NIS2 Directive Obligations Overview
The NIS2 Directive establishes comprehensive requirements across 46 articles. Below are the key obligations extracted directly from the legislative text.
Key Obligations
- Member States must adopt national cybersecurity strategies
- Member States must designate/establish competent cybersecurity authorities
- Member States must establish CSIRTs (Computer Security Incident Response Teams)
- Entities listed in Annex I or II must implement risk-management measures
- Entities must comply with incident reporting obligations
- Entities must follow cybersecurity information sharing rules
- Medium-sized and larger entities in Annex I or II sectors must comply with NIS2 requirements
- All public electronic communications providers and trust service providers must comply regardless of size
- Entities identified as critical under the Critical Entities Resilience Directive must comply
- Domain name registration service providers must comply regardless of size
- Entities must respect confidentiality rules when exchanging information with authorities
- Personal data processing must comply with GDPR and relevant privacy laws
Essential Requirements
Subject matter
NIS2 sets EU-wide rules to improve cybersecurity across all member states. It requires countries to establish cybersecurity authorities and forces certain businesses to implement security measures and report incidents.
Key Requirements:
- Member States must adopt national cybersecurity strategies
- Member States must designate/establish competent cybersecurity authorities
- Member States must establish CSIRTs (Computer Security Incident Response Teams)
- Entities listed in Annex I or II must implement risk-management measures
- Entities must comply with incident reporting obligations
- Entities must follow cybersecurity information sharing rules
Applies to:
Member States of the EU, entities listed in Annex I or II of the directive, and entities identified as critical under Directive (EU) 2022/2557
Scope
NIS2 applies to medium and large entities in critical sectors (listed in Annexes I and II), regardless of size for certain essential services like telecom and trust services, and to entities critical for public safety or national infrastructure. It doesn't apply to organizations focused purely on national security, defense, or law enforcement activities.
Key Requirements:
- Medium-sized and larger entities in Annex I or II sectors must comply with NIS2 requirements
- All public electronic communications providers and trust service providers must comply regardless of size
- Entities identified as critical under the Critical Entities Resilience Directive must comply
- Domain name registration service providers must comply regardless of size
- Entities must respect confidentiality rules when exchanging information with authorities
- Personal data processing must comply with GDPR and relevant privacy laws
Applies to:
Medium and large enterprises in Annex I/II sectors, all providers of public electronic communications, trust services, domain name services, entities critical for public safety/security/health, entities causing systemic risk, critical regional/national entities, certain public administrations, and optionally local governments and educational institutions
Essential and important entities
This article defines which organizations are classified as 'essential' or 'important' entities under NIS2, creating two tiers of compliance requirements. Companies in critical sectors (listed in Annexes I and II) above certain size thresholds are 'essential' while smaller ones are 'important', and all must register with authorities by April 2025.
Key Requirements:
- Submit registration information to competent authorities including name, contact details, IP ranges, sectors, and countries of operation
- Notify authorities of any changes to registration details within two weeks
- Participate in Member State entity listing process by April 17, 2025
- Provide updated information for regular reviews every two years
Applies to:
Large companies in critical sectors (energy, transport, health, digital infrastructure, etc.), qualified trust service providers, DNS providers, telecom providers above medium-size thresholds, certain public administrations, and any entities previously designated as critical infrastructure operators
Sector-specific Union legal acts
This article creates a 'no double regulation' rule - if you're already complying with equivalent cybersecurity requirements under other EU laws specific to your sector, you don't have to follow NIS2's requirements as well. However, the sector-specific rules must be at least as strong as NIS2's requirements for risk management and incident reporting.
Key Requirements:
- Entities must determine if they are covered by sector-specific EU laws with equivalent cybersecurity requirements
- If covered by equivalent sector-specific laws, they follow those instead of NIS2
- Entities not covered by sector-specific laws must comply with NIS2
- Risk management measures must be at least as strong as NIS2 Article 21(1) and (2)
- Incident notification requirements must be at least as strong as NIS2 Article 23(1) to (6)
- Incident notifications must provide CSIRTs/authorities with immediate access (automatic and direct where appropriate)
Applies to:
Essential and important entities that are subject to sector-specific EU laws with cybersecurity requirements (e.g., financial services, aviation, energy sectors with their own regulations)
Definitions
This article provides official definitions for all key terms used throughout the NIS2 directive, establishing what constitutes network systems, cybersecurity incidents, various types of service providers, and essential digital infrastructure. These definitions determine which organizations fall under NIS2 scope and what security requirements apply to them.
Key Requirements:
- Understanding and applying these definitions to determine if your organization falls under NIS2 scope
- Using these definitions to properly classify incidents, risks, and cyber threats
- Identifying which category of entity your organization belongs to (DNS provider, cloud service, data center, etc.)
- Appointing a representative in the EU if you're a non-EU provider of covered services
Applies to:
All entities covered by NIS2 including: DNS service providers, TLD registries, cloud computing services, data centers, content delivery networks, online marketplaces, search engines, social networks, public administration entities, managed service providers, and any organization needing to understand NIS2 terminology
National cybersecurity strategy
Each EU member country must create a comprehensive national cybersecurity strategy that outlines how they'll protect critical infrastructure and improve overall cyber resilience. This strategy must include specific objectives, governance frameworks, risk assessments, and policies covering everything from supply chain security to public awareness campaigns.
Key Requirements:
- Adopt a national cybersecurity strategy with defined objectives and resources
- Establish governance frameworks clarifying roles and responsibilities
- Identify and assess cybersecurity risks for relevant national assets
- Develop incident response and recovery measures
- Create policies for supply chain security and vulnerability management
- Implement cybersecurity requirements in public procurement
- Develop education, training and awareness programs
- Support SMEs with cybersecurity guidance and assistance
- Review and update the strategy at least every 5 years
- Notify the strategy to the European Commission within 3 months of adoption
Applies to:
EU Member States (national governments) - this is a state-level obligation that sets the framework for how each country will implement NIS2 requirements
Operator Obligations
Reporting obligations
Organizations must report significant cyber incidents to authorities within strict timeframes (24-72 hours) and provide detailed follow-up reports. They must also notify affected customers when incidents could impact their services.
- Report significant incidents to the CSIRT or competent authority without undue delay
- Submit an early warning within 24 hours of becoming aware of the incident
- Submit an incident notification within 72 hours with an initial assessment
Processes & Procedures
Computer security incident response teams (CSIRTs)
EU member states must establish specialized cybersecurity teams (CSIRTs) to handle security incidents affecting critical infrastructure and important organizations. These teams must have adequate resources, secure communication systems, and cooperate both within the EU and internationally to respond to cyber threats.
Coordinated vulnerability disclosure and a European vulnerability database
EU member states must designate a CSIRT team to handle vulnerability reports and help coordinate between security researchers who find vulnerabilities and the companies whose products are affected. Additionally, ENISA will maintain a European-wide database where vulnerabilities in ICT products can be voluntarily registered and accessed by all stakeholders.
Conformity & Enforcement
Union level coordinated security risk assessments of critical supply chains
The EU can assess the security risks of critical technology supply chains at a European level. They will look at both technical security issues and other risks to identify vulnerabilities in important ICT products and services used across Europe.
Next Steps
These requirements are extracted from the official legislative text. For detailed implementation guidance: