The Network and Information Security Directive 2, Directive (EU) 2022/2555 (NIS2) reshapes cybersecurity compliance across the European Union. The Directive aims to enhance cybersecurity and resilience within the Union, imposing uniform risk management and reporting obligations on both “essential” and “important” entities, and expanding the scope beyond traditional critical infrastructure providers. Companies that fall within scope may need to review and align their internal processes, controls, and governance structures with NIS2 — or risk enforcement consequences. The status of NIS2 implementation varies across EU Member States. For example, in Germany, the final law could take effect before the end of 2025; Italy has incorporated NIS2 into national legislation; and France is still in the process of enacting the necessary laws.
Who Is in Scope of NIS2?
NIS2 expands coverage to a wider range of sectors than the previous NIS Directive (Directive (EU) 2016/1148), including postal and courier services, as well as the chemical and food sectors. The Directive applies to both EU-established entities and, in some cases, non-EU service providers offering services within the EU. Entities are categorized as essential or important based on size, criticality, sector, or importance to the Member States. Sectors affected include:
- Sectors of high criticality, e.g., energy, transport, banking, digital infrastructure, public administration, healthcare.
- Other critical sectors, e.g., digital services (online marketplaces, cloud computing, and search engines), waste management, postal services, manufacturing of critical products.
Companies are considered in scope if they fall within these sectoral definitions and exceed specific size thresholds (typically medium-sized enterprises and above, i.e., more than 50 employees and €10 million turnover). Certain digital infrastructure and trust service providers are subject to NIS2 obligations regardless of size.
Enforcement and Accountability
Unlike the original NIS Directive, NIS2 introduces stronger enforcement powers for national authorities, including regular audits, security inspections, binding instructions, and — crucially — administrative fines of up to €10 million or 2% of global annual turnover, whichever is higher. Moreover, management bodies are personally accountable for compliance, and governance failures may result in temporary bans or disqualification of individuals from leadership roles.
The Directive’s intent is clear: cybersecurity is no longer a back-office technical issue — it is a board-level accountability matter and a core element of operational risk management.
Immediate Considerations for In-Scope Entities
Entities preparing for NIS2 may wish to consider the following areas:
- Executive Governance and Cybersecurity Culture: Management bodies are explicitly responsible for compliance, including approval and oversight of cybersecurity strategies and regular training for executives and employees to establish an informed and security-aware culture throughout the organization.
- Cybersecurity Risk Management Framework: Regular risk assessments to identify vulnerabilities and develop proportionate protective measures. Companies must implement both technical and organizational measures tailored to specific risks, operational complexity, and service criticality, including access controls, security-by-design principles, encryption, and network resilience tools.
- Incident Detection, Response, and Reporting: Ability to detect and respond to cybersecurity incidents swiftly. A robust incident response plan must be in place, with well-defined roles and responsibilities. Where a “significant incident” occurs, a mandatory reporting timeline applies: an early warning within 24 hours, an initial assessment within 72 hours, and a final report within one month.
- Business Continuity and Recovery Planning: Preparation and regular testing of business continuity and crisis management plans, including backups and disaster recovery systems, specifically covering cyberattack scenarios (Art. 21(2)(c)). These plans are not theoretical: regulators will expect documentation and practical evidence of testing and effectiveness.
- Supply Chain and Third-Party Risk Management: Management of cybersecurity risks in the supply chain, including risk assessments of third-party service providers and software vendors, contractual obligations, and ongoing monitoring (Art. 21(2)(d), 21(3)). This requirement is particularly significant for managed security service providers (MSSPs) and companies dependent on cloud-based infrastructure and outsourced IT operations.
- Security in Development and Procurement: Embedding cybersecurity in the design, development, and acquisition of systems and products. Whether acquiring new software, developing internal tools, or integrating third-party services, organizations must ensure security-by-design and security-by-default principles are followed.
- Vulnerability and Patch Management: Establishment of a formal vulnerability handling process, including intake and response protocols for vulnerabilities reported by researchers, internal monitoring for timely patch deployment, and coordination with national CSIRTs and the European vulnerability database.
- Access and Identity Controls: Limiting system access to authorized personnel through measures such as multi-factor authentication (MFA), role-based access control (RBAC), and periodic reviews of user rights. These measures contribute to the integrity and resilience of the information systems.
- Asset Management and Communications Security: Maintaining an accurate inventory of IT assets and securing communications, particularly where sensitive or personal data is transmitted. Encryption and secure protocols are essential features of a compliant security architecture.
- Awareness, Training, and Human Risk Mitigation: Ongoing security awareness and training programs across all levels of the organization, including measures to mitigate risks such as phishing.
- Internal Auditing and Documentation: Mapping internal controls against NIS2 obligations, conducting regular audits, and maintaining appropriate documentation for national supervisory authorities on request. Supervisory authorities are empowered to conduct targeted audits and request evidence of compliance.
Implementation of NIS2 in other EU Member States
EU Member States were required to transpose NIS2 into national law by October 17, 2024. The status of implementation varies, with some countries (e.g., Belgium, Denmark, Greece, Hungary, Italy, Malta, Slovakia) having enacted NIS2 legislation, while others (e.g., Germany, France) are still in the process. National implementations may contain specific deviations or additional requirements, so each national law should be assessed individually. The European Commission has launched infringement proceedings against EU Member States that failed to meet the implementation deadline.
Examples of National Implementation Laws and Draft Laws
- Germany: The German implementation law, currently in the parliamentary process, largely transposes the requirements of NIS2 and is expected to affect approximately 30,000 companies nationwide. Organizations must establish comprehensive cybersecurity risk management frameworks as stipulated under NIS2, including, e.g., access and identity management and risk assessments. However, deviations from NIS2 arise in the following areas:
  - Scope of Application: The current German draft law allows business activities deemed “negligible” in relation to a company’s overall operations to be excluded from the scope of the law. This provision is intended to prevent companies from being unnecessarily classified as important or highly important due to minor activities. To determine what is “negligible”, the explanatory memorandum to the draft bill states that factors such as the number of employees or generated revenue can be considered. However, although such criteria provide guidance on how to interpret “negligible”, legal uncertainties remain, as the term is not exhaustively defined in the draft, and it is an open question whether the EU framework allows for such an exception at all.
- Belgium: The Belgian NIS2 law has been in force since October 2024. While closely mirroring the NIS2 requirements, it contains a few deviations from the EU framework:
  - Scope of Application: The list of sectors subject to the law can be expanded by royal decree, allowing additional sectors to be included beyond those currently covered (such as the energy and transport sectors referenced in Annex I of the Belgian law).
  - Cybersecurity Measures: The Belgian law also introduces cybersecurity obligations that further specify the requirements of NIS2. For instance, organizations are required to implement a “coordinated vulnerability disclosure policy”. In terms of vulnerability reporting, the national cybersecurity authority (CSIRT) serves as a trusted intermediary, facilitating communication between the individual or organization reporting a potential vulnerability and the manufacturer or supplier of the affected product or service. All reports must be submitted in writing, in accordance with the procedure outlined on the CSIRT website.
- Italy: Italy’s implementation law took effect in October 2024 and is closely aligned with the requirements of NIS2, with the National Cybersecurity Agency empowered to oversee compliance and enforcement. Deviations from NIS2 arise regarding the scope of application. For instance, legal services for large grocery retailers and the cultural sector are covered by the law, capturing a large number of additional companies operating in Italy.
Monitoring National Implementation of NIS2
Inconsistencies in national implementation create challenges, particularly for companies operating cross-border in the EU. For example, telecommunications companies may need to comply with NIS2 laws in every EU country where they provide services, whereas cloud and data center providers are generally subject only to the laws of their main establishment. However, many EU Member States are moving beyond the minimum requirements of NIS2, introducing more customized security obligations and liability for company leadership, which creates compliance risks for companies. Therefore, this evolving landscape warrants continuous monitoring of legal developments in the relevant countries.
Conclusion
The NIS2 Directive sets out minimum harmonization standards, and EU Member States may adopt additional or stricter national requirements. Entities subject to NIS2 should consider reviewing their risk management, operational practices, and corporate governance in light of these obligations and monitor the legislative transposition process in each EU jurisdiction where they operate.