NIS2

NIS2 is the EU's directive on network and information security (Directive 2022/2555). It sets requirements for how organisations in critical sectors manage cybersecurity risks, report incidents and secure their supply chains. The directive replaced the original NIS Directive in January 2023.

    What is NIS2?

    NIS2 (Network and Information Security Directive 2, EU Directive 2022/2555) is the EU's updated rulebook for cybersecurity. It entered into force on 16 January 2023 and was due to be transposed into national legislation by 17 October 2024.

    The directive is a response to the growing threat landscape. Cyberattacks increasingly target critical infrastructure, and the original NIS Directive from 2016 proved insufficient. NIS2 expands both the scope (more sectors) and the requirements (stricter measures).

    Who is covered by NIS2?

    NIS2 covers organisations in 18 sectors, divided into two categories:

    Essential entities (strict requirements and proactive supervision):

    • Energy (electricity, gas, oil, district heating)
    • Transport (air, rail, road, maritime)
    • Health
    • Drinking water and wastewater
    • Digital infrastructure (DNS, TLD registries, cloud, data centres)
    • Public administration
    • Space

    Important entities (less strict but still significant requirements):

    • Postal and courier services
    • Waste management
    • Chemicals and food industry
    • Manufacturing
    • Digital services (marketplaces, search engines, social networks)
    • Research

    Size threshold:
    As a general rule, medium-sized organisations (50+ employees or EUR 10 million+ turnover) and large organisations in the listed sectors are covered. However, certain types of organisations are covered regardless of size, such as DNS providers and TLD registries.

    What does NIS2 require?

    NIS2 imposes requirements in four main areas:

    • Risk management: Organisations must carry out risk assessments and implement appropriate security measures covering policies, incident handling, business continuity and supply chain security.
    • Incident reporting: Significant incidents must be reported to the authorities within 24 hours (early warning) followed by a full report within 72 hours.
    • Supply chain security: Organisations must assess and manage risks from their suppliers and service providers.
    • Management accountability: Senior management must approve cybersecurity measures and can be held personally liable. They must also undergo cybersecurity training.

    NIS2 vs ISO 27001

    Many organisations ask whether ISO 27001 certification is enough to satisfy NIS2. The answer is: it helps enormously, but does not cover everything.

    ISO 27001 provides a solid foundation for information security management, and there is substantial overlap with NIS2's requirements. However, NIS2 imposes specific requirements for incident reporting and supply chain security that ISO 27001 does not directly address.

    Frequently Asked Questions about NIS2

    What is NIS2?

    NIS2 is the EU's directive on network and information security (Directive 2022/2555). It sets requirements for risk management, incident reporting and supply chain security for organisations in critical and important sectors.

    Who is covered by NIS2?

    NIS2 covers organisations in 18 sectors, divided into essential and important entities. These include energy, transport, health, digital infrastructure, public administration and many more. Generally, medium-sized and large organisations in these sectors are covered.

    What is the difference between NIS2 and ISO 27001?

    NIS2 is a legal requirement from the EU focused on cybersecurity in critical sectors. ISO 27001 is a voluntary international standard for information security management. They overlap significantly, but NIS2 additionally requires incident reporting and supply chain security measures that ISO 27001 does not directly cover.

    When did NIS2 enter into force?

    NIS2 entered into force on 16 January 2023. EU Member States were required to transpose it into national legislation by 17 October 2024.

    What happens if an organisation does not comply with NIS2?

    NIS2 introduces significant penalties for non-compliance. Essential entities face fines of up to EUR 10 million or 2% of global annual turnover, whilst important entities face fines of up to EUR 7 million or 1.4% of global annual turnover.
