NIS2 Directive: Network & Information Security
If you provide essential services (energy, transport, health, banking) or important digital services, NIS2 requires you to implement robust cybersecurity measures and report incidents within 24 hours.
Important: NIS2 is Now in Effect
While many EU member states are still finalizing their national implementations (only 9 out of 27 have fully transposed as of Feb 2025), organizations must comply with NIS2 requirements immediately. The EU has opened infringement procedures against 23 member states and issued reasoned opinions to 19 countries for delayed transposition.
Don't wait for your country's full implementation - start your compliance journey now to avoid penalties when enforcement begins.
NIS2 in Plain English
NIS2 is the EU's cybersecurity law for organizations that provide essential services (like hospitals, power plants, banks) or important digital services (like cloud providers, online marketplaces). If hackers attack your systems and disrupt services that people depend on, you must report it within 24 hours and have robust defenses in place.
This isn't just another compliance exercise. NIS2 recognizes that our digital economy depends on interconnected services—when one organization gets breached, it can cascade across entire sectors. That's why the directive focuses on collective resilience rather than individual compliance checkboxes.
What makes NIS2 different? Unlike previous cybersecurity guidelines, NIS2 has serious enforcement mechanisms. Management can be held personally liable, meaning board members and executives can face individual consequences for cybersecurity failures. This creates direct accountability at the highest organizational levels and ensures cybersecurity gets the attention it deserves.
End-to-End Compliance Framework: NIS2 compliance is best achieved through established standards: ISO/IEC 27001 as the governance backbone, ISO/IEC 27035 and 22301 for incident management and business continuity, NIST CSF 2.0 or CIS Controls for practical implementation, and ENISA guidance for EU-specific interpretation.
Start Here - Pick What Fits You Best
Choose your path based on your sector and readiness level:
- ISO 27001 Compliance Mapper: Map your existing ISO 27001 ISMS to NIS2 requirements
- Quick Assessment: Check whether NIS2 applies to you and what you need, in 5 minutes
- Browse NIS2 Articles: Read all 46 NIS2 articles with highlights and notes
- Sector Check: Verify whether your industry sector is covered by NIS2
- Download Checklist: Get a complete NIS2 compliance checklist to work offline
- Incident Response Kit: Get templates for 24-hour incident reporting
- Get Expert Help: Work with our cybersecurity compliance specialists
- Step-by-Step Guide: Follow our detailed implementation roadmap
Why NIS2 Compliance Matters for Your Business
Beyond avoiding penalties, NIS2 compliance represents a strategic advantage. Companies that implement security by design reduce their risk of costly breaches, build customer trust, and gain competitive differentiation in an increasingly security-conscious market.
What NIS2 Actually Requires You to Do
NIS2 establishes essential cybersecurity requirements that apply throughout your product's lifecycle. These aren't just theoretical guidelines—they're practical obligations with legal consequences.
Think of it this way: just as physical products need safety standards (crash tests for cars, fire safety for electronics), NIS2 creates mandatory security standards for digital products. Every requirement serves a specific purpose in protecting end users and the broader digital ecosystem.
Risk Management (ISO 27001 ISMS)
ISO/IEC 27001 risk management as governance backbone
This means integrating security considerations from the very first design sketches. No more 'we'll add security later'—it must be part of your core product development process from day one.
Specific Requirements:
💡 Practical Tip: Start by conducting threat modeling sessions during your product planning phase. Many teams find Microsoft's STRIDE methodology helpful for systematic threat identification.
Incident Response (ISO 27035)
ISO/IEC 27035 incident management for NIS2 reporting
You must establish a coordinated vulnerability disclosure process, maintain security throughout the product lifecycle, and respond quickly to security issues. This isn't just about fixing bugs—it's about professional incident response.
Specific Requirements:
💡 Practical Tip: Set up a security@yourcompany.com email address and establish SLAs for response times. Consider partnering with vulnerability disclosure platforms like HackerOne or Bugcrowd.
Business Continuity (ISO 22301)
ISO/IEC 22301 business continuity for resilience obligations
Clear, accessible documentation helps users understand security features and configure products safely. This reduces support calls and prevents security misconfigurations that could lead to breaches.
Specific Requirements:
💡 Practical Tip: Create user-friendly security guides alongside your regular documentation. Include clear setup instructions, common security mistakes to avoid, and troubleshooting guidance.
Supply Chain Security
Manage risks from suppliers and partners
Products must be assessed for their potential impact if compromised. Critical infrastructure products face stricter requirements than consumer apps, reflecting their different risk profiles.
Specific Requirements:
💡 Practical Tip: Use risk assessment frameworks like the NIST Cybersecurity Framework to systematically evaluate your product's risk level. Document your reasoning for audit purposes.
Security Implementation (NIST/CIS)
NIST CSF 2.0 or CIS Controls for 'state of the art' implementation
You're responsible for the security of all components in your product, including third-party libraries and dependencies. This creates accountability throughout the entire supply chain.
Specific Requirements:
💡 Practical Tip: Implement Software Bill of Materials (SBOM) tracking from the start. Tools like Syft, CycloneDX, or SPDX can help automate component inventory management.
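To make the SBOM tip concrete, here is an added example (not code from this page, from Syft, or from the CycloneDX project) that inventories a CycloneDX JSON document the way a supply-chain reviewer would: it walks all components (including nested ones), groups them by package ecosystem from the purl, and flags the gaps an auditor asks about first: components with no version, no purl, or no named supplier, and the same library shipped in more than one version. The field names (`bomFormat`, `specVersion`, `components`, `purl`, `supplier`) follow the CycloneDX schema; the SBOM itself is constructed sample input, and the component names and supplier in it are made up.

```python
import json
from collections import defaultdict

# Constructed CycloneDX 1.5 document used as sample input; names, versions and
# the supplier are invented for illustration, not taken from any real project.
SAMPLE_SBOM = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "version": 1,
  "metadata": {"component": {"type": "application", "name": "example-app", "version": "2.3.0"}},
  "components": [
    {"type": "library", "name": "requests", "version": "2.31.0",
     "purl": "pkg:pypi/requests@2.31.0", "supplier": {"name": "Example Supplier A"}},
    {"type": "library", "name": "urllib3", "version": "1.26.5",
     "purl": "pkg:pypi/urllib3@1.26.5"},
    {"type": "library", "name": "urllib3", "version": "2.0.7",
     "purl": "pkg:pypi/urllib3@2.0.7"},
    {"type": "library", "name": "leftover-vendored-lib"},
    {"type": "library", "name": "jquery", "version": "3.7.1",
     "purl": "pkg:npm/jquery@3.7.1", "licenses": [{"license": {"id": "MIT"}}]}
  ]
}
"""


def load_sbom(text):
    """Parse a CycloneDX JSON document and reject anything that is not one."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return doc


def iter_components(components):
    """Yield every component, descending into nested 'components' arrays."""
    for comp in components or []:
        yield comp
        yield from iter_components(comp.get("components"))


def inventory(doc):
    """Return an inventory report with the gaps a supply-chain review cares about."""
    report = {
        "total": 0,
        "missing_version": [],   # cannot be matched against advisories
        "missing_purl": [],      # no machine-readable package identity
        "missing_supplier": [],  # nobody to hold accountable for the component
        "multiple_versions": {}, # same library shipped twice: likely an unmanaged dependency
        "by_ecosystem": {},      # counts per package type taken from the purl (pypi, npm, ...)
    }
    versions = defaultdict(set)
    for comp in iter_components(doc.get("components")):
        report["total"] += 1
        name = comp.get("name", "<unnamed>")
        version = comp.get("version")
        purl = comp.get("purl")
        if not version:
            report["missing_version"].append(name)
        else:
            versions[name].add(version)
        if not purl:
            report["missing_purl"].append(name)
        else:
            # purl layout is pkg:<type>/<namespace>/<name>@<version>; the type is the ecosystem.
            ecosystem = purl.split(":", 1)[1].split("/", 1)[0]
            report["by_ecosystem"][ecosystem] = report["by_ecosystem"].get(ecosystem, 0) + 1
        if not (comp.get("supplier") or {}).get("name"):
            report["missing_supplier"].append(name)
    report["multiple_versions"] = {n: sorted(v) for n, v in versions.items() if len(v) > 1}
    return report


if __name__ == "__main__":
    result = inventory(load_sbom(SAMPLE_SBOM))
    print(f"components: {result['total']}, by ecosystem: {result['by_ecosystem']}")
    for key in ("missing_version", "missing_purl", "missing_supplier"):
        if result[key]:
            print(f"{key}: {', '.join(result[key])}")
    for name, vers in result["multiple_versions"].items():
        print(f"multiple versions of {name}: {', '.join(vers)}")
```

Run it against a real SBOM by replacing `SAMPLE_SBOM` with the contents of a generated file (Syft can emit CycloneDX JSON); the "missing" lists are the items to chase with the team or the supplier before the next audit, and the `multiple_versions` map usually points at a dependency that is vendored in two places and will be patched in only one.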
Training & Awareness
Educate staff on cybersecurity
CE marking for cybersecurity works like CE marking for other product safety aspects. It's your declaration that the product meets EU security requirements and is safe to place on the market.
Specific Requirements:
💡 Practical Tip: Work with a notified body early in your process to understand the specific conformity assessment requirements for your product category and risk level.
The Bottom Line
NIS2 requirements aren't just compliance checkboxes—they represent cybersecurity best practices that protect your customers, your business, and the broader digital ecosystem. Companies that implement these requirements early often find they reduce long-term security costs while building stronger, more trustworthy products.
Free NIS2 Compliance Tools
Get started with our comprehensive toolkit designed to simplify your compliance journey. Each tool is built by experts and validated against official requirements.
Assessment & Planning
- ISO 27001 Compliance Mapper: Map your existing ISMS to NIS2 requirements
- Standards-Based Gap Analysis: Assess compliance using ISO/NIST/ENISA frameworks
- Compliance Checklist: Track all requirements in one place
Implementation & Documentation
- ISO 27035 Incident Framework: ISO 27035 incident management with NIS2 reporting
- Risk Assessment Guide: Identify and evaluate your cyber risks
- Sector Checker: Check whether your industry is covered
- NIST CSF 2.0 / CIS Implementation: Practical implementation guides for technical teams
- ENISA Guidance Toolkit: EU interpretation layer for compliance
Common NIS2 Questions
Which standards framework should I choose for NIS2 compliance?
Your choice depends on your organization's needs and existing certifications:
- Formal certification path: ISO/IEC 27001 (backbone) + ISO/IEC 22301 (BC) + ISO/IEC 27035 (incidents)
- Practical implementation: NIST CSF 2.0 or CIS Controls for technical teams
- EU interpretation: Always reference ENISA guidance for EU-specific requirements
- Mixed approach: ISO 27001 for governance + NIST/CIS for implementation + ENISA for compliance
What's the difference between NIS and NIS2?
NIS2 significantly expands the original NIS directive:
- Covers more sectors (18 vs 7)
- Includes medium-sized companies, not just large
- Stricter incident reporting (24 hours vs 72 hours)
- Personal liability for management
- Mandatory security measures, not just recommendations
What if I operate in multiple EU countries?
You'll need to identify your 'main establishment' - usually where you have:
- Your headquarters or main decision-making center
- The largest number of employees
- The highest turnover
How does NIS2 relate to GDPR?
NIS2 and GDPR complement each other:
- NIS2: Focuses on network and system security
- GDPR: Focuses on personal data protection
- A cyberattack affecting personal data triggers both NIS2 incident reporting and GDPR breach notification
- Many security measures help comply with both (encryption, access controls, incident response)
What counts as a reportable incident?
You must report incidents that:
- Cause or could cause substantial operational disruption
- Lead to financial losses above your threshold
- Affect other organizations or citizens
- Create public safety risks
Which countries have implemented NIS2?
As of February 2025, only 9 out of 27 EU countries have fully transposed NIS2:
- Fully implemented: Belgium, Croatia, Lithuania, Greece, Hungary, Italy, Latvia, Romania, Slovakia
- Partial implementation: Germany, France, Netherlands, Sweden
- 19 countries received EU reasoned opinions in May 2025 for incomplete transposition
- Organizations must comply regardless of national implementation status