InfoSec

The NIS2 Directive: A Complete Guide for 2026

What NIS2 is, who it covers, what it requires, and where transposition stands now.

Author
Catherine Higginson
Date
13.7.2026
Updated on
13.7.2026
The NIS2 Directive: A Complete Guide for 2026

Key takeaways

  • NIS2 is the EU's expanded cybersecurity directive, replacing the original NIS directive and bringing an estimated 160,000 organisations into scope.
  • It splits organisations into "essential" and "important" entities across 18 sectors, mostly medium-sized and larger companies.
  • The core duties are ten baseline risk-management measures and strict incident reporting: a 24-hour early warning, a 72-hour notification, and a final report within one month.
  • Management is personally accountable for compliance, and fines reach 10 million euros or 2 percent of global turnover for essential entities.
  • The transposition deadline was 17 October 2024; by mid-2026 most member states, including Germany, have transposed NIS2 into national law, with a few still finalising.

The NIS2 directive is the biggest expansion of EU cybersecurity law to date, and if your company operates in or sells into Europe, there is a real chance it now applies to you. It replaces the 2016 NIS directive with tougher requirements, far wider scope, and penalties large enough to reach the boardroom. This guide explains what the NIS2 directive is, which organisations it covers, the obligations it imposes, and what the current transposition picture means for your deadlines.

It is the central reference for our NIS2 coverage. Once you understand the shape of the directive here, the linked articles go deeper on the parts that matter most to you, from sector-specific duties to incident planning.

What is the NIS2 directive?

NIS2 is EU Directive 2022/2555, a law that sets a common, raised baseline for cybersecurity risk management and incident reporting across essential and important sectors. It entered into force in January 2023 and replaced the original 2016 NIS directive, which member states and regulators judged too narrow and too unevenly applied.

The change that matters most is scale. Where the first directive covered a few thousand operators, NIS2 pulls in far more organisations, by some estimates around 160,000 across the EU, and standardises the obligations so a company faces broadly the same expectations wherever it operates. You can read the full text through the official EU law database, and the EU cybersecurity agency publishes ongoing implementation guidance.

Who does NIS2 apply to?

NIS2 applies to medium-sized and larger organisations operating in one of its covered sectors, split into two tiers: essential entities and important entities. As a general rule, that means organisations with at least 50 staff or more than 10 million euros in turnover in a listed sector, though some organisations are in scope regardless of size because of their criticality. If you are unsure which duties attach to your tier, our breakdown of NIS2 requirements goes through them in detail. Scope is also where most myths take hold, from "we are too small" to "it is only IT's problem", which we clear up in the most dangerous NIS2 misconceptions.

The two tiers face the same core obligations but different supervision and penalty ceilings. The table summarises the split.

Essential entities Important entities
Example sectorsEnergy, transport, banking, financial market infrastructure, health, drinking and waste water, digital infrastructure, public administration, spacePostal and courier, waste management, chemicals, food, manufacturing, digital providers, research
SupervisionProactive (regulators can audit before any incident)Reactive (scrutiny mainly after an incident or evidence of non-compliance)
Maximum fine€10 million or 2% of global annual turnover, whichever is higher€7 million or 1.4% of global annual turnover, whichever is higher

Critical-infrastructure operators (often the same organisations covered by national KRITIS rules) face the most intensive obligations. If that is you, the NIS2 implementation guide for KRITIS covers the specifics.

What NIS2 requires: risk management and incident reporting

Two duties sit at the centre of NIS2: a set of baseline risk-management measures, and fast incident reporting. Article 21 lists ten minimum measures every in-scope entity must implement:

  • Risk analysis and information security policies
  • Incident handling
  • Business continuity, backup management and crisis management
  • Supply chain security
  • Security in acquisition, development and maintenance of systems
  • Policies to assess whether the measures actually work
  • Basic cyber hygiene and security training
  • Cryptography and encryption
  • Access control, asset management and personnel security
  • Multi-factor authentication and secured communications

The second duty is speed of reporting. When a significant incident hits, NIS2 sets a strict clock, and missing it is itself a breach. Business continuity is a recurring theme across these measures, which our guide to NIS2 emergency planning addresses in depth.

Deadline What you submit
Within 24 hoursEarly warning that flags the incident to your national authority
Within 72 hoursIncident notification with an initial assessment, severity and indicators of compromise
Within 1 monthFinal report covering root cause, mitigation and impact

Management responsibility and penalties

NIS2 puts accountability on the management body, not just the security team. Company leadership must approve the risk-management measures, oversee their implementation, and take cybersecurity training, and they can be held personally liable for failures. This is a deliberate shift designed to move security up the boardroom agenda, and it is why our NIS2 checklist for managing directors exists.

The penalties reinforce the point. Essential entities face fines up to 10 million euros or 2 percent of total worldwide annual turnover, whichever is higher; important entities up to 7 million euros or 1.4 percent. Regulators can also suspend certifications and, for essential entities, temporarily bar individuals from management roles.

NIS2 deadlines and where transposition stands in 2026

NIS2 is a directive, so it takes effect through each member state's national law rather than directly. The transposition deadline was 17 October 2024. In practice, most member states missed it, and the picture is still uneven.

By mid-2026, the large majority of the 27 member states have transposed NIS2 into national law, including Germany. A handful, among them France, Ireland, Luxembourg, the Netherlands and Spain, were still completing their legislation, and the European Commission has referred several of them to the Court of Justice for the delay. The practical takeaway: the obligations are live in most of the EU now, and the direction is one way, so waiting for your national deadline is not a strategy. The official European Commission NIS2 pages track the status country by country.

How to prepare for NIS2

The fastest route to NIS2 readiness is to build on an information security management system you may already have or be planning. NIS2's ten measures map closely onto ISO 27001, so if you are certified or working towards it, you are most of the way there; our guide to NIS2 and ISO 27001 overlaps shows exactly how the two line up.

From there, the work is to confirm scope and tier, close the gaps against the ten measures, stand up the 24/72-hour reporting process, and get management trained and signed off. Kertos automates the evidence and control work behind all of this and maps one control set across NIS2, ISO 27001 and your other frameworks, so NIS2 becomes an extension of your programme rather than a separate project. You can see the specifics on the NIS2 solution page or across the wider compliance platform.

Frequently asked questions

Who has to comply with NIS2?

Medium-sized and larger organisations (generally 50+ staff or over 10 million euros turnover) operating in one of NIS2's covered sectors, classified as essential or important entities. Some organisations are in scope regardless of size because of their criticality.

What is the difference between essential and important entities?

Both face the same core obligations, but essential entities get proactive supervision and higher fines (up to 10 million euros or 2 percent of turnover), while important entities are supervised reactively with lower ceilings (up to 7 million euros or 1.4 percent).

What are the NIS2 reporting deadlines?

A 24-hour early warning, a 72-hour incident notification, and a final report within one month of the significant incident.

Is NIS2 in force yet?

The transposition deadline was 17 October 2024. By mid-2026 most member states, including Germany, have transposed it into national law, so the obligations are live across most of the EU, with a few countries still finalising.

How does NIS2 relate to ISO 27001?

NIS2's risk-management measures overlap heavily with ISO 27001, so an ISO 27001 ISMS covers much of what NIS2 requires. See our guide on NIS2 and ISO 27001 overlaps for the mapping.

See how Kertos gets you NIS2-ready by building on the frameworks you already run: book a demo.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!

The NIS2 Directive: A Complete Guide for 2026
Ready, your compliance to put on autopilot?
Dr. Kilian Schmidt

Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.

Ready to simplify GDPR compliance?

CTA Image

📅 Schedule Your 5min Compliance Check

Please enter your business email to continue. We require a company email address to ensure we can best serve your organization.

📞 5min Compliance Check