What is NIS 2? A guide to navigating compliance requirements

by SecureSlate Team in NIS 2


The Network and Information Systems Directive (NIS, Directive (EU) 2016/1148) was introduced in 2016 to raise baseline cybersecurity expectations across the EU. In December 2022, the EU adopted a replacement, Directive (EU) 2022/2555, commonly called NIS 2, to expand scope, clarify responsibilities, and strengthen enforcement.

If your organization operates in the EU (or supports organizations that do), you may be asking the same question many security and compliance teams are asking right now: What is NIS 2, and what do we need to do to be ready?

This guide covers:

  • NIS 2’s purpose, scope, and likely penalties for non-compliance
  • The security and governance requirements you need to operationalize
  • Incident reporting expectations you should treat as “day-one” readiness items
  • A practical, high-level compliance process
  • Common challenges teams run into (and how to avoid them)



Key takeaways

  • NIS 2 is an EU directive: Member States transpose it into national law, so the exact obligations and enforcement details can vary by country.
  • NIS 2 expands scope beyond the original NIS and introduces clearer expectations for governance, risk management, supply chain security, and incident reporting.
  • Entities are generally categorized as “essential” or “important”, which affects how supervision and enforcement may be applied.
  • Incident reporting readiness is critical: NIS 2 sets a staged timeline for significant incidents: an early warning within 24 hours of becoming aware, an incident notification within 72 hours, and a final report within one month of that notification.
  • A solid mapping to a prescriptive standard helps: Many teams pair NIS 2 with an operational framework such as ISO 27001 to make implementation more concrete.

What is NIS 2?

NIS 2 is the EU’s updated cybersecurity directive intended to improve resilience across sectors that are critical to the economy and society.

Compared to the original NIS directive, NIS 2 places stronger emphasis on:

  • Governance and accountability (including senior management responsibility)
  • Risk management measures that must be implemented and maintained
  • Supply chain security
  • More consistent incident reporting
  • Stronger, more uniform enforcement (even though national implementation details can differ)

NIS 2 was adopted in December 2022, and Member States were required to transpose it into national law by 17 October 2024. Because obligations apply through each Member State's implementation, and reporting and readiness expectations can be enforced quickly once local rules are in place, it is widely treated as a time-sensitive compliance priority.


Why NIS 2 matters

For in-scope organizations, NIS 2 matters for two reasons:

  1. It’s mandatory once transposed into national law (and enforcement can include substantial financial and non-financial measures).
  2. It reduces ambiguity compared to the original directive by sharpening expectations around governance, reporting, and baseline cybersecurity practices.

Beyond avoiding penalties, the upside is practical: if you build a repeatable NIS 2-ready program (scope → controls → evidence → reporting), you also strengthen your overall operational resilience and make it easier to satisfy overlapping obligations (for example, ISO 27001, SOC 2, or sector-specific requirements).


What is the scope of NIS 2?

NIS 2 applies across many sectors. The directive distinguishes between:

  • Essential entities: large entities in the high-criticality sectors of Annex I, plus a few categories that are essential regardless of size (for example qualified trust service providers, TLD name registries and DNS service providers) and certain central-government public administration entities
  • Important entities: medium-sized entities in Annex I sectors, and medium-sized or large entities in the Annex II sectors; the directive still treats them as critical, but supervision is reactive (ex post) rather than proactive

The Annex I (high-criticality) sectors, which is where essential entities come from, include:

  • Energy
  • Transport
  • Banking and financial market infrastructures
  • Public administration
  • Health
  • Space
  • Water supply (drinking water and wastewater)
  • Digital infrastructure and ICT service management (business-to-business)

The Annex II (other critical) sectors, where entities are classed as important, include:

  • Postal services
  • Waste management
  • Chemicals
  • Research
  • Food
  • Manufacturing
  • Digital providers

Size matters, but it's not the only factor. Certain organizations are in scope regardless of size because of the role they play: DNS service providers, TLD name registries and qualified trust service providers are the clearest examples, and Member States can also designate individual entities whose disruption would have significant impact.

If you’re unsure whether you’re in scope, treat scoping as a fast, structured exercise:

  • Identify which legal entity (or entities) in your org operate in the EU
  • Map the services you provide to NIS 2-covered sectors
  • Confirm whether you meet the size threshold (NIS 2 uses the EU SME definition: medium-sized means 50 or more staff, or both annual turnover and balance sheet total above €10 million) or fall under a regardless-of-size category in the relevant Member State
  • Document your conclusion and assumptions (so you can revisit them if guidance changes)

NIS 2 non-compliance penalties (and management accountability)

NIS 2 sets minimum ceilings for administrative fines that every Member State must provide for, and the ceilings differ by entity type:

  • Essential entities: at least up to €10,000,000 or 2% of total worldwide annual turnover in the preceding financial year, whichever is higher
  • Important entities: at least up to €7,000,000 or 1.4% of total worldwide annual turnover in the preceding financial year, whichever is higher

National transposition can set higher ceilings, and the fine actually imposed depends on the circumstances (gravity and duration of the infringement, previous infringements, and cooperation with the authority).

Beyond fines, supervisory authorities may apply non-monetary measures such as:

  • Binding instructions to remediate deficiencies, with deadlines
  • Orders to implement the recommendations of a security audit
  • Orders to inform affected customers or the public about an infringement (depending on national rules)
  • For essential entities, where other measures prove ineffective: temporary suspension of a certification or authorisation, or a temporary ban on a CEO or legal representative exercising managerial functions

NIS 2 also makes management accountability explicit. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, follow training themselves, and can be held liable for infringements. Practically, that means leadership needs to actively support the program (budget, staffing, and risk decisions) because the directive treats cybersecurity risk as a governance responsibility, not an "IT problem."


Key security requirements in NIS 2

NIS 2’s security expectations are commonly operationalized across three themes:

  • Business continuity
  • Corporate accountability
  • Effective incident reporting

While NIS 2 does not provide a one-to-one "control catalog," Article 21(2) lists the minimum measures organizations must implement, following an all-hazards approach. Teams typically translate those measures into a control set covering:

  1. Policies on risk analysis and information system security
  2. Incident handling
  3. Business continuity (backup management, crisis management, disaster recovery)
  4. Supply chain security (including vendor and service-provider relationships)
  5. Secure acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of risk management measures (testing, reviews, and continuous improvement)
  7. Basic cyber hygiene practices and security training
  8. Policies on the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control, and asset management
  10. Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate

Practical tip: If your team finds NIS 2 “not prescriptive enough,” map NIS 2 obligations to a standard like ISO 27001 and run a structured gap assessment. That turns high-level requirements into implementable controls, owners, and evidence.


Incident reporting: what to operationalize

Incident reporting is one of the areas where teams benefit from turning NIS 2 requirements into concrete operating procedures.

Article 23 sets a staged timeline for significant incidents, measured from the moment the entity becomes aware of the incident: an early warning to the CSIRT or competent authority within 24 hours (stating whether a malicious or unlawful cause is suspected and whether cross-border impact is possible), an incident notification within 72 hours (an initial assessment of severity and impact, plus indicators of compromise where available), intermediate updates on request, and a final report no later than one month after the incident notification. National implementations may add detail, but these milestones are the directive's own.

To operationalize this without chaos, define (and test) the full reporting loop:

  • Significant incident criteria: What triggers the NIS 2 reporting clock? The directive's test is whether the incident has caused or can cause severe operational disruption or financial loss for your entity, or considerable material or non-material damage to other persons; decide in advance what "severe" and "considerable" mean for your services.
  • Decision rights: Who makes the “report / don’t report” call, and who approves?
  • Data collection: What information must be available within hours (scope, impact, affected services, mitigations)?
  • Communication paths: Legal, security, ops, execs, external communications, and regulators
  • Evidence trail: A consistent way to log incident timeline, decisions, and outputs

If you already have an incident response plan, NIS 2 readiness often comes down to tightening the classification criteria and ensuring you can meet the fastest reporting milestone under stress.
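The deadline arithmetic above is simple enough to get wrong under stress, so here is a small, added example (not code from the original article or from SecureSlate) that turns it into a runbook helper: it applies the two-part significance test, computes the three milestones from the moment of awareness, treats the final-report deadline as a calendar month counted from when the 72-hour notification was actually submitted rather than from awareness, and flags milestones that are imminent or overdue. The class and function names, and the four-hour "imminent" threshold, are assumptions of this example, as is the idea that the significance thresholds have already been decided by the organization.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class IncidentAssessment:
    """Facts the IR lead can usually establish within the first hours.

    The first two fields mirror how NIS 2 defines a 'significant' incident
    (Art. 23(3)); what counts as 'severe' or 'considerable' is an assumed,
    organisation-specific threshold applied before this object is built.
    The last two are the minimum content of the 24-hour early warning.
    """
    severe_disruption_or_loss: bool        # test (a): impact on the entity itself
    considerable_third_party_damage: bool  # test (b): impact on other persons
    suspected_unlawful_or_malicious: bool  # reported in the early warning
    possible_cross_border_impact: bool     # reported in the early warning


def is_significant(a: IncidentAssessment) -> bool:
    """The reporting clock starts only when at least one test is met."""
    return a.severe_disruption_or_loss or a.considerable_third_party_damage


def early_warning_payload(a: IncidentAssessment, aware_at: datetime) -> Dict[str, object]:
    """Minimum content of the early warning; detail can follow at 72 hours."""
    return {
        "aware_at": aware_at.astimezone(timezone.utc).isoformat(),
        "suspected_unlawful_or_malicious": a.suspected_unlawful_or_malicious,
        "possible_cross_border_impact": a.possible_cross_border_impact,
    }


def add_calendar_month(t: datetime) -> datetime:
    """'One month' is calendar-based; clamp the day for short months
    (31 Jan -> 28/29 Feb) instead of silently rolling into March."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    day = min(t.day, calendar.monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime,
                        notification_submitted_at: Optional[datetime] = None) -> Dict[str, object]:
    """Compute the Art. 23(4) milestones from the moment of awareness.

    The final report is due one month after the incident notification is
    *submitted*, so it is only fixed once that notification has gone out;
    before that, the earliest possible date (72 h + 1 month) is shown.
    """
    if aware_at.tzinfo is None:
        raise ValueError("use timezone-aware timestamps; deadlines are computed in UTC")
    aware_at = aware_at.astimezone(timezone.utc)
    early_warning = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    if notification_submitted_at is not None:
        final_basis, final_fixed = notification_submitted_at.astimezone(timezone.utc), True
    else:
        final_basis, final_fixed = notification, False
    return {
        "early_warning_due": early_warning,
        "incident_notification_due": notification,
        "final_report_due": add_calendar_month(final_basis),
        "final_report_due_is_fixed": final_fixed,
    }


def milestone_status(deadlines: Dict[str, object], now: datetime) -> Dict[str, str]:
    """Label each milestone 'due', 'imminent' (under 4 h left, an assumed
    escalation threshold) or 'OVERDUE' relative to `now`."""
    now = now.astimezone(timezone.utc)
    status = {}
    for key in ("early_warning_due", "incident_notification_due", "final_report_due"):
        left = deadlines[key] - now
        if left <= timedelta(0):
            status[key] = "OVERDUE"
        elif left <= timedelta(hours=4):
            status[key] = "imminent"
        else:
            status[key] = "due"
    return status


if __name__ == "__main__":
    # Constructed scenario: awareness on 31 Jan 2024 10:00 UTC, notification sent the same evening.
    aware = datetime(2024, 1, 31, 10, 0, tzinfo=timezone.utc)
    assessment = IncidentAssessment(True, False, True, False)
    if is_significant(assessment):
        print(early_warning_payload(assessment, aware))
        d = reporting_deadlines(aware, datetime(2024, 1, 31, 22, 0, tzinfo=timezone.utc))
        for k, v in d.items():
            print(f"{k}: {v}")
        print(milestone_status(d, datetime(2024, 2, 1, 7, 0, tzinfo=timezone.utc)))
```

Two design points worth copying into a real runbook: the helper refuses naive timestamps, because an incident that spans time zones is exactly when "24 hours" gets miscounted, and the final-report date is stored with a flag saying whether it is fixed yet, so nobody reads a provisional date as a commitment.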


NIS 2 compliance process at a glance

Your exact path depends on your current maturity and whether you’re an essential or important entity, but most teams follow a repeatable sequence:

  1. Set compliance goals: Decide whether you’re pursuing NIS 2 directly or anchoring implementation to a prescriptive framework (like ISO 27001).
  2. Confirm scope and ownership: Identify in-scope entities, systems, and critical services; assign accountable owners.
  3. Assess current state: Perform a structured review of policies, technical controls, and operational processes (including incident response and vendor oversight).
  4. Identify gaps and plan remediation: Map gaps to specific owners, timelines, and evidence requirements.
  5. Implement and operationalize controls: Focus on repeatability—controls that exist only “on paper” won’t hold up during supervision.
  6. Run readiness checks: Tabletop incident reporting exercises, backup/restore tests, supplier reviews, and control effectiveness reviews.
  7. Maintain evidence continuously: Keep artifacts current so you’re not rebuilding your program at the next deadline.

Some jurisdictions may add additional assurance expectations. Stay current on country-specific implementation guidance and supervisory authority expectations.


Common NIS 2 compliance challenges (and how to avoid them)

NIS 2 programs tend to stall for predictable reasons:

Limited clarity translates to “random acts of compliance”

When requirements feel high-level, teams may implement controls without a clear mapping to obligations. Fix this by choosing a baseline (often ISO 27001), mapping controls, and tracking evidence the same way you would for an audit.

Incident reporting isn’t practiced under time pressure

It's easy to say "we can send the early warning within 24 hours" and hard to do it during an ongoing incident. Run a tabletop exercise and verify that the right people can make the significance call and approve the notification quickly with incomplete information.

Supply chain coverage is incomplete

Vendor oversight breaks when vendor inventories are out-of-date or when risk tiering is inconsistent. Define risk tiers, minimum evidence per tier, and reassessment triggers (like service changes or incidents).

Evidence collection becomes a second job

Even where no regular third-party audit is required, supervisory authorities can request documentation and, for essential entities, order targeted security audits. If evidence lives across email threads and scattered folders, response time suffers.


Streamline NIS 2 readiness with SecureSlate

NIS 2 readiness is much easier to sustain when your requirements, controls, vendors, incidents, and evidence don’t live in separate systems.

SecureSlate helps you operationalize NIS 2 by centralizing the work:

  • Map requirements to controls so your program stays coherent as guidance evolves
  • Assign owners and track remediation so gaps close predictably
  • Centralize evidence for supervisory requests, internal reviews, and incident follow-ups
  • Support supply chain oversight with vendor inventory workflows and consistent evidence expectations

If you’re building an NIS 2 program, the goal is resilience you can demonstrate—without turning evidence and reporting into a recurring fire drill.

Get started for free: Create your SecureSlate account


FAQ: NIS 2 basics

Is NIS 2 a directive or a regulation?

NIS 2 is a directive, meaning each EU Member State transposes it into national law. Implementation details can vary by country.

Who does NIS 2 apply to?

NIS 2 applies to organizations in covered sectors that meet size/criticality thresholds, commonly categorized as essential or important entities. Some organizations can be in scope regardless of size due to their critical role.

Does ISO 27001 compliance mean we’re NIS 2 compliant?

Not automatically. ISO 27001 can provide a strong control framework foundation, but you still need to ensure NIS 2-specific scope, reporting expectations, and national implementation requirements are met.

What should we prioritize first?

Most teams start with scope confirmation, a gap assessment, and incident reporting operationalization (classification criteria, decision rights, and the ability to produce regulator-ready notifications quickly).


Disclaimer (legal note)

SecureSlate is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to NIS 2 and related laws and regulations, consult a licensed attorney.

