NIS2 Directive: Network & Information Security
If you provide essential services (energy, transport, health, banking) or important digital services, NIS2 requires you to implement robust cybersecurity measures and report incidents within 24 hours.
Important: NIS2 is Now in Effect
While many EU member states are still finalizing their national implementations (only 9 out of 27 have fully transposed as of Feb 2025), organizations must comply with NIS2 requirements immediately. The EU has opened infringement procedures against 23 member states and issued reasoned opinions to 19 countries for delayed transposition.
Don't wait for your country's full implementation - start your compliance journey now to avoid penalties when enforcement begins.
NIS2 in Plain English
NIS2 is the EU's cybersecurity law for organizations that provide essential services (like hospitals, power plants, banks) or important digital services (like cloud providers, online marketplaces). If hackers attack your systems and disrupt services that people depend on, you must report it within 24 hours and have robust defenses in place.
Start Here - Pick What Fits You Best
Choose your path based on your sector and readiness level:
- Quick Assessment: Check if NIS2 applies to you and what you need in 5 minutes
- Browse NIS2 Articles: Read all 46 NIS2 articles with highlights and notes
- Sector Check: Verify if your industry sector is covered by NIS2
- Download Checklist: Get a complete NIS2 compliance checklist to work offline
- Incident Response Kit: Get templates for 24-hour incident reporting
- Get Expert Help: Work with our cybersecurity compliance specialists
- Learn the Timeline: Understand implementation status across EU member states
Your 8-Step Path to NIS2 Compliance
Follow these steps to achieve full compliance. Each step builds on the previous one, creating a comprehensive compliance program.
1. Check If NIS2 Applies to You: Determine if your organization qualifies as an essential or important entity under NIS2
2. Set Up Cybersecurity Governance: Establish management-level oversight and clear cybersecurity responsibilities
3. Perform Risk Assessment: Identify and evaluate cybersecurity risks to your networks and information systems
4. Implement Security Measures: Put in place technical and organizational measures to manage identified risks
5. Create Incident Response Plan: Prepare procedures for detecting, responding to, and recovering from incidents
6. Secure Your Supply Chain: Manage cybersecurity risks from suppliers and service providers
7. Train Your Staff: Ensure all employees understand cybersecurity risks and their responsibilities
8. Demonstrate Compliance: Document and prove your compliance with NIS2 requirements to authorities
What NIS2 Actually Requires You to Do
Risk Management
Identify, assess, and manage cybersecurity risks
- Risk assessments
- Security policies
- Risk treatment plans
Incident Response
Detect, respond to, and report incidents quickly
- 24-hour early warning
- 72-hour incident report
- Monthly final report
Business Continuity
Ensure services can continue during incidents
- Backup systems
- Disaster recovery
- Crisis management
Supply Chain Security
Manage risks from suppliers and partners
- Vendor assessments
- Security contracts
- Third-party monitoring
Security Measures
Implement appropriate technical controls
- Access controls
- Encryption
- Security monitoring
Training & Awareness
Educate staff on cybersecurity
- Regular training
- Phishing awareness
- Security exercises
Free NIS2 Compliance Tools
- Gap Analysis Tool: Find out exactly what you need for compliance
- Compliance Checklist: Track all requirements in one place
- Incident Response Template: Ready-to-use incident handling procedures
- Risk Assessment Guide: Identify and evaluate your cyber risks
- Sector Checker: Check if your industry is covered
- Policy Templates: Security policies ready to customize
Common NIS2 Questions
What's the difference between NIS and NIS2?
NIS2 significantly expands the original NIS directive:
- Covers more sectors (18 vs 7)
- Includes medium-sized companies, not just large
- Stricter incident reporting (24 hours vs 72 hours)
- Personal liability for management
- Mandatory security measures, not just recommendations
What if I operate in multiple EU countries?
You'll need to identify your 'main establishment' - usually where you have:
- Your headquarters or main decision-making center
- The largest number of employees
- The highest turnover
How does NIS2 relate to GDPR?
NIS2 and GDPR complement each other:
- NIS2: Focuses on network and system security
- GDPR: Focuses on personal data protection
- A cyberattack affecting personal data triggers both NIS2 incident reporting and GDPR breach notification
- Many security measures help comply with both (encryption, access controls, incident response)
What counts as a reportable incident?
You must report incidents that:
- Cause or could cause substantial operational disruption
- Lead to financial losses above your threshold
- Affect other organizations or citizens
- Create public safety risks
Which countries have implemented NIS2?
As of February 2025, only 9 out of 27 EU countries have fully transposed NIS2:
- Fully implemented: Belgium, Croatia, Lithuania, Greece, Hungary, Italy, Latvia, Romania, Slovakia
- Partial implementation: Germany, France, Netherlands, Sweden
- 19 countries received EU reasoned opinions in May 2025 for incomplete transposition
- Organizations must comply regardless of national implementation status
Ready to Get NIS2 Compliant?
Start with our free Gap Analysis to understand exactly what you need to do.