The NIS2 Directive (Network and Information Security Directive 2) is the European Union's updated cybersecurity law designed to protect critical infrastructure, digital services, and essential economic functions from cyber threats.
It replaces the earlier 2016 NIS Directive with a broader and stronger regulatory framework, raising the bar for cybersecurity governance across thousands of organisations operating in or serving EU markets.
What is NIS2?
NIS2 is an official EU law — Directive (EU) 2022/2555 — on measures for a high common level of cybersecurity across the Union. It was adopted on 14 December 2022 and entered into force on 16 January 2023.
Its core purpose is to create a common cybersecurity baseline across EU member states and ensure better protection against cyberattacks targeting critical systems and services.
EU member states were required to transpose NIS2 into national law by 17 October 2024, meaning enforcement frameworks are now active across the bloc.
Why NIS2 Matters — Key Facts & Figures
NIS2 significantly expands the scope of EU cybersecurity regulation. It now covers 18 critical sectors — a substantial increase from the original NIS Directive — and applies to thousands of medium and large organisations across energy, transport, finance, health, digital infrastructure, water, and public administration.
The directive's reach extends beyond EU borders. Non-EU companies offering services in EU markets are also subject to NIS2 obligations, making it a global compliance consideration for internationally active businesses.
Incident reporting requirements have also been tightened, with faster mandatory notification timelines imposed on covered entities compared to the previous regime.
Who Must Comply With NIS2?
NIS2 groups in-scope organisations into two categories. Essential Entities are those whose disruption could seriously affect society or the economy — including energy and utilities, transport, banking and finance, healthcare, water supply, and digital infrastructures such as cloud providers, data centres, and DNS operators.
Important Entities cover sectors that are critical but considered lower risk than essential entities, including manufacturing, food supply, scientific research, and postal and courier services. In both cases, organisations must typically meet a size threshold — medium or large enterprise — to fall within scope.
What NIS2 Requires — Key Obligations
NIS2 raises the bar on cybersecurity expectations across all covered organisations. Entities must implement structured, proportionate risk management measures to address threats and vulnerabilities. Top management involvement is mandatory — boards must ensure active oversight of cyber risk, making cybersecurity a legal governance responsibility at executive level.
Beyond internal governance, NIS2 requires rapid notification of cybersecurity incidents to national authorities under strict timelines. Organisations must also evaluate and manage risks within their third-party supply chains, and national authorities are empowered to audit compliance and impose significant penalties for breaches.
NIS2 Elevates Cybersecurity to Board Level
One of the most significant shifts under NIS2 is the explicit accountability placed on leadership. Cyber risk is no longer solely an IT department concern — boards and senior executives are directly and legally responsible for ensuring their organisations meet NIS2 obligations.
This governance shift means cybersecurity must be embedded into strategic planning, risk management frameworks, and board-level reporting cycles — not treated as a technical afterthought.
Harmonising Cyber Rules Across the EU
NIS2 is designed to eliminate the fragmented cybersecurity regulations that varied significantly between EU member states under the original NIS Directive. By establishing a unified baseline, it creates more consistent compliance expectations for organisations operating across multiple EU jurisdictions.
For businesses with cross-border operations, this harmonisation reduces the complexity of navigating divergent national frameworks, while still requiring careful attention to the specific transposition measures adopted by each member state.
Strengthening Resilience Across the Digital Economy
From cloud infrastructure to healthcare systems, NIS2 demands that covered organisations be meaningfully better prepared to withstand and recover from cyberattacks. The directive's emphasis on proportionate risk management, supply chain security, and incident response reflects the EU's broader ambition to build a resilient digital single market.
Essential Takeaways for Business Leaders
NIS2 is the next-generation EU cybersecurity law, replacing the older NIS rules and significantly expanding scope.
It applies broadly across 18 critical sectors and thousands of organisations — including non-EU businesses serving EU markets.
Risk management, incident reporting, and governance are at the heart of compliance.
Boards and executives are directly accountable for cybersecurity performance under NIS2.
By harmonising rules across EU member states, the directive helps reduce fragmentation while raising the collective standard of cyber resilience across Europe.