NIS2 Directive: What EU Businesses Need to Know in 2026
NIS2 is the EU's biggest cybersecurity law update in a decade. It applies to more sectors, imposes stricter requirements, and makes management bodies liable for their organisation's compliance.
Key Takeaway
NIS2 expands EU cybersecurity obligations to 18 sectors, requires an early warning of significant incidents within 24 hours, mandates risk management measures including MFA and encryption, and makes management bodies liable for non-compliance. Maximum fines are at least €10 million or 2% of global annual turnover, whichever is higher.
What Is NIS2?
The NIS2 Directive (Directive (EU) 2022/2555) replaces the original NIS Directive from 2016. It entered into force on 16 January 2023, and EU member states were required to transpose it into national law by 17 October 2024. It significantly expands the scope, requirements, and penalties for cybersecurity in the EU.
Where NIS1 focused narrowly on operators of essential services and digital service providers, NIS2 covers 18 sectors and introduces two categories: "essential entities" and "important entities." The full text is available on EUR-Lex.
Who It Applies To
Essential entities (Annex I sectors of high criticality; proactive supervision and the highest fines):
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking and financial market infrastructure
- Health (hospitals, labs, pharma, medical devices)
- Drinking water and wastewater
- Digital infrastructure (DNS, TLD registries, cloud, data centers, CDNs)
- ICT service management (managed services, managed security services)
- Public administration
- Space
Important entities (Annex II sectors; the same Article 21 security measures, but after-the-fact supervision and lower maximum fines):
- Postal and courier services
- Waste management
- Chemical manufacturing and distribution
- Food production and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social platforms)
- Research organizations
Size matters: NIS2 generally applies to medium-sized and large entities (50 or more employees, or annual turnover or balance sheet above €10 million). Large entities in the sectors listed under essential entities are essential entities; medium-sized entities in those sectors, and medium-sized or large entities in the sectors listed under important entities, are important entities. Some entities are covered regardless of size, for example DNS service providers, TLD name registries, qualified trust service providers, providers of public electronic communications networks, and central government public administration bodies.
Security Requirements
Article 21 lists minimum cybersecurity risk management measures:
- Risk analysis and information system security policies
- Incident handling (prevention, detection, response)
- Business continuity and crisis management (backups, disaster recovery)
- Supply chain security (security requirements for suppliers)
- Security in network and information systems acquisition, development, and maintenance (including vulnerability handling and disclosure)
- Policies and procedures to assess the effectiveness of cybersecurity measures
- Basic cyber hygiene practices and cybersecurity training
- Policies on the use of cryptography and encryption
- Human resources security, access control policies, and asset management
- Multi-factor authentication (MFA) or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communication systems
Incident Reporting
NIS2 introduces a three-stage reporting obligation for significant incidents:
- Early warning within 24 hours of becoming aware of the incident. Notify the national CSIRT (Computer Security Incident Response Team) or competent authority. State whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.
- Incident notification within 72 hours of becoming aware. Update the early warning with an initial assessment: severity, impact, and, where available, indicators of compromise. (Trust service providers must submit this notification within 24 hours.)
- Final report within one month of the incident notification. Detailed description of the incident including severity and impact, the type of threat or root cause that likely triggered it, mitigation measures applied and ongoing, and cross-border impact if applicable. The CSIRT or authority can also request an intermediate progress report in the meantime.
A "significant incident" is one that has caused or could cause severe operational disruption of services or financial loss for the entity, or has affected or could affect other natural or legal persons by causing considerable material or non-material damage. ENISA provides guidance on classification, and for DNS, TLD, cloud, data centre, CDN, managed service and managed security service providers, digital providers, and trust service providers, Commission Implementing Regulation (EU) 2024/2690 sets concrete thresholds.
Management Liability
NIS2 Article 20 requires that management bodies of essential and important entities approve cybersecurity risk management measures and oversee their implementation. Members of management bodies must follow cybersecurity training, and entities are encouraged to offer similar training to employees.
The directive explicitly states that management bodies can be held liable for infringements of Article 21. Competent authorities can order specific remediation and, for essential entities where other enforcement measures have proved ineffective, temporarily suspend a certification or authorisation, or temporarily prohibit a person with managerial responsibility at CEO or legal representative level from exercising managerial functions.
Penalties
| Entity Type | Maximum Fine (national law must allow at least this; whichever is higher) |
|---|---|
| Essential entities | €10 million or 2% of global annual turnover |
| Important entities | €7 million or 1.4% of global annual turnover |
National authorities can also issue warnings and binding instructions, order compliance audits, impose periodic penalty payments, and require public disclosure of non-compliance.
How to Prepare
- Determine if NIS2 applies to you. Check your sector and size against the categories above.
- Conduct a risk assessment. Identify your critical systems, data flows, and threats.
- Implement Article 21 measures. Start with MFA, encryption, backup, and vulnerability management.
- Establish incident response. Create a documented plan with clear roles, communication templates, and CSIRT contact details.
- Audit your supply chain. Map your suppliers and assess their security practices.
- Train management. Board-level cybersecurity awareness is a legal requirement.
- Run regular vulnerability scans. ismycodesafe.com covers web application security across 110 checks. Use it alongside infrastructure-level scanning tools.
ismycodesafe.com Security Team
We run automated security scans on thousands of websites daily, combining static analysis, SSL/TLS inspection, header auditing, and CVE lookups. Our team tracks OWASP, NIST, and evolving compliance requirements (GDPR, NIS2, PCI DSS) to keep these guides accurate and practical.