NIS2 Explained: Cybersecurity Compliance for European Organizations

When I guided the cybersecurity adequacy project for an operator in a critical digital-infrastructure sector, the hardest part was not the technical work. It was the first conversation, the one where the management team understood that NIS2 was not a document their lawyers would handle in the background, but a set of obligations with their own names attached to it, personally. That shift, from "a compliance matter" to "a board responsibility with deadlines and fines", is the real subject of NIS2, and it is the reason this guide is written from the point of view of someone who has done the work, not summarized the law.

The framing also has to change with the calendar. For a long time NIS2 was discussed as something on the horizon. It no longer is. The directive's transposition deadline was 17 October 2024, and by 2026 most of the European Union has written it into national law, national authorities are running their registration cycles, and inspection and sanctioning powers are active. If your organization is in scope and is still treating NIS2 as a future problem, it is already behind. Let me explain what it is, who it touches, and what compliance genuinely involves once the slides are over and the work begins.

What NIS2 actually is, in practical terms

NIS2 is the second iteration of the European Union's cybersecurity directive. "NIS" stands for Network and Information Security, and Directive (EU) 2022/2555 replaced the original Directive (EU) 2016/1148, broadening its scope and sharpening its teeth. You can read the full text on EUR-Lex, but the practical meaning is simpler than the legal language: the EU decided that voluntary best practice was not protecting critical services well enough, so it made a baseline of cybersecurity measures mandatory, with deadlines, registration, incident reporting, and personal accountability for management.

A crucial point that trips up many organizations: a directive is not directly enforceable on its own. It instructs each Member State to write it into national law, and it is that national law you actually have to comply with. In Italy, for example, NIS2 was transposed by Legislative Decree 138/2024, in force since 16 October 2024, with the National Cybersecurity Agency (ACN) acting as the competent authority and single point of contact. The obligations you face, the registration platform you use, the authority you report incidents to, and the exact penalties all come from your country's transposition, not from the directive in the abstract. So the first practical question is never "what does NIS2 say" but "what does my Member State's NIS2 law require of me".

Who does NIS2 apply to, and how do you know if it is you?

NIS2 applies to public and private organizations operating in sectors the EU considers critical to society and the economy, and it covers far more organizations than the 2016 directive did. The directive sorts in-scope organizations into two tiers, and the tier determines how heavy the obligations and how intense the supervision are.

Essential entities are organizations of primary importance to a country's infrastructure and economy: energy (power grids, gas, generation), transport (airports, ports, railways), healthcare (hospitals, labs), banking and financial market infrastructure, drinking water and wastewater, digital infrastructure (cloud providers, data centers, DNS and top-level-domain operators), public administration, and the space sector. Important entities sit one step down in criticality but are still in scope: postal and courier services, waste management, manufacturing of chemicals, food, medical devices and other key goods, digital service providers such as online marketplaces, search engines and social platforms, and managed service and managed security providers.

The size threshold matters and is a common source of error. As a rule of thumb, organizations above the medium-enterprise ceiling, broadly more than 250 employees or over €50 million in annual turnover, in an Annex I (highly critical) sector are treated as essential; organizations above roughly 50 employees or €10 million in turnover are typically important. But the thresholds are not the whole story: regardless of size, an organization can be pulled into scope if a national authority designates it as critical, and many small but strategically important operators are. There is also a supply-chain dimension that catches organizations by surprise: even if you are technically out of scope, if you provide services to an essential or important entity, that customer's own supply-chain security obligations will flow down to you contractually. In practice, "we are too small for NIS2" is a conclusion to verify carefully against the national law, not to assume.

This is exactly where I see the most expensive mistakes, and where having someone read the scoping against your real situation pays for itself. If you are unsure whether your organization is in scope, or you have just discovered that it is, in my professional profile you will find the concrete experience of guiding NIS2 adequacy on the technical side, from the initial scoping all the way to the security architecture. The cost of getting the classification wrong, in either direction, is far higher than the cost of getting it checked.

The obligations: what compliance actually requires

Beneath the legal structure, NIS2 asks organizations to do four broad things, and each one is more work than it sounds on a slide.

The first is risk management. You have to identify your cyber risks and implement measures proportionate to them: continuous risk assessment, business continuity and backup, supply-chain security (auditing your vendors, not just yourself), and systematic vulnerability management. The national transpositions spell this out in detail; the Italian decree, for instance, articulates ten areas of mandatory security measures. This is not a one-off audit but an ongoing process, and the word "proportionate" is doing a lot of work: the depth expected of a large bank is not the depth expected of a mid-sized logistics firm.

The second is technical and organizational security measures: written and enforced security policies, access control and identity management, encryption of data in transit and at rest, multi-factor authentication, secure-by-design development, logging and monitoring, physical security, and staff training. None of these is new to anyone who takes security seriously; what NIS2 changes is that they are now legally expected and inspectable, with documentation to prove them.

The third is incident reporting, and the timelines are strict. For a significant incident, NIS2 requires an early warning to the national authority within 24 hours, a more complete notification within 72 hours, and a final report within one month. Meeting a 24-hour clock is not a documentation exercise you can improvise under attack: it requires detection capability and a rehearsed runbook in place before the incident, which is why incident-response readiness is one of the first things I build with a client rather than one of the last.

The fourth, and the one that genuinely changed the conversation in that boardroom I mentioned, is management accountability. NIS2 places direct, personal responsibility on senior leadership for ensuring the organization implements and oversees its security measures. Executives can be held personally liable for negligence, and authorities can, in serious cases, temporarily bar individuals from management functions. Cybersecurity is no longer something the board can delegate downward and forget; it is a governance obligation with their names on it.

Deadlines, registration, and penalties in 2026

The "deadlines are distant" framing that older guides use is no longer accurate, and acting on it is a real risk. The directive's transposition deadline was 17 October 2024. Member States that missed it have faced infringement procedures: in May 2025 the European Commission sent reasoned opinions to nineteen Member States that had not notified full transposition. Where your country has transposed, the clock is already running on you, not just on the legislator.

Transposition typically brings a registration obligation: in-scope entities must register themselves with the national authority, often on an annual cycle. Italy runs its registration window from 1 December to 28 February each year through ACN's platform, and the first cycle used staggered deadlines, with cloud, data center and managed-service providers required to register by 17 January 2025 and other entities by 28 February 2025. The details vary by country, but the pattern is the same everywhere: you have to identify yourself to the authority, and missing the registration window is itself a violation, separate from any security failing. The authoritative source for your country's specifics is your national cybersecurity agency, and the European Commission maintains an overview of NIS2 transposition across Member States worth checking for your jurisdiction.

On penalties, NIS2 deliberately borrows the GDPR's logic of fines large enough to be dissuasive. For essential entities, administrative fines can reach up to €10 million or 2% of total worldwide annual turnover, whichever is higher; for important entities, up to €7 million or 1.4% of worldwide turnover. Beyond the figures, authorities can impose binding corrective orders, suspend operations, and, as noted, hold management personally responsible. The point of the numbers is not to frighten but to recalibrate the cost-benefit: for most organizations, the cost of a serious adequacy program is now clearly smaller than the exposure of ignoring it. This reframing, from cost to risk-managed investment, is the angle I develop in the article on compliance as a competitive advantage with enterprise clients, because the organizations that treat NIS2 well turn it into a sales argument, not just a cost.

Where the work really is: the technical adequacy

This is the part that explainer articles tend to skip, and it is the part I actually spend my time on. Translating NIS2's obligations into a real, defensible security posture is an engineering project, not a paperwork exercise, and it touches the whole stack.

It starts with architecture: network segmentation so that a breach in one area does not become a breach everywhere, hardened and redundant DNS, properly configured firewalls, and resilient designs (load balancing, multi-region where the continuity requirements justify it) that can actually meet the "business continuity" obligation rather than just claim it. It continues into the application layer, where secure coding against the common vulnerability classes, granular identity and access management, the elimination of hard-coded credentials, and comprehensive logging are what an inspection will actually look for. It requires monitoring that can detect an incident in time to report it within 24 hours, which in practice means centralized log management or a SIEM and, above all, a response runbook that has been rehearsed. And it requires choosing infrastructure and providers that make compliance easier rather than harder: certified providers, encryption with proper key management, and data residency that fits both NIS2 and the GDPR, which NIS2 explicitly coordinates with alongside the Cybersecurity Act and sector rules like DORA.

The thread running through all of this is that NIS2 compliance is built, not bought. There is no product you can purchase that makes you compliant; there is a posture you have to design, implement, document and maintain, with the technical evidence to show an inspector. For an organization without a dedicated security function, this is where an experienced technical partner matters most, because the gap between "we have antivirus and backups" and "we can demonstrate proportionate measures across ten areas and respond within 24 hours" is wide, and it is full of decisions that are easy to get wrong. I have written about the specific technical competencies this demands in the dedicated piece on the IT security skills NIS2 actually requires, and about doing it on a realistic timeline in the article on aligning a software house with NIS2 in six months.

NIS2 as an investment, not a burden

It would be easy to read all of this as a long list of costs imposed from Brussels, and to approach it defensively, doing the minimum to avoid fines. In my experience that is the most expensive way to handle it, because it produces compliance theater that satisfies neither an inspector nor an actual attacker. The organizations that get value from NIS2 are the ones that treat the deadline as the occasion to finally fix what they had been postponing: the unpatched systems, the absent backups, the access controls nobody had reviewed in years, the incident plan that existed only as an idea. Those things needed doing regardless of any directive; NIS2 simply removed the option of continuing to postpone them.

That operator I worked with did not come out of the project with a certificate and a box ticked. They came out with network segmentation that actually contained the one incident they had during the year, with backups that had been tested by restoring them rather than by assuming they worked, and with a management team that understood its own exposure well enough to fund security as a standing line item rather than an emergency. That is what good NIS2 compliance looks like: not a defense against fines, but a genuine increase in resilience that happens to also satisfy the law.

If your organization has just realized it falls within NIS2's scope, or you suspect it does and want certainty before the next registration window or an inspection, the worst thing you can do is wait, because the substantive work, the architecture, the monitoring, the trained staff, the rehearsed response, takes months to do properly and cannot be improvised. If you want a clear, technical reading of where you stand and what closing the gap actually involves, get in touch: the directive is not going away, the deadlines have already started, and the distance between a checklist and a defensible posture is exactly the distance that an experienced hand is there to close.