This article focuses specifically on explaining the NIS2 Directive's practical compliance requirements and implementation challenges. It provides actionable guidance on NIS2 requirements with real-world compliance strategies and implications for noncompliance.
What is the NIS2 Directive?
The NIS2 Directive (Directive (EU) 2022/2555) is the European Union's (EU) most comprehensive cybersecurity law to date. It is the successor to the original 2016 Network and Information Systems (NIS) Directive. NIS2 reworked that legislation to remove ambiguities that had led to uneven national implementation, introduce more detailed security and incident-reporting requirements, and extend coverage to more sectors and types of entities, with more harmonized rules across member states.
Understanding the NIS2 Directive: Fundamentals and scope
The NIS2 Directive introduces a common set of cybersecurity requirements across all EU member states to strengthen the overall cybersecurity and resilience of essential entities and important entities. Its purpose is to respond to the increasing complexity and frequency of cyber threats facing these entities by establishing a common baseline of risk management practices, cybersecurity controls, accountability, governance, and cross-border collaboration.
Objectives of NIS2
With NIS2, legislators sought to remedy inconsistent implementation and uneven levels of security across sectors by:
- Creating management accountability with requirements for boards and executives to oversee and approve cybersecurity measures, with potential personal liability for noncompliance.
- Enhancing cross-border collaboration through mechanisms such as the European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) and the NIS Cooperation Group.
- Establishing incident reporting protocols with strict timelines for notifying authorities of significant incidents.
- Expanding the scope to cover more sectors and types of entities, to include those that were previously not regulated.
- Harmonizing rules for enforcement and penalties across the EU.
- Introducing risk-based security requirements, including the adoption of appropriate technical, operational, and organizational measures to manage cybersecurity risks.
Key sectors and entities affected by NIS2
The NIS2 Directive uses a size-cap rule so that regulatory effort focuses on entities whose failure or compromise would have a widespread effect, while still capturing smaller but highly critical operators. In general, NIS2 applies to organizations in the sectors listed in its Annexes I and II that qualify as medium-sized or large under the EU definition (at least 50 employees, or annual turnover or balance sheet total above €10 million).
The size cap does not apply to certain entities, which are in scope regardless of size. These include entities that are:
- Identified as critical entities under the Critical Entities Resilience (CER) Directive
- Providers of public electronic communications networks or publicly available electronic communications services, trust service providers, top-level domain (TLD) name registries, or DNS service providers
- Providers of a service whose disruption could significantly impact public safety, security, or health, or cause systemic risk
- The sole provider in a Member State of a service essential for the maintenance of critical societal or economic activities, or certain public administration entities
Categories of entities under the NIS2 Directive
Organizations, companies, and suppliers affected by the NIS2 Directive are divided into two categories—essential entities and important entities. Broadly, essential entities are large entities in the high-criticality sectors of Annex I (e.g., energy, transport, banking, health, drinking water, digital infrastructure, and public administration), while important entities are medium-sized entities in Annex I sectors and entities in the Annex II sectors (e.g., postal services, waste management, manufacturing, food, and digital providers). This is a material distinction: both categories have the same substantive security and reporting obligations, but essential entities are subject to proactive supervision and to higher maximum fines (at least €10 million or 2% of worldwide annual turnover, versus at least €7 million or 1.4% for important entities).
Obligations of important entities and essential entities under NIS2
Both essential entities (EEs) and important entities (IEs) are required to comply with the core NIS2 Directive requirements, including:
- Risk management measures
- Incident response and crisis management plans
- Business continuity and disaster recovery
- Supply chain and third-party risk management
- Network and information system security
- Security policies for data handling and vulnerability disclosure
- Policies on secure development, testing, and maintenance
- Cyber hygiene and cybersecurity training for staff
- Incident reporting
- Governance and accountability:
  - Boards and senior management must approve cybersecurity measures and oversee their implementation
  - Management can be held personally liable for noncompliance
  - Mandatory management-level training and awareness programs
- Supervision and enforcement
Key dates and timeline for NIS2 implementation
The NIS2 Directive entered into force on January 16, 2023. EU Member States were required to adopt and publish the measures necessary to comply with the NIS2 Directive by October 17, 2024, and to apply them from October 18, 2024. Member States then had until April 17, 2025, to establish their lists of essential entities and important entities, and must review and update those lists at least every two years. Entities in scope are required to register with the competent authority in the Member State(s) determined by national law, supply the identification details the Directive requires, and keep that registration current as their details change.
NIS1 vs. NIS2: What's new?
The following tables illustrate comparisons of NIS and NIS2 by the European Commission.
NIS capabilities | NIS2 capabilities |
---|---|
EU member states improve their cybersecurity capabilities. | More stringent supervision measures and enforcement are introduced. A list of administrative sanctions, including fines for breaches of the cybersecurity risk management and reporting obligations, is established. |
NIS cooperation | NIS2 cooperation |
---|---|
EU-level cooperation has increased. | The European Cyber Crisis Liaison Organisation Network (EU-CyCLONe) is established to support the coordinated management of large-scale cybersecurity incidents at the EU level. Information sharing and cooperation between member state authorities are increased with the enhanced role of the Cooperation Group. Coordinated vulnerability disclosure for newly discovered vulnerabilities across the EU is established, supported by a European vulnerability database maintained by ENISA. |
NIS cybersecurity risk management | NIS2 cybersecurity risk management |
---|---|
Operators of Essential Services (OES) and Digital Service Providers (DSP) have to adopt risk management practices and notify their national authorities about significant incidents. | Security requirements are strengthened with a list of focused measures, including incident response and crisis management, vulnerability handling and disclosure, policies and procedures to assess the effectiveness of cybersecurity risk management measures, basic computer hygiene practices and cybersecurity training, the effective use of cryptography, human resources security, access control policies, and asset management. The cybersecurity of the supply chain for key information and communication technologies is strengthened. Incident reporting obligations are strengthened with more precise reporting processes, content, and timeline provisions. |
Additional changes included in the NIS2 Directive are:
- Reinforced obligations for essential entities and important entities to implement technical, operational, and organizational measures to manage the risks
- Significant expansion of incident reporting requirements
- More stringent penalties for failure to comply with NIS2
NIS2 compliance requirements: Actions, reporting, and legal implications
The NIS2 Directive creates a number of obligations and liabilities for covered entities and specifies legal processes for oversight and for maintaining compliance. The main ones are summarized below. Note that the NIS2 Directive does not prescribe specific technologies or products. Instead, it lists the areas that the entity's risk management measures must cover (Article 21) and leaves the choice of controls to the entity, proportionate to its risk exposure, size, and the likelihood and impact of incidents.
Technical and organizational security measures
- Put in place proportionate technical, operational, and organizational measures that match the entity's risks (e.g., size, exposure, likelihood, and impact).
- Formalize and maintain policies for security systems as well as risk identification, assessment, and treatment.
- Define incident handling processes, roles, tooling, and playbooks to detect, triage, contain, eradicate, and recover from incidents.
- Develop plans for business continuity and crisis management to ensure the quick restoration of critical services.
- Assess and manage risks from third parties (e.g., direct suppliers and service providers).
- Establish policies and procedures to evaluate the efficacy of risk management measures (e.g., testing, metrics, and audits).
- Maintain high levels of cyber hygiene, such as patching, hardening, least privilege, and event logging.
- Conduct regular cybersecurity and risk awareness training for all users.
- Create rules for when and how to use cryptography (e.g., data at rest or in transit and key management).
- Employ and enforce a joiner–mover–leaver process with role-appropriate screening, mandatory security training, confidentiality obligations, and defined disciplinary measures.
- Apply least privilege and need-to-know access restrictions with multi-factor authentication (MFA), role-based access controls (RBAC), periodic access reviews, privileged access management (PAM) for administrators, and secure remote access.
- Maintain an inventory of hardware, software, and data assets on premises, in the cloud, and in SaaS applications. Additionally, assign owners and classifications for all assets, and track their lifecycle.
- Secure communication (e.g., email, voice, video, and SMS) channels.
What must be reported
Significant incidents must be reported. Under Article 23(3), an incident is significant if it has caused, or is capable of causing, severe operational disruption of the entity's services or financial loss for the entity, or if it has affected, or is capable of affecting, other natural or legal persons by causing considerable material or non-material damage. Entities must also, where appropriate, inform recipients of their services about significant cyber threats and the measures those recipients can take in response.
Reporting timelines
The clock starts when the entity becomes aware of the significant incident, that is, when it has enough information to conclude that the incident meets the significance criteria. Within 24 hours, an early warning must be sent to the national CSIRT or competent authority indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
An incident notification, which updates the early warning and provides an initial assessment of the incident's severity and impact and any indicators of compromise (IoCs) available, must be filed within 72 hours (within 24 hours for trust service providers, for incidents affecting their trust services). A final report must be filed no later than one month after the incident notification; if the incident is still ongoing at that point, the entity files a progress report instead and the final report within one month of handling the incident. The CSIRT or competent authority may also request intermediate status reports in the meantime.
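Because the three deadlines hang off two different anchors (awareness for the 24- and 72-hour filings, the actual filing time of the notification for the one-month final report), incident response teams usually keep a small calculator in the playbook. The following Python is an added worked example, not text from the Directive or from the original article. It implements the Article 23 timeline as described above; the "one month" rule is treated as a calendar month clamped to the month end (an assumption, since the Directive does not define the counting rule and national transpositions may differ), and the incident timestamps are constructed for illustration.

```python
"""Deadline calculator for the NIS2 significant-incident reporting chain.

Added worked example (not from the Directive or the original article).
Implements the Article 23 timeline: early warning within 24 hours and
incident notification within 72 hours of becoming aware that the incident
is significant, final report no later than one month after the
notification was submitted.

Assumptions (constructed for this example):
  - "one month" is a calendar month, clamped to the last day of the target
    month when the same day-of-month does not exist (31 Jan -> 28/29 Feb).
    The Directive does not define the counting rule; check the national
    transposition that applies to you.
  - all timestamps are timezone-aware (UTC is used here).
"""
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = "early_warning"
NOTIFICATION = "notification"
FINAL_REPORT = "final_report"


def add_one_month(ts: datetime) -> datetime:
    """Return ts plus one calendar month, clamping the day to the month end."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


@dataclass(frozen=True)
class ReportingDeadlines:
    aware_at: datetime
    early_warning_due: datetime
    notification_due: datetime
    final_report_due: Optional[datetime]  # unknown until the notification is filed


def compute_deadlines(aware_at: datetime,
                      notification_filed_at: Optional[datetime] = None,
                      notification_hours: int = 72) -> ReportingDeadlines:
    """Derive the deadlines from the moment significance was established.

    notification_hours defaults to 72; trust service providers use 24
    (Article 23(4)(b)). The final-report deadline is anchored on the actual
    filing time of the notification, not on the notification's due date.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    if notification_filed_at is not None and notification_filed_at < aware_at:
        raise ValueError("notification cannot precede awareness")
    return ReportingDeadlines(
        aware_at=aware_at,
        early_warning_due=aware_at + timedelta(hours=24),
        notification_due=aware_at + timedelta(hours=notification_hours),
        final_report_due=(add_one_month(notification_filed_at)
                          if notification_filed_at else None),
    )


def next_action(d: ReportingDeadlines, now: datetime,
                filed: frozenset[str]) -> tuple[str, Optional[timedelta]]:
    """Return the next report still owed and the time remaining.

    A negative remaining delta means that report is already overdue.
    Returns ("complete", None) once all three reports have been filed.
    """
    if EARLY_WARNING not in filed:
        return EARLY_WARNING, d.early_warning_due - now
    if NOTIFICATION not in filed:
        return NOTIFICATION, d.notification_due - now
    if FINAL_REPORT not in filed:
        if d.final_report_due is None:
            raise ValueError("notification filed but its filing time was not recorded")
        return FINAL_REPORT, d.final_report_due - now
    return "complete", None


if __name__ == "__main__":
    # Constructed incident: triage confirmed significance at 10:00 UTC on 31 Jan 2025,
    # and the 72-hour notification was actually filed at 09:00 UTC on 2 Feb 2025.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    filed_72h = datetime(2025, 2, 2, 9, 0, tzinfo=timezone.utc)
    d = compute_deadlines(aware, notification_filed_at=filed_72h)
    print("early warning due:", d.early_warning_due.isoformat())
    print("notification due: ", d.notification_due.isoformat())
    print("final report due: ", d.final_report_due.isoformat())
    stage, remaining = next_action(d, datetime(2025, 2, 20, tzinfo=timezone.utc),
                                   frozenset({EARLY_WARNING, NOTIFICATION}))
    print(f"next report owed: {stage}, time remaining: {remaining}")
```

Two design points matter in practice. First, the `aware_at` value should be the time at which triage concluded the incident is significant, logged in the ticketing system, because that is the timestamp a regulator will ask for. Second, the final-report anchor is recorded when the notification is actually sent, which is why `compute_deadlines` takes `notification_filed_at` as a separate argument rather than assuming the filing happened exactly at the 72-hour mark.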
What constitutes a significant incident
Under the NIS2 Directive itself, incident significance is a qualitative assessment of severity, disruption, financial loss, or harm to others. For digital infrastructure and digital providers (DNS service providers, TLD name registries, cloud, data centre and CDN providers, managed service and managed security service providers, online marketplaces, search engines, social networking platforms, and trust service providers), the Commission's Implementing Regulation (EU) 2024/2690 adds quantitative thresholds; entities in other sectors should check their national transposition and competent authority's guidance. The implementing regulation's thresholds include:
- Financial loss— direct financial loss exceeding €500,000 or 5% of the entity's total annual turnover in the preceding financial year, whichever is lower
- Unavailability— a service is completely unavailable for more than 30 minutes (e.g., for cloud, CDN, and MSP/MSSP services; the exact rule varies by entity type)
- Degraded availability— service limited for more than 5% of users in the EU or more than 1 million users, for more than one hour
- Data compromise— the confidentiality, integrity, or authenticity of stored, transmitted, or processed data, or of the service itself, is compromised
- Unauthorized access— successful, suspectedly malicious access to network and information systems that is capable of causing severe operational disruption
- Recurring incidents— incidents that individually fall below the thresholds but share the same apparent root cause and occur at least twice within six months are treated together as one significant incident
Who to notify and how coordination works
- Notify the national CSIRT or the competent authority
- For incidents touching multiple Member States, the CSIRT, competent authority, or national Single Point of Contact (SPOC) must inform other affected Member States and the European Union Agency for Cybersecurity (ENISA) without undue delay
- Where necessary in the public interest (e.g., to prevent or manage an ongoing incident), authorities may inform the public or require entities to do so
- Each country's SPOC submits quarterly summaries with aggregated and anonymized reports to ENISA
Governance and documentation expectations
Governance
- Board oversight and accountability, with the management body formally approving the cybersecurity risk management measures and overseeing their implementation (the Directive's requirement), and in practice reviewing results at least annually and after major incidents
- Defined roles with named owners
- Policies and standards that are regularly reviewed and updated as needed
- Risk tolerance statements and risk acceptance guidelines
- Inclusion of all third parties in policies
Risk assessment
- Documented methodology run at least annually and upon significant change (e.g., new system, supplier, or incident)
- Threat-led risk analysis processes
- Risk register with ownership, target dates, chosen treatments, and links to specific controls
Documentation
- Core program docs, including information security policy, risk management policy, asset and configuration management protocols, identity and access control rules, and change management processes
- Incident response plan that may include playbooks
- Backup and recovery plans
- Secure software development lifecycle (SDLC) rules
- Supplier management rules
- Security and risk awareness training records
Auditing
Essential entities are subject to both ex ante and ex post supervision, meaning authorities may audit and inspect them proactively without any trigger, while important entities are subject to ex post supervision only, triggered by evidence, an indication, or information that the entity is not complying. In both cases, authorities can order on-site or off-site inspections, targeted security audits by an independent body, security scans, and requests for information and evidence of policy implementation. NIS2 audit considerations include:
- Annual cycle of internal audits, technical tests (e.g., vulnerability scans and configuration compliance), and independent penetration testing
- Records of metrics and evidence of compliance, such as policies, risk assessments, asset inventories, incident records, disaster recovery tests, training logs, supplier due diligence, and change, patch, identity and access management, and cryptography artifacts
Management liabilities
The NIS2 Directive holds management accountable for:
- Ensuring that cybersecurity risk assessments are carried out
- Implementing technical and organizational security measures
- Managing risks appropriately
- Supporting cybersecurity through training and risk management programs
How to address real-world NIS2 implementation challenges
The following are several recommended steps that organizations should take to be prepared to implement the requirements of the NIS2 Directive.
Adopt a proactive approach to security
Continuously perform risk analyses to identify potential threats proactively. This allows organizations to address any issues and ensure that they are prepared to meet the compliance requirements of the NIS2 Directive.
Define and apply a cryptography policy
The NIS2 Directive requires policies and procedures on the use of cryptography and, where appropriate, encryption, rather than mandating encryption of everything. In practice this means encrypting critical data at rest (databases, backups, documents, and storage on servers and endpoints) and in transit (internal and external communications), using current, well-reviewed algorithms and protocols, and managing keys properly: generation, storage (hardware security modules or cloud key management services where the risk warrants it), rotation, access control, and revocation. Document which data and channels are covered, and make sure the controls match the classification of the assets identified during scoping.
Foster a security-oriented culture
An organization's top leadership should make cybersecurity a top priority for every department. A cyber-oriented culture starts with leadership and is infused into the organization by requiring a minimum level of security awareness among employees. Security training should be customized to help employees understand how their roles and responsibilities can impact security.
Identify critical services, processes, and assets that relate to the essential service as defined in the NIS2 Directive
Determining what will require extra protections to ensure NIS2 compliance can be done by conducting an impact assessment. This helps identify which systems and processes fall under the NIS2 Directive's scope.
Implement compliant risk and information security management systems to meet the NIS2 Directive's requirements
Many organizations find that they need to upgrade or change information security management systems in order to comply with the NIS2 Directive. The organization must be able to:
- Demonstrate defined responsibilities
- Ensure that key processes are operational, such as information system security policies, incident handling and management, business continuity (e.g., backup systems and disaster recovery plans), third-party risk management, vulnerability management, and employee security awareness training
- Identify, remediate, and monitor security risks
Make multi-factor authentication mandatory for all users
Implementing multi-factor authentication (MFA) to secure all accounts, in lieu of passwords alone, plays an integral part in protecting assets and meeting the requirements of the NIS2 Directive.
Prepare for incident reporting
In the event of an incident, time is of the essence for NIS2 compliance. Steps to ensure a timely response to an incident include:
- Pre-staging templates for 24-hour, 72-hour, and 30-day reports
- Having a Computer Security Incident Response Team (CSIRT) contact sheet
- Defining "awareness" internally, since the clock starts when the entity becomes aware of the significant incident; record the point at which triage determines that the significance criteria are met, so that the 24-hour and 72-hour deadlines have a defensible anchor
- Conducting training for all parties that will be engaged in executing the incident response plan
Understand the NIS2 Directive's requirements and prepare to meet them
This means taking time to study the requirements and assess the organization's readiness to comply. It includes identifying gaps and putting plans in place to fill them in advance of the compliance deadline.
Another component of preparedness is securing support from leadership, buy-in from stakeholders, and the necessary budget and resources. Starting early is imperative as delays are near inevitable, and the deadlines will not accommodate delays.
Real-world examples of NIS2 compliance in the EU
Cross-border NIS2 compliance
For the digital infrastructure and digital provider types listed in Article 26 (DNS service providers, TLD name registries, domain name registration services, cloud, data centre and CDN providers, MSPs and MSSPs, online marketplaces, search engines, and social networking platforms), jurisdiction follows a "main establishment" principle: the entity falls under the Member State where decisions on cybersecurity risk management are predominantly taken (or, failing that, where cybersecurity operations are carried out or where it has the most employees in the EU). Other entities are supervised in each Member State where they are established, and entities without an EU establishment that offer such services in the EU must designate an EU representative. Cooperation networks (e.g., EU-CyCLONe and the NIS Cooperation Group) are intended to ensure that incidents affecting multiple countries are handled consistently rather than through fragmented enforcement. The following cloud service provider example illustrates how this plays out.
A U.S.-headquartered cloud provider with data centers in Germany, France, and Ireland is subject to NIS2 as an essential entity. In this case, the provider's main EU establishment (e.g., its Irish entity, if cybersecurity decisions are taken there) determines the lead jurisdiction, and the Irish competent authority becomes the primary supervisory authority, coordinating oversight with the German and French authorities. If a security incident in Germany disrupts services across the EU, the provider reports to the Irish CSIRT or competent authority, and Ireland's Single Point of Contact (SPOC) informs the other affected Member States and ENISA without undue delay.
Coordinating with third-party providers for NIS2 compliance
Third-party and supply-chain risk management is a key part of NIS2. Under NIS2, entities remain responsible for security even when outsourcing. That means vendor assessments, contractual safeguards, ongoing monitoring, and incident-notification obligations must be in place for third-party providers, taking into account the supplier's own security practices and secure development procedures. The role of third parties in manufacturing supply chains is demonstrated in the following example.
A medical device manufacturer, which is classified as an important entity, sources IoT components from multiple suppliers across the EU. The manufacturer maps its supplier ecosystem to identify critical dependencies and maintains a business continuity plan that includes alternate sourcing agreements in case a supplier is compromised. In this example, the manufacturer also requires suppliers by contract to maintain a certified information security management system (ISO/IEC 27001 or an equivalent standard), to provide cybersecurity audit reports, and to notify the manufacturer of incidents affecting the components supplied. NIS2 itself does not mandate a particular standard; the choice of ISO/IEC 27001 is the manufacturer's way of evidencing supplier due diligence.
The NIS2 Directive—Part of a growing trend
The NIS2 Directive establishes a mandatory, harmonized cybersecurity baseline across the EU. It expands the range of covered sectors, sets stricter risk management and reporting obligations, and holds leadership accountable for compliance.
The NIS2 Directive represents a growing trend for cybersecurity and cyber resilience to be written into legislation. As a directive, it binds each EU member state to transpose its requirements into national law, so the detailed obligations an entity faces come from that national legislation and the competent authority's guidance.
The NIS2 Directive has a far reach into organizations of all types with the intention of shoring up defenses against escalating cyber threats. The good news about the NIS2 Directive and similar initiatives is that they help organizations improve their overall cybersecurity posture, which has positive impacts on all aspects of operations.
DISCLAIMER: THE INFORMATION CONTAINED IN THIS ARTICLE IS FOR INFORMATIONAL PURPOSES ONLY, AND NOTHING CONVEYED IN THIS ARTICLE IS INTENDED TO CONSTITUTE ANY FORM OF LEGAL ADVICE. SAILPOINT CANNOT GIVE SUCH ADVICE AND RECOMMENDS THAT YOU CONTACT LEGAL COUNSEL REGARDING APPLICABLE LEGAL ISSUES.