The Network and Information Security Directive 2 (NIS2), Directive (EU) 2022/2555, replaced the original NIS Directive in January 2023 and required EU member states to transpose it into national law by 17 October 2024. NIS2 substantially expands the scope of EU cyber security obligations, bringing many more sectors and organisations within its remit and significantly strengthening the security measures, incident reporting, and enforcement provisions that apply. For organisations in scope, a structured NIS2 audit provides clarity on compliance status and a defensible record of accountability.
Essential vs Important Entities
NIS2 introduces a two-tier classification:
- Essential entities: Large organisations in highly critical sectors — energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure (IXPs, DNS, TLD registries, cloud providers, data centres, content delivery networks, trust service providers, electronic communications), space, and public administration. Stricter supervisory regime applies, including ex-ante supervision.
- Important entities: Organisations in additional sectors including postal and courier services, waste management, manufacture of chemicals, food, medical devices, electronics, motor vehicles, and digital providers (online marketplaces, online search engines, social networking platforms). Subject to ex-post (reactive) supervision.
The classification also depends on organisation size — medium and large organisations in these sectors are generally in scope; micro and small enterprises may qualify for exemptions (with specific exceptions for critical services).
10 Minimum Security Measures
Article 21 of NIS2 requires entities to implement risk-proportionate technical, operational, and organisational measures. The ten minimum measures are:
- Policies on risk analysis and information system security
- Incident handling (detection, analysis, containment, and recovery)
- Business continuity and crisis management including backup and disaster recovery
- Supply chain security including relationships with direct suppliers and service providers
- Security in network and information systems acquisition, development, and maintenance, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of cyber security risk management measures
- Basic cyber hygiene practices and cyber security training
- Policies and procedures regarding the use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Use of multi-factor authentication or continuous authentication solutions, secured voice/video/text communications, and secured emergency communication systems
Incident Reporting: 24h and 72h Requirements
NIS2 introduces mandatory incident reporting timelines that are significantly tighter than previous requirements:
- Early warning (24 hours): Any significant incident must be reported to the national CSIRT or competent authority within 24 hours of becoming aware, without undue delay.
- Incident notification (72 hours): A more detailed notification must follow within 72 hours, including an initial assessment of severity, impact, and indicators of compromise.
- Intermediate report: Where requested, an updated report within one month of the early warning.
- Final report (one month): A final incident report within one month of the incident notification, providing a full description, root cause, mitigation measures applied, and cross-border impact.
A "significant incident" is one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting other persons by causing considerable material or non-material damage.
Supply Chain Security and Penalties
NIS2 places particular emphasis on supply chain security — entities must assess and manage cyber security risks arising from their relationships with suppliers and service providers. This includes conducting security assessments of critical suppliers and including security requirements in procurement contracts.
Enforcement is significantly strengthened compared to NIS1. For essential entities, maximum penalties are at least €10 million or 2% of global annual turnover (whichever is higher). For important entities, the maximum is at least €7 million or 1.4% of global annual turnover. Member state supervisory authorities also have powers to conduct on-site inspections and order remediation.
A NIS2 audit maps your organisation against the Article 21 requirements, identifies gaps in your incident handling, business continuity, supply chain, and technical security measures, and provides a prioritised remediation roadmap. It also tests your incident reporting procedures against the 24-hour and 72-hour timelines — a common area of unpreparedness.