
NIS 2 Directive: Compliance Guide, Fines & Scope

27 November, 2025

The warning shots are over. The NIS 2 Directive is live, and enforcement has begun.

The October 17, 2024, transposition deadline has passed. If you are still asking “how do I prepare?”, you are asking the wrong question. The question now is: “Am I compliant right now?”

This is no longer a drill. The Network and Information Security (NIS) 2 Directive has fundamentally changed the European cybersecurity landscape. It replaces the fragmented approach of the 2016 NIS Directive with a unified, strict enforcement regime.

The stakes have never been higher. Under this new law, C-level executives can be held personally liable for security failures.

In this guide, we will cut through the legal jargon. You will learn exactly who is in scope, the 10 mandatory security measures you must implement, and how to automate your gap analysis using SAMMY, our NIS 2 assessment tool.


Key Takeaways about NIS 2

  • The October 17, 2024 transposition deadline has passed, meaning the NIS 2 Directive is currently live and enforceable legislation that automatically applies to medium and large enterprises in critical sectors under the new “Size-Cap” rule.

  • C-level executives and management bodies are now personally liable for cybersecurity failures, with regulators holding the power to temporarily ban natural persons from managerial functions in Essential entities for repeated non-compliance.

  • Incident reporting timelines have tightened drastically, requiring organizations to submit an “Early Warning” to the competent authority within 24 hours of becoming aware of a significant incident, rather than the previous 72-hour standard.

  • Financial penalties have been standardized and increased, with fines reaching a maximum of at least €10 million or 2% of global annual turnover for Essential entities, and €7 million or 1.4% for Important entities.

  • To avoid managing complex requirements via spreadsheets, organizations can use SAMMY to run an automated NIS 2 assessment that maps legal text to actionable questions and creates the necessary audit trail for governance oversight.


What is the NIS 2 Directive?

The NIS 2 Directive (Directive (EU) 2022/2555) is comprehensive EU legislation designed to achieve a high common level of cybersecurity across the European Union.

It mandates strict risk management measures and reporting obligations for entities in critical sectors, such as energy, transport, health, and digital infrastructure.

The directive officially repeals the original NIS Directive (NIS 1) from 2016. While the first directive started the conversation, it allowed member states too much flexibility. This resulted in a fragmented landscape where security standards varied wildly from one country to another.

NIS 2 eliminates these inconsistencies. It establishes a uniform baseline for cybersecurity that applies across the internal market. The goal is to ensure that the services essential to our economy and society remain resilient, even when facing large-scale cyber threats.

Key objectives of the directive include:

  • Harmonization: Creating consistent rules for all Member States.
  • Expanded Scope: Covering more sectors and entities than ever before.
  • Stronger Enforcement: Introducing minimum lists of administrative sanctions and fines.


What is The Scope of NIS 2? (The Size-Cap Rule)

Under the old rules, member states decided who was regulated. That system is dead.

NIS 2 introduces the “Size-Cap Rule”. If you operate in a listed sector and meet the size criteria, you are automatically in scope. You do not need to wait for a letter from the government. You must assess yourself.

1. The General Rule

You are regulated if you operate in a sector listed in Annex I or Annex II AND you meet the definition of a Medium or Large enterprise:

  • Medium: 50 to 249 employees OR €10 million to €43 million turnover.
  • Large: 250+ employees OR over €50 million turnover or €43 million balance sheet.

2. The Sectors (Annex I vs. Annex II)

Knowing your sector is critical. It determines if you are an Essential entity (High Criticality) or an Important entity (Other Critical Sectors).

Annex I: Sectors of High Criticality

If you are a large enterprise in these sectors, you are likely an Essential Entity:

  • Energy: Electricity, District heating/cooling, Oil, Gas, and Hydrogen.
  • Transport: Air, Rail, Water, and Road.
  • Finance: Banking and Financial market infrastructures.
  • Health: Healthcare providers, labs, and R&D for medicines.
  • Water: Drinking water suppliers and Waste water treatment.
  • Digital Infrastructure: Cloud providers, Data centers, DNS, TLD registries, and Trust services.
  • ICT Service Management: Managed Service Providers (MSPs) and Security Service Providers (MSSPs).
  • Public Administration: Central and regional government entities.
  • Space: Operators of ground-based infrastructure.

Annex II: Other Critical Sectors

If you are in these sectors, you are likely an Important Entity:

  • Postal and Courier Services.
  • Waste Management.
  • Chemicals: Manufacture, production, and distribution.
  • Food: Production, processing, and distribution.
  • Manufacturing: Medical devices, computers, electronics, machinery, and vehicles.
  • Digital Providers: Online marketplaces, search engines, and social networking platforms.
  • Research: Research organizations.

3. The Critical Exceptions

However, size does not always matter. Some entities are so critical that they are in scope regardless of their revenue or headcount. You are automatically regulated if you are:

  • A DNS service provider or Top-Level Domain (TLD) name registry.
  • A Trust Service Provider (e.g., digital signatures).
  • A provider of public electronic communications networks or services.
  • A Public Administration entity (Central government).
  • The sole provider of an essential service in a Member State.
  • An entity identified as a critical entity under the CER Directive (Directive (EU) 2022/2557).

If you fall into any of these categories, you must comply immediately. The legal deadline for these measures (18 October 2024) has already passed, meaning you are currently exposed to enforcement action if you have not yet acted.


Essential vs. Important Entities in NIS 2

Once you know you are in scope, you must determine your classification. NIS 2 divides regulated companies into two categories: Essential and Important.

While both must implement the same security measures and report incidents, the difference lies in how you are supervised and the penalties you face.

1. Essential Entities (The “Heavyweights”)

You are an Essential Entity if you meet any of the following criteria:

  • Size + Sector: You are a Large enterprise (250+ employees or >€50M turnover) operating in an Annex I sector (e.g., Energy, Transport, Banking, Health).
  • Specific Type: You are a Qualified Trust Service Provider, Top-Level Domain (TLD) name registry, or DNS service provider (regardless of size).
  • Public Sector: You are a central government public administration entity.
  • Critical Status: You have been identified as a “critical entity” under the CER Directive (Directive (EU) 2022/2557).

How regulators watch you: Regulators use Ex-Ante Supervision. They do not wait for a hack. They can conduct random inspections, regular audits, and on-site security scans at any time to prove you are compliant.

Essential vs important organizations in NIS 2

2. Important Entities

You are an Important Entity if you do not meet the “Essential” criteria but still fall under the directive’s scope. This typically includes:

  • Size + Sector: You are a Medium-sized enterprise operating in an Annex I sector.
  • Annex II Sectors: You are a Medium or Large enterprise operating in an Annex II sector (e.g., Waste, Food, Manufacturing, Digital Providers).

How regulators watch you: Regulators use Ex-Post Supervision. They act primarily after an incident occurs or if they receive evidence of non-compliance. While this sounds less intense, do not be fooled. If a breach happens and your documentation is missing, the penalties are severe.


The 4 Non-Negotiable Requirements of NIS 2

Compliance with NIS 2 is built on four pillars: Governance, Risk Management, Reporting, and Registration. You cannot pick and choose; you must execute all of them to avoid penalties.

1. Governance: Board Responsibility and Personal Liability

Under the old rules, cybersecurity was often buried in the IT department. NIS 2 forces it into the boardroom. Article 20 explicitly targets the “Management Bodies” (C-Suite and Boards), making them personally accountable for cyber risks.

The 3 New Executive Obligations:

  • Approval and Oversight: You cannot just hire a CISO and walk away. The management body must formally approve the cybersecurity risk-management measures and oversee their implementation.
  • Mandatory Training: Ignorance is no longer a legal defense. Members of the management body are required to undergo cybersecurity training to ensure they can assess risks effectively.
  • Personal Liability: This is the wake-up call. Member States ensure that executives can be held personally liable if the organization fails to comply with Article 21. For Essential Entities, regulators even have the power to temporarily ban a CEO or legal representative from exercising managerial functions.

2. Risk Management: The 10 Mandatory Measures (Article 21)

Article 21 requires you to adopt an “all-hazards approach”. This means your security strategy must account for everything: malicious cyberattacks, human error, system failures, and physical events like fires or floods.

You must implement these 10 specific measures:

  1. Policies on Risk Analysis: Documented policies defining how you identify and protect against risks.
  2. Incident Handling: A concrete plan for prevention, detection, and response.
  3. Business Continuity: Backup management, disaster recovery, and crisis management plans.
  4. Supply Chain Security: Assessing the security risks unique to your direct suppliers and service providers.
  5. Security in Development: Managing vulnerabilities throughout the lifecycle of your network and systems.
  6. Assessing Effectiveness: Policies to regularly test and audit your security measures.
  7. Cyber Hygiene and Training: Mandatory staff training and basic hygiene practices.
  8. Cryptography: Policies on the use of encryption to protect data.
  9. HR Security: Strict access control and asset management policies.
  10. Multi-Factor Authentication (MFA): Using MFA and secured communications for emergency systems.

3. Reporting: The 24-Hour Reality

NIS 2 mandates a tiered reporting timeline that is much faster than many organizations are used to. If you rely on the “72-hour” standard from GDPR, you are non-compliant. You must report any “significant incident” (one causing severe disruption or financial loss) according to this schedule:

  • Early Warning (24 Hours): You must notify the CSIRT within 24 hours. This is a “flag-raising” exercise to indicate if the incident is suspected to be malicious or has cross-border impact.
  • Incident Notification (72 Hours): You must provide an initial assessment of the severity, impact, and indicators of compromise (IoCs).
  • Final Report (1 Month): You must submit a detailed report covering the root cause, mitigation measures applied, and cross-border impact.

4. Registration: You Must Identify Yourself

Finally, you cannot be compliant in secret. Article 3 requires all Essential and Important entities to submit their details to the competent national authority. This includes your name, address, up-to-date contact details, and IP ranges.

  • Action: Check your national regulator’s website immediately. Many countries have specific portals and deadlines for this registration.


Fines & Penalties: Cost of Non-Compliance with NIS 2

If the personal liability does not motivate your organization, the financial penalties will. NIS 2 introduces a standardized penalty regime that gives regulators real teeth.

Unlike the original directive, where fines varied wildly by country, NIS 2 sets a floor on the maximum administrative fine that every Member State must be able to impose (a “minimum maximum”).

1. Financial Fines

The fines are tiered based on your classification:

  • Essential Entities: Regulators must be able to issue fines of at least €10,000,000 or 2% of total worldwide annual turnover (whichever is higher).
  • Important Entities: Regulators must be able to issue fines of at least €7,000,000 or 1.4% of total worldwide annual turnover (whichever is higher).

While these percentages are lower than the 4% maximum under GDPR, they are still massive. For a global enterprise, a 2% fine can erase a year’s worth of profit.

Essential vs important fines in NIS 2

2. Non-Monetary Penalties

Money is not the only lever regulators can pull. They also have the power to issue “Binding Instructions” and “Compliance Orders.” This means they can force you to implement specific security measures or audit your systems at your own expense.

3. The “Executive Ban” (The Nuclear Option)

For Essential Entities, there is a penalty worse than a fine. If an entity repeatedly fails to comply with enforcement orders, the competent authority can request a temporary ban on any natural person discharging managerial responsibilities (e.g., the CEO).

This prohibits them from exercising managerial functions in that entity. In simple terms: Non-compliance can cost you your job.


NIS 2 vs. The Cyber Resilience Act (CRA): What’s the Difference?

If you are feeling overwhelmed by EU acronyms, you are not alone. Alongside NIS 2, you have likely heard of the Cyber Resilience Act (CRA). While both aim to secure the digital landscape, they target completely different parts of your business.

Think of it this way: NIS 2 secures the organization, while CRA secures the product.

The Core Distinction

  • Focus
    • NIS 2 Directive: Operational Resilience. Ensuring your company keeps running during an attack.
    • Cyber Resilience Act (CRA): Product Security. Ensuring the software/hardware you sell has no vulnerabilities.
  • Target Audience
    • NIS 2 Directive: Operators. Energy grids, hospitals, SaaS platforms, and critical infrastructure.
    • Cyber Resilience Act (CRA): Manufacturers. Developers of software, IoT devices, firewalls, and digital products.
  • Key Requirement
    • NIS 2 Directive: Risk management measures, backups, and incident reporting.
    • Cyber Resilience Act (CRA): “Secure by Design” development, vulnerability patching, and CE marking.
  • Timeline
    • NIS 2 Directive: Live Now. Enforcement began Oct 18, 2024.
    • Cyber Resilience Act (CRA): Coming Soon. Full enforcement expected around late 2027 (with some reporting obligations earlier).


How They Overlap (The Supply Chain Link)

This is where it gets critical for your strategy.

  • If you are a NIS 2 entity: You are required to assess the security of your supply chain (Article 21). The CRA helps you do this. In the future, you will likely require your vendors to prove they are CRA compliant (CE marked) as a condition of doing business.
  • If you are a software vendor: You might be hit by both. You need NIS 2 because you provide a “digital service” (like cloud computing), and you need CRA because you license software code.

The Bottom Line: NIS 2 is your immediate “license to operate.” CRA is your future “license to sell.” Don’t confuse the two, but prepare for both.


It’s Not Just Brussels: National Laws Matter in NIS 2

While NIS 2 is an EU Directive, it is not a single, uniform law that applies identically everywhere. It is a “Directive,” not a “Regulation” (like GDPR).

This means every Member State had to write its own national version of the law. As a result, we now have a patchwork of 27 different legal variations. While the core rules (Article 21 measures) are the same, the administrative deadlines, registration portals, and fine structures vary significantly.

The “Patchwork” of Enforcement (November 2025 Status)

If you operate across borders, you cannot just “comply with the EU.” You must comply with each nation individually. Here is how widely the landscape differs right now:

  • Germany (The “Just-In-Time” Enforcer): After months of delay, Germany finally passed its national implementation act (NIS2UmsuCG) in November 2025. If you are a German entity, the clock has officially started.
    • Critical Deadline: Essential and Important entities must register with the BSI (“Bundesamt für Sicherheit in der Informationstechnik”) by April 2026.
  • Belgium (The Early Adopter): Belgium was ahead of the curve. The Belgian law has been fully active since October 2024.
    • Critical Status: The registration deadline in the Safeonweb@work portal of the CCB (“Centre for Cybersecurity Belgium”) passed in March 2025. If you are a Belgian entity and haven’t registered, you are already in violation.
  • France (The “In-Progress” Giant): France has been transposing the directive via a bill aimed at strengthening the resilience of critical infrastructures. The national regulator, ANSSI (“Agence Nationale de la Sécurité des Systèmes d’Information”), is the authority to watch. If you have French operations, you must check the ANSSI portal immediately for the specific “OIV” (Operator of Vital Importance) vs. “OSE” (Operator of Essential Services) transition timelines.

Action Item: Find Your Regulator

Do not assume your headquarters’ rules apply to your branch offices. You must identify the “Competent Authority” in every country where you have critical infrastructure. Here are some examples:

  • Germany: BSI (“Bundesamt für Sicherheit in der Informationstechnik”)
  • France: ANSSI (“Agence Nationale de la Sécurité des Systèmes d’Information”)
  • Belgium: CCB (“Centre for Cybersecurity Belgium”)


How to Run a NIS 2 Assessment

Knowing the requirements is only step one. The harder part is proving to an auditor that you actually meet them.

You could try to manage this with a massive spreadsheet, but that is prone to error and hard to track. A better way is to use a dedicated platform that automates the gap analysis for you.

We have built a specific NIS 2 Assessment Module inside our security assurance management platform, SAMMY. It translates the legal text into actionable questions, allowing you to see exactly where you stand in minutes.

Watch this short guide to see it in action:

How to implement a NIS 2 assessment in SAMMY

Step-by-Step: Automating Your Compliance

  1. Select the Framework: As shown in the video, you don’t need to be a legal expert. Simply log in to SAMMY, create a new assessment, and select “NIS 2” from the framework dropdown.
  2. Guided Assessment: SAMMY breaks down the 10 mandatory measures into specific, answerable questions. It maps these against standard security controls (like NIST and ISO), so you can reuse work you have already done.
  3. The “Four-Eyes Principle” (Governance): Compliance is a team sport. SAMMY allows you to assign one person to submit answers and a second person to validate them. This creates an audit trail. It proves to regulators that you have the oversight required by Article 20.
  4. Instant Gap Analysis: Once you finish, SAMMY generates a visual report. You can see your “maturity score” and export a Gap Report to share with your Board. This gives them the clear data they need to approve the necessary budget and security upgrades.


Is Your Organization NIS 2 Compliant? Prove It.

Compliance is no longer just an IT problem; it’s a Board-level liability. SAMMY transforms the NIS 2 Directive from a legal headache into a manageable, measurable process.


With SAMMY, you can:

  • Map your current security controls directly to NIS 2 requirements.
  • Track progress across Governance, Risk Management, and Reporting obligations.
  • Identify critical gaps in your supply chain and security posture instantly.
  • Generate the concrete data your C-suite needs to sign off on risk measures.

Don’t wait for the regulator to knock.


Conclusion

The NIS 2 Directive is not just another compliance checklist. It is a fundamental shift in how Europe views cybersecurity. It treats digital security as a core responsibility of doing business, just like paying taxes or ensuring workplace safety.

For the first time, the “corporate veil” has been pierced. Security is no longer just an IT problem; it is a personal liability for the people at the very top.

The enforcement has begun. The fines are real. The only question left is: Are you ready?

You don’t have to navigate this alone. Start your assessment in SAMMY today to see exactly where you stand, identify your biggest gaps, and give your Board the clear, visual data they need to act. The cost of compliance is significant, but the cost of negligence is now far higher.



Author


Nicolas is a Solutions Engineer at Codific. He is a certified Product Owner, an AppSec enthusiast and possesses a thorough understanding of the AppSec and EdTech industry landscapes. Nicolas has an MSc in Business Information Management from the Rotterdam School of Management and a BSc in Economics and Business Economics from the Erasmus School of Economics. While having a non-technical educational background, Nicolas has strongly developed his technical expertise particularly around topics like data privacy and security, application security and secure software development, in the three years he has been working for Codific.
