9 min read AuditFront Team

NIS2 Compliance: What EU Companies Need to Know in 2026

A practical guide to NIS2 directive compliance — who it applies to, what's required, penalties, and step-by-step preparation for EU companies.


What is the NIS2 Directive?

The NIS2 Directive (Directive 2022/2555) is the European Union’s updated cybersecurity legislation, replacing the original NIS Directive from 2016. It entered into force on January 16, 2023, and EU member states were required to transpose it into national law by October 17, 2024.

NIS2 significantly expands the scope of EU cybersecurity regulation. Where the original directive covered a relatively narrow set of operators of essential services, NIS2 casts a much wider net — covering an estimated 160,000 entities across 18 sectors. It introduces stricter security requirements, faster incident reporting obligations, and substantially higher penalties for non-compliance.

If your organization operates in the EU or provides services to EU-based customers, NIS2 is not optional. It is the most consequential cybersecurity regulation in Europe since GDPR, and it demands concrete technical and organizational measures.

Who does NIS2 apply to?

NIS2 uses a size-based threshold combined with sector classification. The directive applies to medium-sized and large entities operating in designated sectors. A medium-sized entity is defined as one with at least 50 employees or an annual turnover exceeding 10 million euros.

Essential entities

Essential entities face the strictest requirements and the most active regulatory supervision. These include:

  • Energy — electricity, oil, gas, district heating, hydrogen
  • Transport — air, rail, water, road
  • Banking — credit institutions
  • Financial market infrastructure — trading venues, central counterparties
  • Health — hospitals, reference laboratories, medical device manufacturers, pharmaceutical companies
  • Drinking water — suppliers and distributors
  • Waste water — collection, disposal, and treatment operators
  • Digital infrastructure — DNS providers, TLD registries, cloud computing, data centers, CDNs, trust service providers, electronic communications networks
  • ICT service management (B2B) — managed service providers and managed security service providers
  • Public administration — central government entities
  • Space — operators of ground-based infrastructure

Important entities

Important entities have the same baseline obligations but face lighter supervisory regimes (reactive rather than proactive oversight). These include:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing — medical devices, computers, electronics, optical products, electrical equipment, machinery, motor vehicles, trailers, and other transport equipment
  • Digital providers — online marketplaces, search engines, social networking platforms
  • Research — research organizations

Size exceptions

Regardless of size, certain entities are always in scope: qualified trust service providers, top-level domain registries, DNS service providers, electronic communications providers, and public administration entities. Member states can also designate additional entities based on national criticality assessments.

The 18 sectors at a glance

NIS2 covers 11 sectors classified as “highly critical” (Annex I) and 7 sectors classified as “other critical” (Annex II). Together, these 18 sectors represent a dramatic expansion from the original NIS Directive, which covered only 7 sectors.

The practical implication is straightforward: if your company touches critical infrastructure, essential services, or the digital supply chain in any EU member state, you are very likely in scope.

What NIS2 requires: Article 21 measures

Article 21 of NIS2 mandates that in-scope entities implement “appropriate and proportionate technical, operational, and organisational measures” to manage cybersecurity risks. The directive specifies a minimum set of measures:

1. Risk analysis and information security policies

Establish and maintain policies for risk analysis and information system security. This overlaps substantially with the requirements of ISO 27001, making certification a practical way to demonstrate compliance.

2. Incident handling

Implement procedures for preventing, detecting, and responding to cybersecurity incidents. NIS2 imposes specific incident reporting timelines:

  • 24 hours — early warning to the national CSIRT or competent authority after becoming aware of a significant incident
  • 72 hours — full incident notification with an initial assessment of severity and impact
  • 1 month — final report with a detailed description of the incident, root cause, mitigation measures, and cross-border impact

These timelines are significantly tighter than many organizations are accustomed to. Without a pre-established incident response process, meeting the 24-hour early warning deadline is extremely difficult.

3. Business continuity and crisis management

Develop and test business continuity plans, including backup management, disaster recovery, and crisis management procedures.

4. Supply chain security

Assess and manage cybersecurity risks in your supply chain and supplier relationships. This includes evaluating the security practices of your direct suppliers and service providers. For many organizations, this is the most challenging requirement — it means you need visibility into your vendors’ security posture.

5. Security in network and information systems acquisition, development, and maintenance

Integrate security into the lifecycle of your systems, including vulnerability handling and disclosure.

6. Policies and procedures to assess cybersecurity risk management effectiveness

Implement processes to evaluate whether your security measures are actually working. Regular testing, auditing, and metrics are expected.

7. Basic cyber hygiene and training

Ensure staff receive cybersecurity awareness training and that basic cyber hygiene practices are in place across the organization.

8. Cryptography and encryption

Implement policies and procedures for the use of cryptography and, where appropriate, encryption.

9. Human resources security and access control

Manage access rights, implement asset management practices, and address human resources security including background checks and role-based access.

10. Multi-factor authentication and secure communications

Use multi-factor authentication, continuous authentication solutions, and secured voice, video, and text communications where appropriate.

Penalties for non-compliance

NIS2 introduces a penalty framework modeled on GDPR, with meaningful financial consequences:

Essential entities face fines of up to 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher.

Important entities face fines of up to 7 million euros or 1.4 percent of total worldwide annual turnover, whichever is higher.

Beyond financial penalties, NIS2 introduces personal accountability for senior management. Article 20 requires that “management bodies” of in-scope entities approve and oversee cybersecurity risk management measures. Management body members can be held personally liable and may face temporary suspension from exercising managerial functions if the entity fails to comply.

This personal liability provision is a significant departure from previous cybersecurity regulation and puts cybersecurity squarely on the boardroom agenda.

Transposition status across EU member states

The transposition deadline was October 17, 2024. As of early 2026, the implementation landscape across EU member states is uneven:

Fully transposed and enforcing: Belgium, Croatia, Hungary, Italy, Latvia, Lithuania, and a handful of other early movers have completed transposition and begun active enforcement.

Transposed with ongoing refinement: Germany, France, the Netherlands, and several other large member states have passed national legislation but are still refining implementing guidance, sector-specific requirements, and supervisory structures.

Still in progress: A number of member states missed the deadline and are at various stages of legislative process. The European Commission has initiated infringement proceedings against several laggards.

Regardless of your member state’s transposition status, the directive’s requirements are clear. Waiting for national implementation before beginning compliance efforts is a risky strategy — when enforcement begins, authorities expect to find measures already in place, not just getting started.

How NIS2 relates to existing frameworks

If your organization already holds ISO 27001 certification or has implemented controls aligned with ISO 27001 Annex A, you have a substantial head start on NIS2 compliance. The overlap between Article 21 measures and ISO 27001 controls is significant:

NIS2 Article 21 requirement              ISO 27001 Annex A mapping
---------------------------------------  -------------------------
Risk analysis and security policies      A.5.1, A.5.2, A.6.1
Incident handling                        A.5.24, A.5.25, A.5.26
Business continuity                      A.5.29, A.5.30
Supply chain security                    A.5.19, A.5.20, A.5.21
Access control and MFA                   A.5.15, A.5.16, A.8.5
Cryptography                             A.8.24
Training and awareness                   A.6.3

Similarly, organizations with SOC 2 attestation will find that many SOC 2 Trust Services Criteria map to NIS2 requirements, particularly in the areas of security, availability, and confidentiality.

GDPR compliance also overlaps — especially around incident notification (72-hour window), data protection impact assessments, and organizational security measures.

The key gap for most ISO 27001 or SOC 2 certified organizations will be NIS2-specific requirements around incident reporting timelines (the 24-hour early warning is stricter than most frameworks require) and supply chain security obligations.

Practical steps to start NIS2 compliance

Step 1: Determine if you are in scope

Review the sector classifications in Annex I and Annex II against your business activities. Check the size thresholds (50+ employees or 10M+ euros turnover). If you are in scope, determine whether you classify as an essential or important entity — this affects the supervisory regime and penalty levels.

Step 2: Identify your member state obligations

Determine which EU member states you operate in and check the local transposition status. If you operate across multiple member states, you may need to register with and report to multiple national authorities — though NIS2 generally designates the member state of your main establishment as the primary jurisdiction.

Step 3: Run a gap analysis

Map your current security posture against the 10 categories of Article 21 measures. Identify where you already meet requirements (especially if you hold ISO 27001 or similar certifications) and where gaps exist. AuditFront’s self-assessment templates can help you structure this analysis systematically.

Step 4: Prioritize supply chain security

For most organizations, supply chain security is the biggest gap. Build a register of your critical suppliers, assess their cybersecurity posture, incorporate security requirements into contracts, and establish a process for ongoing vendor monitoring.

Step 5: Build or update your incident response capability

Ensure you can detect, classify, and report incidents within the NIS2 timelines. This means having a defined incident response team, clear escalation procedures, pre-drafted notification templates, and regular tabletop exercises. Test specifically against the 24-hour early warning requirement.

Step 6: Engage senior management

NIS2 explicitly requires management body approval and oversight of cybersecurity measures. Brief your board or executive team on NIS2 obligations, including personal liability provisions. Schedule regular management reviews of cybersecurity risk — this should become a standing agenda item.

Step 7: Document everything

Like ISO 27001, NIS2 compliance is evidence-based. Maintain documented policies, risk assessments, incident logs, training records, and supplier assessments. When a regulator or auditor asks to see evidence of compliance, you need to be able to produce it.

Step 8: Plan for ongoing compliance

NIS2 is not a one-time project. Build cybersecurity risk management into your operational processes. Schedule regular risk assessments, policy reviews, training cycles, and internal audits. Treat compliance as continuous, not a destination.

Common mistakes to avoid

  1. Assuming you are out of scope — NIS2’s expanded sector definitions catch many organizations that did not fall under the original NIS Directive. When in doubt, seek a formal determination.

  2. Treating NIS2 as purely a technical exercise — the directive requires organizational and governance measures alongside technical controls. Policies, training, management oversight, and supply chain management are equally important.

  3. Waiting for national transposition — the directive’s requirements are defined at EU level. Delaying action because your member state hasn’t finalized legislation leaves you exposed when enforcement begins.

  4. Ignoring the supply chain provisions — many organizations focus on their own controls while neglecting supplier assessment obligations. This is a major area of regulatory focus.

  5. Underestimating incident reporting timelines — the 24-hour early warning is aggressive. Without practiced processes, most organizations cannot meet it reliably.

Get started with NIS2 compliance

NIS2 compliance doesn’t have to start from zero. If you already have structured security practices — whether through ISO 27001, SOC 2, or GDPR — you likely have meaningful coverage of NIS2 requirements. The key is identifying your gaps and addressing them systematically.

AuditFront provides structured self-assessment templates that map to major compliance frameworks, helping you identify gaps, track remediation, and maintain evidence — without the spreadsheet chaos.

Start your free assessment and see where your organization stands against NIS2 requirements today.
