NIS2 Compliance Guide 2026: Requirements, Penalties, and Automation Strategies for European Businesses

Secrails Team · 14 min
Tags: NIS2, Compliance, EU Regulation, ISO 27001, SOC 2, Policy as Code, GDPR, Incident Response

NIS2 Has Changed the Rules for Cybersecurity in Europe

If your organization operates in the EU or sells to European customers, the NIS2 directive is something you cannot afford to ignore. It represents the most sweeping update to EU cybersecurity regulation in nearly a decade, and enforcement is now fully active across member states.

The original NIS Directive from 2016 was a starting point. NIS2 is a different beast entirely. It covers more sectors, imposes stricter requirements, introduces personal liability for executives, and backs everything up with penalties that can reach EUR 10 million or 2 percent of global turnover.

This guide breaks down what NIS2 actually requires, who falls under its scope, and how organizations are using compliance automation to meet these requirements without grinding their operations to a halt.

What Exactly Is NIS2?

NIS2, formally known as Directive (EU) 2022/2555, establishes a baseline for cybersecurity across all EU member states. It replaced the original NIS Directive because the threat landscape outpaced the protections that directive provided.

Three things make NIS2 different from its predecessor. First, it creates harmonized requirements across all member states. No more navigating a patchwork of national implementations when you operate in multiple countries. Second, it introduces supply chain security obligations that ripple through entire business ecosystems. Even organizations not directly in scope may need to demonstrate compliance to keep their contracts. Third, it holds management personally accountable, not just the organization.

What Changed From NIS1 to NIS2

The scope expanded from 7 sectors to 18. Size-based criteria now automatically bring medium and large companies into scope. Penalties are harmonized across member states with defined maximums. Management accountability is explicit, with personal liability for senior leadership. Incident reporting timelines are tighter, with a 24-hour early warning requirement. Supply chain security is no longer optional.

Who Must Comply With NIS2?

NIS2 categorizes affected organizations into two groups: essential entities and important entities. Both must implement the same security measures, but essential entities face stricter supervision and higher penalty caps.

Essential Entities

These include organizations in energy (electricity, oil, gas, hydrogen, district heating), transport (air, rail, water, road), banking and financial market infrastructure, healthcare (providers, reference laboratories, pharmaceutical manufacturing), drinking water and wastewater, digital infrastructure (internet exchange points, DNS providers, TLD registries, cloud computing services, data centers, CDNs, trust service providers, public electronic communications), ICT service management for B2B, public administration, and space operations.

Important Entities

The second tier covers postal and courier services, waste management, chemical manufacturing, food production and distribution, medical device manufacturing, electronics manufacturing, motor vehicle manufacturing, digital providers (online marketplaces, search engines, social networks), and research organizations.

Size Thresholds

NIS2 applies to medium-sized organizations (50+ employees or EUR 10M+ annual turnover) and larger in covered sectors. Some entities are in scope regardless of size: public electronic communications providers, trust service providers, TLD registries, DNS providers, and sole providers of essential services within a member state.

The Core Requirements Under Article 21

NIS2's Article 21 lays out the cybersecurity measures every in-scope organization must implement. The requirements are deliberately broad, giving organizations flexibility to tailor implementation to their risk profile.

Risk Analysis and Security Policies

You need comprehensive risk management policies covering your entire information system landscape. This means identifying and classifying assets, conducting regular risk assessments, defining treatment plans, and maintaining documentation that proves ongoing risk management. Policies must be approved by management and reviewed regularly.

For organizations running cloud infrastructure, an automated cloud asset inventory is the practical starting point. You cannot assess risk for assets you do not know exist.

Incident Handling and Response

Detection, management, and response capabilities are mandatory. You need monitoring tools that actually catch incidents, clear classification criteria, defined response procedures for different incident types, communication channels for reporting, and post-incident reviews that feed into continuous improvement.

This is where investment in cloud security posture management pays off. CSPM platforms provide the continuous monitoring that NIS2's incident detection requirements demand, catching misconfigurations and anomalies before they escalate into reportable incidents.

Business Continuity and Crisis Management

Backup management, disaster recovery, business continuity procedures, and crisis management frameworks are all required. The key word here is "tested." NIS2 expects organizations to regularly validate these procedures through tabletop exercises and simulations, not just document them and file them away.

Supply Chain Security

This requirement has the biggest ripple effect. You must assess your suppliers' security practices, build cybersecurity requirements into contracts, and monitor compliance on an ongoing basis. Even organizations outside NIS2's direct scope are feeling this, as their customers demand evidence of adequate security measures to satisfy their own supply chain obligations.

Network and Information System Security

The technical controls: vulnerability handling and disclosure, encryption policies, access control and identity management, multi-factor authentication, and secure communications. These must be proportional to your risk profile and regularly validated.

Organizations handling this well are using policy-as-code to enforce these controls automatically. Rather than relying on manual checks, every configuration change is validated against security policies before deployment.

Training, Awareness, and Human Resources Security

All staff need cybersecurity training that goes beyond annual checkbox exercises. Role-specific education, regular awareness campaigns, and practical exercises are expected. Background checks for sensitive roles, clear security responsibilities in job descriptions, and proper access management when employees change roles or leave are also required.

Incident Reporting: The Tightest Timelines in Any Regulation

NIS2's reporting requirements are among the strictest globally. Miss them and you compound your penalties on top of whatever the original incident cost you.

The Three-Stage Reporting Timeline

Within 24 hours: Submit an early warning to your national CSIRT or competent authority. This must indicate whether the incident appears malicious and whether it could have cross-border impact. You do not need a complete picture at this stage, but you do need to have detected and reported it.

Within 72 hours: Provide a full incident notification with an initial assessment of severity and impact, plus any indicators of compromise. This updates the early warning with enough detail for the authority to understand scope.

Within one month: Submit a final report with a detailed description, root cause analysis, mitigation measures applied, and cross-border impact. If the incident is still ongoing, a progress report is required, with the final report due within one month of resolution.

What Triggers Reporting?

Not every security event is reportable. A significant incident is one that has caused or could cause severe operational disruption or financial loss, or has affected or could affect others through material or non-material damage. Establishing clear internal classification criteria aligned with these definitions is essential.
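The three-stage timeline and the significance criteria above can be turned into a small tracker so that nobody has to work out deadlines by hand while an incident is running. The following is an added example, not code from Secrails or from the directive: the classification function mirrors the two criteria the page gives (severe operational disruption or financial loss, or damage to others), the EUR loss threshold is a constructed organisation-level value, a month is approximated as 30 days, and the final-report clock is started from the full-notification deadline. Those four choices are assumptions; the 24-hour and 72-hour stages and the progress-report rule for ongoing incidents come from the page.

```python
"""Reporting-deadline tracker for NIS2 significant incidents.

Added example (not Secrails code). Assumptions: a month is 30 days,
the final-report clock starts at the full-notification deadline, and
the EUR 100k loss threshold is an internal classification choice.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

EARLY_WARNING = timedelta(hours=24)      # stage 1, from the page
FULL_NOTIFICATION = timedelta(hours=72)  # stage 2, from the page
ONE_MONTH = timedelta(days=30)           # assumption: "one month" ~ 30 days


@dataclass
class Incident:
    ref: str
    aware_at: datetime              # moment the organisation became aware
    operational_disruption: str     # "none", "minor" or "severe"
    financial_loss_eur: float
    affects_others: bool            # material or non-material damage to others
    resolved_at: Optional[datetime] = None


def is_significant(inc: Incident, loss_threshold_eur: float = 100_000.0) -> bool:
    """Internal classification aligned with the page's definition of a
    significant incident. The loss threshold is a constructed value."""
    return (inc.operational_disruption == "severe"
            or inc.financial_loss_eur >= loss_threshold_eur
            or inc.affects_others)


def reporting_schedule(inc: Incident) -> dict[str, Optional[datetime]]:
    """Return stage -> due time. Empty dict for non-significant incidents.
    A None due time means 'not yet determinable' (incident unresolved)."""
    if not is_significant(inc):
        return {}
    early = inc.aware_at + EARLY_WARNING
    full = inc.aware_at + FULL_NOTIFICATION
    month_mark = full + ONE_MONTH   # assumption: counted from the 72h stage
    schedule: dict[str, Optional[datetime]] = {
        "early_warning": early,
        "full_notification": full,
    }
    if inc.resolved_at is None or inc.resolved_at > month_mark:
        # Still ongoing at the one-month mark: progress report then,
        # once resolved, a final report within one month of resolution.
        schedule["progress_report"] = month_mark
        schedule["final_report"] = (None if inc.resolved_at is None
                                    else inc.resolved_at + ONE_MONTH)
    else:
        schedule["final_report"] = month_mark
    return schedule


def overdue_stages(inc: Incident, now: datetime, submitted: set[str]) -> list[str]:
    """Stages whose deadline has passed without a recorded submission."""
    return [stage for stage, due in reporting_schedule(inc).items()
            if due is not None and now > due and stage not in submitted]


UTC = timezone.utc
# Constructed sample incidents (not real data).
SAMPLE_INCIDENTS = [
    Incident("INC-2026-0001", datetime(2026, 3, 2, 9, 0, tzinfo=UTC), "severe", 0.0, True),
    Incident("INC-2026-0002", datetime(2026, 3, 2, 9, 0, tzinfo=UTC), "minor", 5_000.0, False),
    Incident("INC-2026-0003", datetime(2026, 1, 10, 8, 0, tzinfo=UTC), "severe", 250_000.0,
             False, resolved_at=datetime(2026, 3, 1, 12, 0, tzinfo=UTC)),
]

if __name__ == "__main__":
    now = datetime(2026, 3, 3, 10, 0, tzinfo=UTC)
    for inc in SAMPLE_INCIDENTS:
        print(inc.ref, "significant" if is_significant(inc) else "not significant")
        for stage, due in reporting_schedule(inc).items():
            print("   ", stage, due.isoformat() if due else "pending resolution")
        print("    overdue now:", overdue_stages(inc, now, set()))
```

The `overdue_stages` check is the piece worth wiring into an on-call dashboard: evaluated every few minutes against the set of submissions actually made, it turns the timeline into an alert rather than a policy document.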

Penalties That Get Board Attention

Essential entities: Up to EUR 10 million or 2 percent of worldwide annual turnover, whichever is higher.

Important entities: Up to EUR 7 million or 1.4 percent of worldwide annual turnover, whichever is higher.

But the penalties that really changed behavior are personal. Management bodies that fail to approve and oversee cybersecurity risk management can be held personally liable. Member states can impose temporary bans on individuals in managerial roles at essential entities. When executives face personal consequences, compliance stops being an IT project and becomes a board priority.

Automating NIS2 Compliance: The Only Sustainable Approach

The breadth of NIS2 requirements combined with the pace of modern IT operations makes manual compliance unsustainable. Organizations that try to manage NIS2 through spreadsheets and periodic audits find themselves perpetually behind.

Policy-as-Code for Continuous Verification

Policy-as-code transforms NIS2 requirements into machine-readable rules evaluated against your infrastructure in real time. Every configuration change is validated automatically. Deviations trigger alerts, block non-compliant changes, or initiate automated remediation depending on severity and your risk tolerance.

Pre-built policy packs mapped to NIS2 controls let organizations establish compliance baselines quickly. These cover infrastructure security, access management, encryption, logging, and vulnerability management across AWS, Azure, and GCP.
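To make the policy-as-code idea concrete, here is an added example of a minimal engine that evaluates cloud resource configurations against rules mapped to the Article 21 control areas named on this page (encryption, access control, multi-factor authentication, logging for incident handling, vulnerability handling) and chooses between alert, block and automated remediation by severity and a configurable risk tolerance. It is not Secrails' product code or any vendor's policy pack: the resource shapes, rule identifiers, severities and sample resources are all constructed for illustration.

```python
"""Minimal policy-as-code engine mapped to NIS2 Article 21 control areas.

Added example, not Secrails code. Resource dicts, rule IDs and severity
levels are constructed; the control labels follow the page's headings.
"""
from dataclasses import dataclass
from typing import Callable, Optional

SEVERITY_RANK = {"medium": 1, "high": 2, "critical": 3}


@dataclass(frozen=True)
class Rule:
    rule_id: str
    control: str                                  # Article 21 area the rule supports
    severity: str
    resource_type: str
    check: Callable[[dict], bool]                 # True when the resource is compliant
    remediate: Optional[Callable[[dict], dict]] = None   # auto-fix, where one is safe


@dataclass(frozen=True)
class Finding:
    resource: str
    rule_id: str
    control: str
    severity: str
    action: str   # "alert", "block" or "remediate"


RULES = (
    Rule("ENC-001", "encryption policies", "critical", "storage_bucket",
         lambda r: r.get("encryption_at_rest") is True,
         lambda r: {**r, "encryption_at_rest": True}),
    Rule("ACC-002", "access control", "critical", "storage_bucket",
         lambda r: not r.get("public_access", False)),
    Rule("MFA-003", "multi-factor authentication", "high", "iam_user",
         lambda r: r.get("mfa_enabled") is True or not r.get("console_access", False)),
    Rule("LOG-004", "incident handling (logging)", "medium", "storage_bucket",
         lambda r: r.get("access_logging") is True,
         lambda r: {**r, "access_logging": True}),
    Rule("VUL-005", "vulnerability handling", "high", "compute_instance",
         lambda r: r.get("days_since_patch", 0) <= 30),
)


def decide_action(rule: Rule, block_at: str, auto_remediate: bool) -> str:
    """Risk tolerance: remediate when a safe fix exists, block at or above
    the configured severity, otherwise alert."""
    if auto_remediate and rule.remediate is not None:
        return "remediate"
    if SEVERITY_RANK[rule.severity] >= SEVERITY_RANK[block_at]:
        return "block"
    return "alert"


def evaluate(resources, rules=RULES, block_at="critical", auto_remediate=True):
    """Evaluate every resource against every applicable rule.
    Returns (findings, resources-after-remediation)."""
    findings, remediated = [], []
    for res in resources:
        current = dict(res)
        for rule in rules:
            if rule.resource_type != current["type"] or rule.check(current):
                continue
            action = decide_action(rule, block_at, auto_remediate)
            findings.append(Finding(current["name"], rule.rule_id,
                                    rule.control, rule.severity, action))
            if action == "remediate":
                current = rule.remediate(current)
        remediated.append(current)
    return findings, remediated


def change_allowed(findings) -> bool:
    """Gate for a deployment pipeline: any 'block' finding stops the change."""
    return not any(f.action == "block" for f in findings)


# Constructed sample resources, roughly what a cloud inventory would emit.
SAMPLE_RESOURCES = [
    {"type": "storage_bucket", "name": "customer-records",
     "encryption_at_rest": False, "public_access": False, "access_logging": False},
    {"type": "storage_bucket", "name": "public-assets",
     "encryption_at_rest": True, "public_access": True, "access_logging": True},
    {"type": "iam_user", "name": "ops-admin", "console_access": True, "mfa_enabled": False},
    {"type": "compute_instance", "name": "web-01", "days_since_patch": 45},
]

if __name__ == "__main__":
    findings, fixed = evaluate(SAMPLE_RESOURCES)
    for f in findings:
        print(f"{f.action:9} {f.severity:8} {f.rule_id} {f.resource}: {f.control}")
    print("change allowed:", change_allowed(findings))
```

Run as written, the engine remediates the two bucket settings it can fix safely, blocks the public bucket, and only alerts on the missing MFA and the stale patch level; lowering `block_at` to `"high"` or disabling `auto_remediate` tightens that to match a stricter risk tolerance without touching the rules themselves.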

Automated Asset Discovery

NIS2 requires accurate understanding of your information systems. Automated cloud inventory eliminates manual cataloguing and ensures new assets are classified immediately upon deployment. In cloud environments where resources spin up and down continuously, manual tracking is a losing battle.

Continuous Vulnerability Management

NIS2's vulnerability handling requirements demand timely identification, assessment, and remediation. Automated scanning across infrastructure, containers, and code provides continuous visibility. Risk-based prioritization through VM scanning and container image scanning focuses effort on the vulnerabilities with greatest potential impact.

Automated Compliance Reporting

When a supervisory authority asks for evidence of compliance, you need to produce it quickly and accurately. Automated reporting generates audit-ready documentation showing current status, historical trends, and remediation activities. No more weeks of scrambling before audits.

Getting Started: A Practical NIS2 Roadmap

If your organization has not started its NIS2 compliance journey, here is a realistic path forward.

Step 1: Confirm your scope. Determine whether your organization falls within NIS2 based on sector and size criteria. If you supply to in-scope organizations, determine what requirements they will impose on you.

Step 2: Run a gap analysis. Assess your current posture against NIS2 requirements. Prioritize gaps by risk impact and implementation effort.

Step 3: Get management buy-in. NIS2 requires formal management approval of your cybersecurity approach. Given personal liability provisions, this conversation tends to go differently than it did under NIS1.

Step 4: Deploy automated monitoring. Implement CSPM and compliance automation for continuous visibility. This delivers immediate improvement in detection and response capability.

Step 5: Build incident response. Establish procedures that meet the 24-hour and 72-hour reporting timelines. Test them. Then test them again.

Step 6: Address supply chain. Identify critical suppliers, assess their security, and update contracts with cybersecurity requirements.

Step 7: Document continuously. NIS2 compliance requires evidence. Automated documentation makes this sustainable rather than a periodic fire drill.

NIS2 and Other Frameworks: How They Overlap

Organizations often face multiple compliance requirements simultaneously. The good news is that NIS2 aligns substantially with ISO 27001, SOC 2, and GDPR requirements. Work you have done for these frameworks carries over.

The Secrails compliance platform maps controls across frameworks, so a single implementation effort satisfies multiple requirements. This is particularly valuable for organizations operating across regulated industries where overlapping mandates can otherwise multiply compliance workload.

For a deeper look at how cloud security tools compare in meeting these requirements, see our analysis of Secrails versus Microsoft Defender for organizations evaluating their security tooling options.

Looking Ahead

NIS2 is not the ceiling. It is the floor. Organizations that treat compliance as an opportunity to genuinely strengthen their security posture, rather than a box-ticking exercise, will find that the investment delivers protection that extends well beyond regulatory requirements.

The practical path forward combines clear governance, automated monitoring, and a culture that treats security as everyone's responsibility. Start with visibility, automate what you can, and build from there. Your future audit self will thank you.

For practical guidance on securing the cloud infrastructure that underpins your NIS2 compliance program, read our cloud security best practices guide.

Frequently Asked Questions

What is the NIS2 directive?

NIS2 (Directive (EU) 2022/2555) is the European Union's updated cybersecurity regulation that establishes baseline security requirements for organizations in 18 critical sectors. It replaces the original NIS Directive with broader scope, stricter enforcement, harmonized penalties, and personal management accountability.

Who does NIS2 apply to?

NIS2 applies to medium-sized and large organizations (50+ employees or EUR 10M+ turnover) in 18 sectors including energy, transport, healthcare, digital infrastructure, banking, manufacturing, and more. Some entities like DNS providers and trust service providers are in scope regardless of size.

What are the penalties for NIS2 non-compliance?

Essential entities face fines up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities face up to EUR 7 million or 1.4% of turnover. Additionally, senior management can be held personally liable, including temporary bans from managerial roles.

What are the NIS2 incident reporting deadlines?

NIS2 requires a three-stage reporting process: an early warning within 24 hours of becoming aware of a significant incident, a full notification with initial assessment within 72 hours, and a final report with root cause analysis within one month. If the incident is still ongoing at that point, a progress report is submitted instead and the final report is due within one month of resolution.

How does NIS2 differ from GDPR?

GDPR focuses on protecting personal data, while NIS2 targets cybersecurity of networks and information systems broadly. They overlap in areas like incident reporting and risk management, but NIS2 covers operational security, supply chain requirements, and business continuity measures that go beyond data protection.

Can NIS2 compliance be automated?

Yes. Policy-as-code tools transform NIS2 requirements into machine-readable rules that validate infrastructure changes automatically. Combined with automated asset discovery, continuous vulnerability scanning, and compliance reporting, organizations can maintain continuous compliance without manual audit cycles.
