Overview
The NIS2 Directive (EU Directive 2022/2555 on measures for a high common level of cybersecurity across the Union) is the EU's updated framework for cybersecurity risk management and incident reporting. It replaces the original NIS Directive (2016/1148) and represents a substantial expansion in both scope and stringency.
Published on December 27, 2022, NIS2 entered into force on January 16, 2023, with EU member states required to transpose it into national law by October 17, 2024. The directive now covers organizations in over 18 sectors — from energy and transport to manufacturing, food production, and research institutions.
Because NIS2 is a directive, it only binds organizations once their member state transposes it. Most have now done so, but the picture remains uneven: as of mid-2026 around 22 of 27 member states have adopted transposing legislation, while five — France, Ireland, Luxembourg, the Netherlands, and Spain — are still in their national legislative processes. The Commission has opened infringement proceedings to push the laggards along (see Transposition Status). Separately, on January 20, 2026 the Commission proposed a package of targeted NIS2 amendments plus a new Cybersecurity Act 2 (see 2026 Proposed Amendments).
For AI compliance teams, NIS2 is directly relevant: organizations deploying AI systems in any covered sector must ensure those systems and their supply chains meet NIS2's cybersecurity standards. The EU AI Act cross-references NIS2 in its cybersecurity requirements for high-risk AI, creating an overlapping compliance landscape that teams must navigate together — though note that the AI Act's high-risk obligations have themselves been deferred to December 2027 (covered below).
Who It Applies To
NIS2 distinguishes between two tiers of regulated organizations based on sector and size:
Essential Entities
Large organizations (≥250 employees or >€50M annual turnover and >€43M balance sheet) in high-criticality sectors. Subject to proactive supervision by national authorities — regulators can conduct audits, targeted security scans, and on-site inspections without waiting for an incident.
Important Entities
Medium-sized organizations (50–249 employees or €10M–€50M turnover) in high-criticality sectors, and all sizes in other critical sectors. Subject to reactive supervision — authorities investigate after receiving evidence of non-compliance or an incident.
Geographic Reach
NIS2 applies to entities established in the EU and to entities established outside the EU but offering services inside the EU in covered sectors. Non-EU entities must designate an EU representative.
Exclusions
Micro and small enterprises (fewer than 50 employees and under €10M turnover) are generally excluded unless they are the sole provider of an essential service in a member state, or their disruption would have a significant cross-border impact.
Covered Sectors
NIS2 covers organizations in two categories:
Highly Critical Sectors (Annex I)
- Energy — electricity, oil, gas, district heating/cooling, hydrogen
- Transport — air, rail, water, road
- Banking — credit institutions
- Financial market infrastructure — trading venues, CCPs
- Health — hospitals, healthcare providers, EU reference laboratories, pharmaceutical manufacturers, medical device manufacturers
- Drinking water
- Wastewater
- Digital infrastructure — internet exchange points, DNS service providers, TLD registries, cloud computing service providers, data centre services, content delivery networks, trust service providers, providers of public electronic communications networks
- ICT service management (B2B) — managed service providers (MSPs), managed security service providers (MSSPs)
- Public administration — central government entities, regional entities with significant cross-border impact
- Space — ground-based infrastructure supporting space services
Other Critical Sectors (Annex II)
- Postal and courier services
- Waste management
- Manufacture, production, and distribution of chemicals
- Production, processing, and distribution of food
- Manufacturing — medical devices, computers and electronics, machinery, motor vehicles, other transport equipment
- Digital providers — online marketplaces, online search engines, social networking platforms
- Research — research organisations (optional for member states)
Key Requirements
NIS2 mandates ten baseline cybersecurity risk-management measures for all covered entities. These are minimum requirements; member states may impose stricter standards.
Binding technical detail for digital-infrastructure and digital providers. For one specific group of entities, the measures below are no longer described only in general terms. Commission Implementing Regulation (EU) 2024/2690 (in force since October 2024, and directly applicable in all member states without national transposition) lays down binding technical and methodological requirements — organized into 13 thematic areas — and specifies exactly when an incident counts as "significant" for DNS service providers, TLD name registries, cloud computing providers, data centre providers, content delivery networks, managed service providers (MSPs), managed security service providers (MSSPs), online marketplaces, online search engines, social networking platforms, and trust service providers. ENISA has published accompanying Technical Implementation Guidance. If your organization is one of these entity types, treat the Implementing Regulation — not just the ten generic measures — as your detailed compliance baseline.
1. Policies on Risk Analysis and Information Security
Organizations must have documented policies for analyzing cybersecurity risks, assessing their information assets, and maintaining an information security program proportionate to their risk profile.
2. Incident Handling
Covered entities must implement procedures for detecting, analyzing, containing, and recovering from security incidents. They must maintain incident response capabilities and establish clear escalation paths.
3. Business Continuity and Crisis Management
Organizations must have business continuity plans, including backup management, disaster recovery, and crisis management procedures, to ensure they can maintain or rapidly restore essential services after a significant incident.
4. Supply Chain Security
One of NIS2's most significant additions: covered entities must assess and address cybersecurity risks in their supply chains, including relationships with direct suppliers and service providers. This means evaluating the security practices of software vendors, cloud providers, AI platform providers, and other technology suppliers.
5. Security in Network and Information Systems Acquisition, Development, and Maintenance
Organizations must integrate security into procurement, development, and maintenance of network and information systems — including vulnerability disclosure policies and processes for handling and publishing vulnerabilities.
6. Policies and Procedures to Assess Cybersecurity Risk-Management Measure Effectiveness
Covered entities must have policies and procedures to assess the effectiveness of their cybersecurity measures, including regular testing and evaluation.
7. Basic Cyber Hygiene Practices and Cybersecurity Training
Organizations must implement basic cyber hygiene (patching policies, password management, multi-factor authentication) and provide regular cybersecurity awareness training to employees.
8. Cryptography and Encryption Policies
Where appropriate, organizations must use encryption and cryptographic controls. NIS2 requires policies on the use of cryptography and, where relevant, encryption.
9. Human Resources Security, Access Control, and Asset Management
Covered entities must manage human resources security (background checks, access revocation procedures), enforce access control policies, and maintain an asset management inventory.
10. Multi-Factor Authentication and Secured Communications
Organizations must use multi-factor authentication (MFA) or continuous authentication solutions, and use secured voice, video, and text communications and secured emergency communications where appropriate.
Management Accountability
Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and can be held personally liable for systematic non-compliance. Management must also receive regular cybersecurity training.
AI & NIS2 Intersection
NIS2 was not designed specifically as an AI regulation, but it has significant implications for any organization deploying AI systems in covered sectors.
AI Systems as ICT Assets
Under NIS2, AI systems used in essential or important entities are ICT assets that must be covered by the organization's cybersecurity risk-management program. This includes:
- AI models used in operational technology (energy management systems, traffic control, industrial control systems)
- AI-powered security tools (anomaly detection, threat intelligence, fraud detection)
- AI systems processing sensitive data (health AI, financial AI, government AI)
- Generative AI tools used by employees in covered organizations
AI Vendors as Supply Chain Risk
NIS2's supply chain security requirements (Article 21(2)(d)) are particularly significant for AI deployments. Organizations must assess the cybersecurity practices of their AI platform providers, model vendors, and AI-as-a-service suppliers. This means:
- Evaluating cybersecurity practices of AI vendors before procurement
- Including security requirements in AI vendor contracts
- Monitoring AI third-party providers for security incidents that could affect your systems
- Maintaining the ability to switch AI providers if a supplier's security posture deteriorates
EU AI Act Cross-Reference
The EU AI Act's Article 15 on accuracy, robustness, and cybersecurity for high-risk AI systems references NIS2, expecting high-risk AI systems to meet NIS2 standards where applicable. Organizations deploying high-risk AI in NIS2-covered sectors will eventually face dual compliance obligations:
| Requirement | EU AI Act | NIS2 |
|---|---|---|
| Cybersecurity of AI systems | Article 15 | Article 21 |
| Incident reporting | Article 73 (serious incidents) | Articles 23-24 (significant incidents) |
| Supply chain / third parties | Article 25 (obligations for distributors) | Article 21(2)(d) (supply chain security) |
| Documentation | Articles 11, 18 (technical docs, logs) | Article 21 (policies and procedures) |
Timing caveat — AI Act high-risk obligations deferred. Under the Digital Omnibus on AI (Commission proposal November 19, 2025; provisional political agreement May 6, 2026; confirmed by the Council May 13, 2026; formal adoption expected before August 2, 2026), the AI Act's high-risk obligations were postponed: stand-alone Annex III high-risk systems move from August 2, 2026 to December 2, 2027, and Annex I embedded high-risk systems to August 2, 2028. The omnibus replaced the originally proposed conditional trigger with these fixed dates. Practically, the AI Act side of the "dual obligation" above is not yet live for high-risk systems — but NIS2's own cybersecurity duties apply now to in-scope entities, independent of the AI Act timeline.
Managed Service Providers Using AI
MSPs and MSSPs — themselves regulated as "essential entities" under NIS2's Annex I — face heightened scrutiny when they provide AI-powered managed services. Their AI tools for threat detection, automated response, and security monitoring must meet the same NIS2 standards as any other ICT system.
Compliance Timeline
| Date | Milestone |
|---|---|
| December 27, 2022 | NIS2 Directive published in Official Journal of the EU |
| January 16, 2023 | NIS2 enters into force (20 days after publication) |
| October 2024 | Commission Implementing Regulation (EU) 2024/2690 enters into force — binding technical rules for digital-infrastructure and digital-provider entities |
| October 17, 2024 | Deadline for EU member states to transpose NIS2 into national law (most missed it) |
| November 28, 2024 | Commission sends letters of formal notice to 23 member states for failure to fully transpose |
| April 17, 2025 | Deadline for member states to establish a list of essential and important entities |
| May 7, 2025 | Commission escalates to reasoned opinions against 19 member states |
| January 20, 2026 | Commission proposes targeted NIS2 amendments + a new Cybersecurity Act 2 (CSA2) |
| Mid-2026 | ~22 of 27 member states have transposed; 5 still in their national legislative process |
Important: the October 17, 2024 transposition deadline is not a uniform EU-wide go-live for compliance obligations. NIS2 is a directive, so an organization's concrete legal duties depend on the national implementing law in each member state where it operates — and several of those laws were still being adopted in mid-2026. Verify which national law applies to you and monitor for jurisdiction-specific requirements that may exceed NIS2's baseline. See Transposition Status below.
Transposition Status
Because NIS2 binds organizations only once a member state has transposed it, the real-world picture in mid-2026 is patchy rather than uniform:
- Met the original October 17, 2024 deadline: only a handful of states — Belgium, Croatia, Italy, and Lithuania — transposed on time.
- Transposed since: by mid-2026 roughly 22 of 27 member states have adopted transposing legislation.
- Still in progress: five member states — France, Ireland, Luxembourg, the Netherlands, and Spain — remained in their national legislative procedures as of mid-2026.
The Commission has used infringement proceedings to press the laggards:
| Date | Action |
|---|---|
| November 28, 2024 | Letters of formal notice to 23 member states for failing to fully notify transposition |
| May 7, 2025 | Reasoned opinions to 19 member states (the next escalation step before referral to the Court of Justice) |
Practical takeaway: if you operate across multiple member states, your effective obligations and go-live dates differ by country. In jurisdictions where the national law is still pending, the directive is not yet directly enforceable against most private entities — but you should still prepare, because adoption is imminent and many national laws apply retroactively from a fixed date.
2026 Proposed Amendments
On January 20, 2026 the European Commission published a cybersecurity package containing two proposals: a new Cybersecurity Act 2 (CSA2) — which would replace the 2019 Cybersecurity Act (Regulation (EU) 2019/881) — and a set of targeted amendments to NIS2. These are proposals, not yet binding law; adoption is expected in late 2026 or 2027, followed by an implementation period (the NIS2 amendments contemplate roughly a 12-month transposition window).
Key proposed NIS2 changes include:
- Simpler jurisdictional rules to reduce ambiguity about which member state supervises an entity.
- Harmonized technical measures. Where the Commission adopts implementing acts specifying technical or methodological risk-management requirements, member states would no longer be able to layer on additional national requirements on those points — curbing "gold-plating" and creating a more uniform EU-wide control baseline.
- Streamlined and ransomware-specific reporting. Entities reporting significant incidents linked to ransomware would, on request, have to disclose ransom-related details (whether a demand was made, whether it was paid, the amount, and the payment method).
- Expanded EU-representative obligation. The duty to designate an EU representative would extend beyond today's digital service providers to a broader set of entities offering NIS2-regulated services in the EU — for example credit institutions and certain product manufacturers.
- Scope adjustments. Adds operators of submarine data-transmission (cable) infrastructure and providers of European Digital Identity / Business Wallets to the digital-infrastructure sector; removes chemical distributors while keeping chemical manufacturers in scope.
- Size-threshold tweaks, including a new "small mid-cap" category intended to lower the supervisory and compliance burden on smaller players so the strictest requirements fall on larger, systemic entities.
- A reinforced coordinating role for ENISA, the EU cybersecurity agency.
What to do now: keep complying with the directive as transposed in your jurisdiction(s). The 2026 proposal does not change current obligations, but it signals where the regime is heading — especially the move toward harmonized, non-gold-plated technical measures and broader EU-representative duties.
Penalties & Enforcement
NIS2 sets maximum penalty levels, with member states having discretion to set higher fines in national law.
| Entity Type | Maximum Fine |
|---|---|
| Essential entities | €10 million or 2% of global annual turnover (whichever is higher) |
| Important entities | €7 million or 1.4% of global annual turnover (whichever is higher) |
Additional Enforcement Powers
National competent authorities have significant supervisory and enforcement powers:
- On-site inspections and off-site supervision for essential entities
- Security audits by independent bodies
- Targeted security scans based on risk assessments
- Requests for evidence of implementation
- Binding instructions to remediate deficiencies
- Temporary prohibition on management from exercising management functions (essential entities only)
- Public disclosure of non-compliance
Management Liability
For essential entities, national authorities can impose temporary bans on individuals in management positions from exercising managerial responsibilities if the entity fails to systematically comply with NIS2 requirements. This is a significant personal liability risk for CISOs, CIOs, and board members.
Compliance Steps
Use this roadmap to build your NIS2 compliance program:
-
Determine applicability. Identify whether your organization is an essential or important entity based on sector (Annexes I and II) and size thresholds. Check the national implementing law in each EU member state where you operate.
-
Conduct a gap analysis. Compare your current cybersecurity posture against NIS2's ten mandatory measures. Identify gaps in risk management policies, incident response, supply chain security, and access controls.
-
Build a cybersecurity risk management program. Document policies for risk analysis, information asset classification, and ongoing risk assessment. Align with recognized frameworks (ISO 27001, NIST CSF, CIS Controls) where applicable.
-
Establish incident detection and reporting procedures. Implement monitoring and detection capabilities to identify significant incidents. Build a 24-hour early warning process and a 72-hour full notification workflow. Identify your national CSIRT (Computer Security Incident Response Team) and competent authority.
-
Assess your AI and technology supply chain. Map all AI vendors, cloud providers, and ICT service providers. Conduct security assessments of critical suppliers. Update procurement contracts to include NIS2-aligned security requirements and audit rights.
-
Implement technical baseline measures. Deploy multi-factor authentication, encrypted communications, vulnerability management programs, and patch management. Conduct regular employee cybersecurity training.
-
Establish business continuity capabilities. Implement backup and disaster recovery procedures. Test recovery capabilities for your most critical systems — including AI systems used in essential services.
-
Train and engage management. Ensure the management body approves your cybersecurity risk-management measures. Provide cybersecurity training to senior leadership and establish a reporting line from the CISO to the board.
-
Register with competent authorities. In many member states, essential and important entities must register with or notify their national NIS2 competent authority. Check requirements in each jurisdiction where you operate.
-
Establish a continuous monitoring and review cycle. NIS2 requires ongoing assessment of measure effectiveness. Schedule regular reviews, penetration tests, and tabletop exercises.
Frequently Asked Questions
Does NIS2 apply to companies outside the EU? Yes. Organizations established outside the EU must comply if they provide services within the EU in covered sectors, and must designate an EU representative.
What is the difference between essential and important entities? Essential entities face proactive (ex ante) supervision — regulators can audit them at any time. Important entities face reactive (ex post) supervision — regulators act only when triggered by evidence of non-compliance or an incident. Both face the same mandatory security measures; important entities face slightly lower maximum fines.
How does NIS2 interact with GDPR? NIS2 and GDPR overlap on incident reporting. A cybersecurity incident affecting personal data may trigger both NIS2's 24-hour early warning and GDPR's 72-hour personal data breach notification. Organizations should coordinate their response procedures to meet both simultaneously.
Do managed service providers have specific NIS2 obligations? Yes. MSPs and MSSPs are explicitly classified as essential entities under Annex I of NIS2, regardless of their size, given the critical role they play in the cybersecurity of their clients. They face the full set of NIS2 obligations including mandatory incident reporting.
What counts as a "significant incident" requiring reporting? An incident is significant if it causes or can cause severe operational disruption, financial loss, or affect other natural or legal persons by causing considerable material or non-material damage. Indicators include the number of affected users, duration of disruption, geographic spread, and the extent of disruption to essential services.
Is NIS2 compliance the same across all EU member states? No. NIS2 is a directive, meaning member states must transpose it into national law — and they have some discretion in how they do so. National laws may set higher fines, extend the scope to smaller organizations, or add sector-specific requirements. The picture is also uneven in time: as of mid-2026 about 22 of 27 member states had transposed NIS2, while France, Ireland, Luxembourg, the Netherlands, and Spain were still legislating (the Commission has reasoned-opinion infringement proceedings open against the laggards). Always review the national implementing legislation in each member state where you operate.
Is NIS2 being amended? Yes — a proposal is pending. On January 20, 2026 the Commission proposed targeted NIS2 amendments alongside a new Cybersecurity Act 2. The amendments would harmonize technical measures (limiting national add-ons), add ransomware-specific reporting, broaden the EU-representative duty, and adjust scope (adding submarine cable operators and digital identity wallet providers, removing chemical distributors). It is not yet law; adoption is expected in late 2026 or 2027.
Official Sources
- NIS2 Directive full text (EUR-Lex)
- Commission Implementing Regulation (EU) 2024/2690 (EUR-Lex)
- Commission: NIS2 implementing regulation for critical entities and networks
- Commission: NIS2 transposition status by member state
- Commission: proposal to amend NIS2 (simplification + Cybersecurity Act alignment, Jan 20, 2026)
- Council: agreement to simplify and streamline AI Act rules (Digital Omnibus, May 7, 2026)
- ENISA NIS2 resources
Get weekly regulation updates, enforcement news, and compliance deadlines — free.