AI-Act.Click
What Is the NIS2 Directive and Who Does It Apply To?

Overview of the NIS2 Directive (2022/2555), its scope covering 160,000+ EU entities, sector requirements, and compliance deadlines for SMBs.

Understanding the NIS2 Directive

The NIS2 Directive (Directive 2022/2555) is the EU's updated cybersecurity framework that significantly expands the scope and requirements of the original NIS Directive. It applies to over 160,000 entities across the EU (source: EU NIS2 Directive impact assessment).

Who Must Comply?

NIS2 covers two categories of entities:

Essential Entities (stricter oversight):

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Health sector
  • Drinking water and wastewater
  • Digital infrastructure
  • ICT service management (B2B)
  • Public administration
  • Space

Important Entities (lighter oversight):

  • Postal and courier services
  • Waste management
  • Chemical manufacturing
  • Food production and distribution
  • Manufacturing of medical devices, machinery, motor vehicles
  • Digital providers (online marketplaces, search engines, social networks)

Size Thresholds

NIS2 generally applies to medium-sized and large entities:

  • Medium: 50+ employees or €10M+ annual turnover
  • Large: 250+ employees or €50M+ annual turnover

Some entities are covered regardless of size (e.g., domain name registries, DNS providers, trust service providers).

Key Requirements

  1. Risk Management (Article 21): Implement appropriate cybersecurity risk management measures, including policies on risk analysis, incident handling, business continuity, and supply chain security.
  2. Incident Reporting (Article 23): Report significant incidents to the national CSIRT within strict timelines:
     • 24 hours: Early warning
     • 72 hours: Incident notification
     • 30 days: Final report
  3. Supply Chain Security: Assess and manage cybersecurity risks in the supply chain, including direct suppliers and service providers.
  4. Management Body Accountability: Senior management must approve and oversee cybersecurity measures and can be held personally liable.

Market Impact

According to ENISA NIS360 2024:

  • 74% of SMBs lack a dedicated compliance budget
  • 89% report needing additional headcount for compliance
  • 65% haven't started incident readiness preparations
  • Only 24% have certified compliance staff

National Transposition

Each EU Member State must transpose NIS2 into national law. Key examples:

  • Germany: NIS2UmsuCG (NIS2 Implementation Act)
  • Italy: Legislative Decree transposing NIS2
  • Netherlands: Cyberbeveiligingswet (Cybersecurity Act)

Convergence with EU AI Act

Companies deploying high-risk AI systems in NIS2-regulated sectors face dual compliance obligations. The cybersecurity requirements of the AI Act (Article 15) align with NIS2's risk management framework, creating opportunities for integrated compliance approaches.

Sources

  • NIS2 Directive — Directive (EU) 2022/2555
  • ENISA NIS360 2024 Report
  • European Commission NIS2 Fact Sheet
