NIS 2 Directive.

NIS 2 is the EU directive that puts cybersecurity boards on the hook. Mid-sized or larger, in any of 18 listed sectors, you are in scope. The clock starts on the first significant incident: 24-hour early warning, 72-hour notification, full report at one month. Penalties bite (10 million euros or 2% of worldwide turnover). Transposition state varies country to country.

By Christophe Mazzola, Practicing CISO · Founder of Cyber AcademyEU regulationsAll entries

The Cyber Academy take

NIS 2 is the EU directive that puts cybersecurity boards on the hook. Mid-sized or larger, in any of 18 listed sectors, you are in scope. The clock starts on the first significant incident: 24-hour early warning, 72-hour notification, full report at one month. Penalties bite (10 million euros or 2% of worldwide turnover). Transposition state varies country to country.

What NIS 2 actually changes

NIS 2 is the second iteration of the EU Network and Information Security Directive, and it widens the net considerably from the original NIS regime. Where the first directive leaned on national authorities to identify operators of essential services case by case, NIS 2 sets self-identifying criteria: if you operate in one of the listed sectors and you clear the size threshold, you are in scope and expected to know it. The directive sorts in-scope organisations into two tiers, "essential" and "important" entities, which mainly affects how supervision and enforcement are applied rather than the baseline obligations themselves.

The headline shift is accountability. NIS 2 makes management bodies responsible for approving and overseeing cybersecurity risk-management measures, and it expects them to follow training so they can actually exercise that oversight. Security stops being something the IT department owns quietly and becomes a governance topic the board has to sign off on. That is the practical reason the directive is so often summarised as "putting boards on the hook".

Scope, sectors and the size test

Scope rests on two questions: are you in a listed sector, and are you big enough? The directive covers sectors split between "high criticality" and "other critical" categories, spanning energy, transport, banking, health, water, digital infrastructure, public administration, postal services, manufacturing of certain products, food, and more. The size test generally pulls in medium and large organisations, with smaller entities sometimes caught when their role is critical regardless of headcount. Because Member States can designate additional entities, the only safe approach is to map your own activities against the sector annexes rather than assume you are too small to matter.

The incident reporting clock

What practitioners feel most directly is the reporting timeline, which kicks in on a significant incident. It runs in stages: an early warning within 24 hours, a fuller notification within 72 hours, and a final report at the one-month mark, with the competent authority or CSIRT as the recipient. The point of the staged model is to surface incidents fast without forcing a complete forensic picture on day one. To meet it you need detection that flags significance quickly, a decision owner who can classify an incident, and pre-drafted notification templates so the clock does not catch you writing from scratch.

Backing the timeline are risk-management obligations that read like a familiar baseline: incident handling, business continuity and backups, supply-chain security, secure development and maintenance, vulnerability handling, the use of cryptography, access control and multi-factor authentication, and policies to test how well all of it works. None of this is exotic. An organisation running a mature ISMS, for example one aligned to ISO 27001, already covers most of the ground; the work is mapping existing controls to NIS 2 expectations and closing the governance and reporting gaps.

What being in scope means in practice

If you conclude you are in scope, the practical programme is fairly consistent: register with the relevant national authority where required, formalise board-level oversight of cyber risk, document your risk-management measures against the directive headings, stand up an incident-classification and notification process that can hit the 24/72/one-month windows, and extend due diligence into your supply chain because suppliers are explicitly part of the risk picture. Enforcement has teeth, with fines reaching into the tens of millions of euros or a percentage of worldwide turnover, plus the possibility of management accountability, which is exactly why the directive pushes responsibility upward.

Frequently asked questions

01How do I know if my organisation is in scope of NIS 2?

Check two things: whether you operate in one of the directive's listed sectors, and whether you meet the size threshold, which generally captures medium and large organisations. Some smaller entities are pulled in when their role is critical, and Member States can designate additional ones, so map your activities against the sector annexes rather than assuming.

02What are the NIS 2 incident reporting deadlines?

For a significant incident the clock runs in stages: an early warning within 24 hours, a notification within 72 hours, and a final report within one month. The recipient is the competent national authority or CSIRT.

03What is the difference between NIS 1 and NIS 2?

NIS 2 widens the scope to more sectors and uses self-identifying size criteria instead of relying mainly on national authorities to designate operators. It also strengthens incident reporting, supply-chain security and, crucially, makes management bodies directly accountable for cybersecurity measures.

04How does NIS 2 relate to ISO 27001?

They overlap heavily on substance. An ISMS aligned to ISO 27001 already addresses most NIS 2 risk-management measures such as incident handling, business continuity, access control and cryptography. ISO 27001 is a certifiable standard you adopt voluntarily, while NIS 2 is a legal obligation; the practical task is mapping your existing controls to the directive and filling reporting and governance gaps.

05Why does NIS 2 talk so much about management responsibility?

Because it makes management bodies responsible for approving and overseeing cybersecurity risk-management measures, and expects them to be trained to do so. Security becomes a board-level governance topic, and accountability can attach to leadership, not just the IT function.

Need more than a definition?

Book a free 20-minute discovery call. We map the cohort that turns this term into an audit-ready practice.