AI-generated content: Responses are generated by AI, automatically assembled and may contain errors. Conformi is a research tool and does not replace legal advice or case-by-case legal review. All responses should be verified using the linked original sources.

NIS 2 Directive — Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union

Analysis from 17 April 2026. 3 sources. Consolidated version of 27.12.2022 (original text with corrigendum C1). EUR-Lex Original.

Does our organisation fall under NIS 2, and what happens if we miss the 24-hour incident notification window?

Any medium-sized or larger entity in the 18 critical sectors has had to comply since 18 October 2024 — essential entities face fines of up to EUR 10 million or 2 % of global turnover, and the CISO must file the first incident alert within 24 hours [Art. 23(4)].

Short Answer

The NIS 2 Directive replaces the original NIS Directive and dramatically expands the scope of EU cybersecurity obligations from a few hundred operators to tens of thousands of entities across 18 sectors listed in Annexes I and II [Art. 2(1)]. Management bodies must personally approve and oversee cybersecurity risk-management measures and can be held liable for non-compliance [Art. 20(1)]. The Directive mandates a structured incident-reporting cascade: early warning within 24 hours, full notification within 72 hours, and a final report within one month [Art. 23(4)]. Supply-chain security is now an explicit legal requirement, covering direct suppliers and service providers [Art. 21(2)(d)].

Who is affected

The Directive covers public or private entities that qualify as medium-sized enterprises (50+ employees or EUR 10 million+ turnover) or larger and operate in one of the 11 highly critical sectors of Annex I (energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management B2B, public administration, space) or the 7 other critical sectors of Annex II (postal services, waste management, chemicals, food, manufacturing, digital providers, research). Certain entities are caught regardless of size: trust service providers, TLD registries, DNS service providers, public electronic communications providers, sole providers of essential services, and entities identified as critical under Directive (EU) 2022/2557 [Art. 2(2)-(3)].

Deadline

Enforcement has been live since 18 October 2024 [Art. 41(1)]. Member States had to establish lists of essential and important entities by 17 April 2025 [Art. 3(3)]. Ongoing: every significant incident must trigger an early warning within 24 hours and a full notification within 72 hours [Art. 23(4)(a)-(b)].

Risk

Essential entities: administrative fines up to EUR 10 000 000 or 2 % of total worldwide annual turnover, whichever is higher [Art. 34(4)]. Important entities: up to EUR 7 000 000 or 1.4 % of global turnover [Art. 34(5)]. Beyond fines, competent authorities may suspend certifications or authorisations and temporarily ban senior managers from exercising managerial functions [Art. 32(5)]. Personal liability for management-body members who fail to approve and oversee cybersecurity measures is explicitly provided [Art. 20(1), Art. 32(6)].

Proof

Legal status

  • In force
  • as of 2026-04-17
  • Consolidated version of 27.12.2022 (original text with corrigendum C1)

Primary sources

What to do now

Legal / DPO

  • Map your entity classification — determine whether you qualify as essential or important under [Art. 3(1)-(2)] based on Annex I/II sector, size thresholds, and special-category rules (trust services, DNS, telecoms).
  • Draft management-body liability clauses — [Art. 20(1)] requires board-level approval of cybersecurity risk-management measures, and members can be held personally liable; update D&O policies and board mandates accordingly.
  • Review cross-border jurisdiction rules — if you operate across multiple Member States, identify the single competent authority under [Art. 26(1)-(2)] and, for digital-infrastructure entities, determine main establishment per the NIS 2 hierarchy.

Compliance

  • Implement the 10 minimum risk-management measures in [Art. 21(2)(a)-(j)] — from risk-analysis policies and incident handling through supply-chain security, cryptography, and multi-factor authentication.
  • Build the four-step incident-reporting workflow required by [Art. 23(4)]: early warning within 24 hours, incident notification within 72 hours, intermediate reports on request, and a final report within one month.
  • Register the entity with the national competent authority by submitting name, contact details, sector classification, and Member States of service provision [Art. 3(4), Art. 27(2)].

IT / Security

  • Conduct a supply-chain risk assessment covering direct suppliers and service providers, including their secure development procedures, as required by [Art. 21(2)(d)] and [Art. 21(3)].
  • Deploy multi-factor authentication, secured communications, and encrypted emergency communication channels where appropriate, per [Art. 21(2)(j)].
  • Establish vulnerability-handling and disclosure processes aligned with [Art. 21(2)(e)], and coordinate with your national CSIRT and with the European vulnerability database maintained by ENISA under [Art. 12].

Product / Engineering

  • Evaluate whether your ICT products or services require European cybersecurity certification under schemes adopted pursuant to [Art. 24(1)] to demonstrate compliance with [Art. 21].
  • Integrate security-by-design into development and maintenance workflows to meet the network and information systems acquisition requirements of [Art. 21(2)(e)].
  • Ensure business-continuity planning covers backup management, disaster recovery, and crisis management for all products and services in scope [Art. 21(2)(c)].

Key Terms

Essential entity
An entity in a highly critical sector (Annex I) exceeding medium-sized enterprise thresholds, or belonging to special categories such as qualified trust service providers and DNS service providers, subject to the stricter supervisory regime [Art. 3(1)].
Important entity
An entity of a type listed in Annex I or II that falls within the scope of the Directive but does not qualify as essential — subject to lighter, ex-post supervision [Art. 3(2)].
Significant incident
An event that has caused or is capable of causing severe operational disruption or financial loss for the entity, or that has affected or could affect other persons by causing considerable material or non-material damage [Art. 23(3)].
CSIRT
Computer Security Incident Response Team — a nationally designated team responsible for receiving incident notifications, providing initial feedback within 24 hours, and offering technical support to affected entities [Art. 10, Art. 23(5)].
All-hazards approach
A risk-management methodology that aims to protect network and information systems and their physical environment from all types of incidents, forming the basis for the ten minimum measures in [Art. 21(2)].
Management body
The governing body of an essential or important entity (e.g. board of directors, executive board) that must approve cybersecurity measures, undergo training, and can be held personally liable for non-compliance [Art. 20].
Near miss
An event that could have compromised the availability, authenticity, integrity or confidentiality of data or services but was successfully prevented or did not materialise [Art. 6(5)].

Frequently Asked Questions

How do I know if my organisation is 'essential' or 'important'?
Entities in Annex I sectors that exceed the medium-sized enterprise ceiling (250+ employees or EUR 50 million+ turnover) are essential [Art. 3(1)(a)]. Qualified trust service providers, TLD registries, DNS providers, and medium-sized telecoms providers are essential regardless of size [Art. 3(1)(b)-(c)]. All other in-scope entities from Annexes I or II that meet the medium-enterprise threshold but not the large-enterprise threshold are classified as important [Art. 3(2)].
What exactly must be reported within the first 24 hours after detecting a significant incident?
An early warning indicating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have cross-border impact [Art. 23(4)(a)]. This is not a detailed technical report — the full incident notification with severity assessment and indicators of compromise follows within 72 hours [Art. 23(4)(b)].
Can management-body members be personally sanctioned?
Yes. Management bodies must approve and oversee cybersecurity risk-management measures under [Art. 20(1)] and can be held liable for infringements of [Art. 21]. For essential entities, if enforcement measures remain ineffective, competent authorities may temporarily prohibit individuals at CEO or legal-representative level from exercising managerial functions [Art. 32(5)(b)].
Does NIS 2 apply to small enterprises?
Generally no — the Directive applies to medium-sized enterprises and larger [Art. 2(1)]. However, several categories are caught regardless of size: providers of public electronic communications networks or services, trust service providers, TLD registries, DNS service providers, sole providers of essential services, and entities whose disruption could have significant systemic or cross-border impact [Art. 2(2)].
What are the supply-chain security obligations?
Entities must address security-related aspects of relationships with each direct supplier and service provider [Art. 21(2)(d)]. They must consider vendor-specific vulnerabilities, overall product quality, and the cybersecurity practices of suppliers, including secure development procedures [Art. 21(3)]. Entities must also account for coordinated supply-chain risk assessments conducted at EU level under [Art. 22].
How does NIS 2 interact with the GDPR?
The Directive applies without prejudice to the GDPR [Art. 2(12)]. Where a cybersecurity infringement also entails a personal data breach, the competent authority must inform the relevant data protection supervisory authority [Art. 35(1)]. Double penalties are avoided: if a GDPR fine is imposed for the same conduct, no additional NIS 2 administrative fine is imposed for that specific overlap [Art. 35(2)].
Is cybersecurity training mandatory?
Yes. Members of management bodies of essential and important entities are required to follow cybersecurity training, and the entities are encouraged to offer similar training to employees on a regular basis [Art. 20(2)]. Basic cyber hygiene practices and cybersecurity training are also listed among the minimum risk-management measures [Art. 21(2)(g)].