2) entered into force in January 2023 and required transposition into national law by October 2024. It replaces the original NIS Directive of 2016 with a substantially expanded scope, more detailed technical requirements, and — most significantly from a governance perspective — personal liability provisions for management bodies. For European businesses in affected sectors, NIS2 is not merely an IT compliance matter but a legal and governance obligation that sits at board level.
From NIS1 to NIS2: What Changed and Why
The original NIS Directive was widely criticised for producing inconsistent outcomes across member states, with significant variations in which entities were identified as operators of essential services and in how vigorously the regulation was enforced. The incident reporting thresholds were vague, and the sectoral coverage did not keep pace with the increasing digitisation of the economy. Several high-profile ransomware attacks on European critical infrastructure — including hospitals, energy networks, and logistics operators — underscored the need for a more robust framework.
NIS2 responds to these criticisms by expanding the sectoral scope substantially, introducing a size-based default inclusion threshold that removes the discretion member states previously had to identify which entities were in scope, tightening incident reporting timelines, and most notably creating a personal liability and sanctions regime that applies to individual members of management bodies.
Scope: Essential and Important Entities
NIS2 distinguishes between essential entities and important entities, applying the same fundamental obligations to both but providing for different enforcement intensity and penalty levels. Essential entities are those in sectors listed in Annex I of the directive: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space. Important entities are those in sectors listed in Annex II: postal services, waste management, manufacture of critical products, food, chemicals, digital providers including online marketplaces, search engines, and social networking platforms, and certain other sectors.
The key change from NIS1 is the introduction of a default size threshold: any entity in a covered sector that exceeds the EU definition of a medium-sized enterprise — more than 50 employees and annual turnover or balance sheet exceeding EUR 10 million — is automatically in scope. Member states may bring smaller entities into scope where they assess the risk to be significant, and certain entities such as top-level domain registries and trust service providers are in scope regardless of size.
This size-based approach means that thousands of European companies that were previously outside NIS1’s scope are now subject to NIS2 obligations. Mid-market technology companies, logistics operators, energy sector participants, healthcare providers, and manufacturers of critical goods must assess whether they fall within the directive’s scope and, if so, ensure compliance with the national transposition measures in each member state where they have relevant operations.
Technical and Organisational Measures Required
NIS2 requires that in-scope entities take appropriate and proportionate technical, operational, and organisational measures to manage the risks posed to network and information systems. The directive specifies minimum measures that must be included in any compliant programme: risk analysis and information system security policies; incident handling; business continuity and crisis management; supply chain security; security in network and information system acquisition, development, and maintenance; policies and procedures for assessing the effectiveness of cybersecurity measures; basic cyber hygiene practices and cybersecurity training; policies on cryptography and, where appropriate, encryption; human resources security, access control policies, and asset management; and the use of multi-factor authentication and secured communication systems.
The emphasis on supply chain security is new and significant. Entities must assess the cybersecurity practices of their direct suppliers and service providers and must consider the overall risk exposure from the supply chain when designing their security programmes. This creates downstream compliance obligations for technology vendors, SaaS providers, and IT service companies that supply to NIS2-regulated entities: their customers will increasingly require contractual representations about security practices and the right to conduct or commission security assessments as a condition of procurement.
Incident Reporting Obligations
NIS2 tightens incident reporting requirements significantly compared to NIS1. Entities must report significant incidents to their national competent authority or computer security incident response team (CSIRT) in a phased manner. An early warning must be provided within 24 hours of becoming aware of a significant incident. A more detailed incident notification must follow within 72 hours, including an initial assessment of the incident’s severity and impact. A final report must be submitted within one month of the initial incident notification, covering a detailed description of the incident, its root cause, mitigating measures taken, and cross-border impact if applicable.
A significant incident is defined as one that has caused or is capable of causing severe operational disruption or financial loss to the entity, or that has caused or is capable of causing considerable material or non-material damage to other natural or legal persons. This is a relatively low threshold that is likely to capture many cyber incidents beyond major breaches: ransomware attacks that disrupt operations, distributed denial of service attacks that affect service availability, and significant data exfiltration events will typically qualify.
Entities operating in multiple EU member states must navigate the question of which national authority to report to. The general rule is that the report goes to the member state where the entity is established, but for entities established in multiple member states the rules become more complex, particularly for digital service providers who are required to report to the member state of their main EU establishment as determined by their head office location.
Management Body Liability: The Critical New Dimension
The most operationally disruptive innovation in NIS2 from a governance perspective is the personal liability of management body members. The directive requires member states to ensure that management bodies of essential and important entities can be held personally liable for infringements of the entity’s NIS2 obligations. This requires that management bodies approve the entity’s cybersecurity risk management measures, oversee their implementation, and receive training on cybersecurity risks and risk management practices.
The specific liability mechanisms are left to member state implementation, but the directive makes clear that the intent is to make cybersecurity a board-level responsibility with personal consequences for non-compliance. In jurisdictions where directors’ liability under company law already extends to regulatory non-compliance, NIS2 creates an additional exposure. In jurisdictions with separate regulatory enforcement regimes, competent authorities may be empowered to issue public statements naming responsible individuals, impose temporary bans on management functions, or impose direct personal fines.
In practice, this means that company secretaries, compliance functions, and general counsel must now include NIS2 status on the board agenda with the same regularity as financial reporting and GDPR compliance. Management bodies that cannot demonstrate that they have approved a cybersecurity policy, received training, and overseen the implementation of required measures will be in a structurally weak position if an enforcement action arises from a cyber incident.
Penalties
NIS2 establishes minimum penalty levels that member states must implement. For essential entities, fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher, must be available. For important entities, the maximum fine that member states must make available is at least EUR 7 million or 1.4% of worldwide annual turnover. These figures are floors, not ceilings; member states may implement higher penalties. The GDPR-style turnover-based calculation was deliberately chosen to make the penalty regime meaningful even for large multinational operators.
Supply Chain Implications: Vendor Obligations and Contractual Clauses
For technology companies and managed service providers that are not themselves directly regulated by NIS2 but supply to regulated entities, the directive creates significant indirect obligations. NIS2-regulated customers will seek contractual representations about the supplier’s cybersecurity practices, the right to conduct security audits, notification obligations in the event of a security incident affecting the customer’s systems or data, and in some cases minimum certification standards such as ISO 27001 or alignment with the EU’s forthcoming cybersecurity certification schemes under the EU Cybersecurity Act.
Suppliers who cannot meet these contractual requirements risk losing regulated enterprise customers or being excluded from procurement processes. Technology vendors and SaaS providers operating in sectors that supply essential or important entities should proactively align their security programmes with NIS2 requirements and be prepared to evidence this alignment contractually. The European Union Agency for Cybersecurity (ENISA) has published guidance documents that can assist vendors in understanding what regulated customers are likely to require.
Interaction with GDPR and Sectoral Legislation
NIS2 operates alongside GDPR but serves a different purpose. GDPR focuses on personal data protection; NIS2 focuses on operational resilience and network security. A single cyber incident may trigger obligations under both: a ransomware attack that exfiltrates personal data triggers both GDPR’s 72-hour personal data breach notification obligation and NIS2’s phased incident reporting obligations. Organisations must ensure their incident response procedures address both regulatory frameworks simultaneously, which requires close coordination between the DPO function and the CISO function.
For financial sector entities, the Digital Operational Resilience Act (DORA) applies from January 2025 and establishes sector-specific digital resilience requirements for financial institutions, their critical third-party service providers, and ICT service providers. DORA creates a lex specialis that takes precedence over NIS2 for financial sector entities. The interaction between NIS2 and DORA means that financial institutions and their technology suppliers must understand both frameworks and comply with whichever imposes the higher standard on each particular obligation.
Conclusion
NIS2 marks a fundamental shift in how the EU approaches cybersecurity regulation. It is no longer a sector-specific niche obligation but a mainstream business law requirement affecting thousands of companies across the European economy. The combination of expanded scope, supply chain obligations, detailed technical requirements, tightened incident reporting, and personal management liability creates a regulatory environment in which cybersecurity governance must sit at the highest level of corporate decision-making. Businesses that treat NIS2 compliance as an IT department matter rather than a board-level legal obligation do so at significant legal and reputational risk.
