
NIS2 Directive: Your Final Compliance Checklist Before the 30 June 2026 Deadline

9 min read May 23, 2026

The NIS2 Directive (EU) 2022/2555 is the European Union's overhauled cybersecurity framework, replacing NIS1 and expanding mandatory obligations to more than 160,000 entities across 18 critical sectors [European Commission, 2022]. From 30 June 2026, active enforcement applies to any business that operates in — or provides services to — the EU and European Economic Area. Essential Entities face fines of up to €15 million or 2.5% of global annual turnover; Important Entities, up to €10 million or 2%. Non-EU companies that serve EU customers are explicitly not exempt. Compliance requires six documented steps covering governance, risk management, incident reporting, and supply chain security. This guide walks through each one with the specificity regulators will expect.

Who Must Comply with NIS2? Understanding Scope and Classification

NIS2 distinguishes between two tiers of in-scope organisations — Essential Entities (EE) and Important Entities (IE) — and your classification determines both your level of oversight and the severity of potential penalties.

Essential Entities operate in sectors where disruption would have a catastrophic societal or economic impact: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (including Internet Exchange Points and DNS providers), ICT service management, public administration, and space.

Important Entities cover a second ring of critical sectors: postal and courier services, waste management, chemicals, food production and distribution, manufacturing of medical devices, computers, machinery, motor vehicles, and digital providers (online marketplaces, search engines, social networks).

Size thresholds matter: any entity in those sectors with 50+ employees or €10 million+ annual turnover is presumed in scope. Smaller organisations can also fall under NIS2 if they are deemed critical by national authorities.

Key figures at a glance:

€15M / 2.5%: maximum fine for Essential Entities (EU 2022/2555, Art. 34)
€10M / 2%: maximum fine for Important Entities (EU 2022/2555, Art. 34)
18: critical sectors covered (NIS2 Annex I & II)
160,000+: entities estimated in scope across the EU (European Commission, 2022)


Six-Step NIS2 Compliance Checklist for the 30 June 2026 Deadline

The following steps represent the minimum documented compliance posture that national supervisory authorities will assess. Each step must produce evidence that can withstand audit scrutiny.

Step 1: Confirm Your Classification and Register with National Authorities

Determine whether your organisation qualifies as an Essential Entity or Important Entity based on sector membership and size thresholds. Once classified, register with the competent national authority in each EU or EEA Member State where you operate. NIS2 Article 3 requires this registration; failure to register is itself a sanctionable breach. Keep a dated record of every registration submission.

Step 2: Conduct a Formal Risk Assessment

Perform an all-hazards risk assessment covering your information systems, operational technology (OT), data assets, and third-party dependencies. The assessment must evaluate threats to confidentiality, integrity, and availability — not just cyberthreats but also physical and environmental risks. Document the methodology used, assets assessed, identified risks, likelihood and impact ratings, and the risk treatment plan. Reviewers should be able to trace every control back to a specific risk finding.

Step 3: Implement the Ten Technical and Organisational Measures

Article 21 of NIS2 specifies the minimum security measures all in-scope entities must implement. These are not optional best practices — they are legal requirements:

  1. Cybersecurity risk management policies
  2. Incident handling procedures
  3. Business continuity and crisis management plans
  4. Supply chain security (vendor risk assessments, contractual security clauses)
  5. Network and information system security (network segmentation, patching)
  6. Access control and privileged access management, including multi-factor authentication (MFA)
  7. Cryptography and encryption of data at rest and in transit
  8. Human resources security and staff cybersecurity training
  9. Use of secure communication systems
  10. Vulnerability disclosure and patching procedures

Each measure requires a written policy and evidence of implementation — not a plan to implement.

Step 4: Build and Test Your Incident Response Protocol

NIS2 mandates strict incident reporting timelines (detailed in the next section). Your protocol must therefore include: automated detection tooling, escalation paths to management and legal teams, a designated contact for national authority notifications, and documented procedures that have been tested in a tabletop exercise within the past 12 months. Untested plans do not satisfy the "appropriate and proportionate" standard in Article 21(1).

Step 5: Map and Audit Your Supply Chain

Supply chain attacks are the principal enforcement focus for regulators in 2026. Article 21(2)(d) requires entities to address security risks arising from third-party relationships. Practically, this means: a full inventory of critical suppliers, written security questionnaires or independent audits for those suppliers, and contractual clauses specifying minimum security standards, audit rights, and breach notification obligations. Any supplier that processes personal data or connects to your systems without a signed security addendum is an audit finding waiting to happen.

Step 6: Secure Management-Body Accountability

NIS2 Article 20 holds the management body — not just the CISO or IT department — personally accountable for approving and overseeing cybersecurity policies. Management members must complete cybersecurity training sufficient to identify and govern principal risks. Document the training completion dates, the policies that management has formally approved, and the reporting cadence between the security function and the board. Without this paper trail, regulators can hold individual executives personally liable.

Incident Reporting Timelines You Cannot Miss

The reporting cascade in NIS2 Article 23 is one of the most operationally demanding changes from the previous directive. When a "significant incident" occurs — defined as any event that causes or could cause severe operational disruption or financial loss — the following deadlines are absolute:

Notification, deadline, and content required:

Early warning (24 hours from awareness): confirmation of incident, suspected cause, initial impact
Intermediate notification (72 hours from awareness): updated assessment, indicators of compromise, mitigation steps taken
Final report (1 month from intermediate notification): full incident description, root cause, impact scope, measures implemented

A "significant incident" is triggered when it causes actual or potential severe disruption to service delivery, financial loss to the entity, or material impact on other organisations. Internally, this threshold should be pre-defined in your incident response protocol, with specific examples calibrated to your sector, so on-call teams can make the call at 2 a.m. without escalating unnecessarily.
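As an added illustration (not code from the original article), the following Python encodes the Article 23 cascade described above: the 24-hour and 72-hour clocks run from the moment of awareness, while the final-report clock runs from the intermediate notification actually sent. It assumes "1 month" means the same calendar day one month later, clamped to the end of a shorter month, and uses constructed timestamps.

```python
from calendar import monthrange
from datetime import datetime, timedelta, timezone
from typing import Optional

# Article 23 cascade: early warning and intermediate notification are
# measured from awareness; the final report from the intermediate notification.
EARLY_WARNING = timedelta(hours=24)
INTERMEDIATE = timedelta(hours=72)


def add_one_month(t: datetime) -> datetime:
    """Same calendar day one month later. Assumption: clamp to the month end
    (31 Jan -> 28 Feb) rather than overflowing into the following month."""
    year = t.year + t.month // 12
    month = t.month % 12 + 1
    day = min(t.day, monthrange(year, month)[1])
    return t.replace(year=year, month=month, day=day)


def nis2_deadlines(awareness: datetime,
                   intermediate_sent: Optional[datetime] = None) -> dict:
    """Return the three reporting deadlines. The final-report clock starts when
    the intermediate notification was actually sent; until then it is projected
    from the 72-hour deadline itself."""
    base = intermediate_sent or awareness + INTERMEDIATE
    return {
        "early_warning": awareness + EARLY_WARNING,
        "intermediate": awareness + INTERMEDIATE,
        "final_report": add_one_month(base),
    }


def lateness(deadlines: dict, stage: str, submitted: datetime) -> timedelta:
    """How far past the deadline a submission landed (zero when on time)."""
    return max(submitted - deadlines[stage], timedelta(0))


if __name__ == "__main__":
    # Constructed scenario: intermediate notification sent 96 hours after
    # awareness instead of within 72, i.e. 24 hours late.
    aware = datetime(2026, 1, 29, 14, 0, tzinfo=timezone.utc)
    sent = aware + timedelta(hours=96)
    dl = nis2_deadlines(aware, intermediate_sent=sent)
    for stage, when in dl.items():
        print(f"{stage:>14}: {when.isoformat()}")
    print("intermediate notification late by", lateness(dl, "intermediate", sent))
```

Wiring `nis2_deadlines` into the on-call runbook gives the 2 a.m. responder the three timestamps the moment an incident is declared significant, instead of leaving the arithmetic to be redone under pressure.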

"The 24-hour window is the hardest deadline for most organisations because detection-to-awareness lag is often the gap. If your logging and alerting infrastructure cannot reliably surface a breach within a few hours, the 24-hour clock is unachievable in practice," notes a senior cybersecurity counsel advising EU critical infrastructure operators [2026].


Penalties for Non-Compliance: Why the Stakes Are Different from GDPR

NIS2 fines are calculated on global annual turnover — not EU revenue — and can run concurrently with GDPR penalties if a cybersecurity incident also constitutes a personal data breach. For Essential Entities, the ceiling is €15 million or 2.5% of total worldwide annual turnover, whichever is higher. Important Entities face €10 million or 2%, whichever is higher [EU 2022/2555, Article 34].

Consider a mid-size German automotive parts manufacturer with €400 million global revenue that qualifies as an Important Entity under NIS2's manufacturing sector provisions. A significant incident caused by an unsecured supplier connection, reported 96 hours after awareness rather than within 72, could trigger two overlapping violations: a late-reporting fine and a supply chain control failure. At 2% of €400 million, the exposure is €8 million — before adding any GDPR Article 83 penalty for breached personal data.

Beyond financial penalties, NIS2 grants national authorities the power to publicly name non-compliant entities, impose temporary service suspension orders on Essential Entities, and hold management personally liable. The reputational and operational consequences of a named public enforcement action typically exceed the monetary fine.

Key takeaway: Non-compliance with NIS2 is not a single fine risk — it is a compounding risk that spans financial, operational, reputational, and individual liability dimensions simultaneously.

Extra-Territorial Reach: Does NIS2 Apply to Your Business Outside the EU?

NIS2 applies to entities that provide services in the EU or EEA — not only to entities incorporated there. An American software-as-a-service company that sells cloud infrastructure to Belgian hospitals qualifies as a digital service provider under Annex III and must designate an EU representative under Article 26, register with the competent authority, and meet all compliance requirements.

The practical test is straightforward: if you have paying customers in the EU receiving a service covered by NIS2's sector definitions, the directive applies regardless of where your servers are located or where your company is registered. The EU Agency for Cybersecurity (ENISA) publishes sector-specific guidance to help organisations self-assess their jurisdictional exposure at enisa.europa.eu.

For businesses that are borderline in-scope, the risk calculus favours compliance: the cost of implementing the six steps above is substantially lower than the cost of a successful enforcement action — and regulators have signalled that 2026 will not be a grace period.

Frequently Asked Questions

What is the difference between NIS1 and NIS2?

NIS1 (Directive 2016/1148) covered a narrow set of Operators of Essential Services and Digital Service Providers, leaving Member States broad discretion over scope and enforcement. NIS2 replaces it with a harmonised framework: expanded sector coverage, mandatory registration, stricter incident reporting timelines, management-body accountability, and a higher penalty ceiling. The number of in-scope entities more than tripled compared to NIS1.

Do small businesses need to comply with NIS2?

Size thresholds (50+ employees or €10M+ turnover) exclude most micro and small enterprises. However, any entity — regardless of size — that is designated as critical by a national authority must comply. Similarly, small businesses that sit in the supply chain of an Essential Entity may face contractual NIS2 obligations imposed by that entity under Article 21(2)(d), even if they are not directly regulated.

What counts as a "significant incident" under NIS2?

A significant incident is one that causes or is capable of causing severe operational disruption, financial loss, or material impact on other persons or organisations. ENISA and national Computer Security Incident Response Teams (CSIRTs) publish sector-specific guidance on thresholds. Internally, your incident response protocol should define the organisation-specific triggers that automatically invoke the 24-hour reporting clock.

Can the same incident trigger both NIS2 and GDPR penalties?

Yes. A ransomware attack that encrypts personal data constitutes both a NIS2 significant incident (reporting to the national NIS2 authority) and a GDPR personal data breach (notification to the supervisory authority within 72 hours under GDPR Article 33). Both sets of penalties apply independently and simultaneously, with no offset between them.

Disclaimer: The information on this page is provided for informational purposes only and does not constitute legal advice. Consult a qualified cybersecurity lawyer for guidance specific to your organisation's situation.
