
The Most Dangerous NIS2 Misconceptions (And What the Directive Actually Requires)

Seven beliefs that are leaving European organizations exposed, corrected with the facts.

Author: Andy Mura
Date: 8.5.2026
Updated on: 8.5.2026

NIS2 misconceptions are not just a knowledge problem. They are a risk problem. When a company operates on a false assumption about what NIS2 requires, who it applies to, or when enforcement begins, the consequences are specific: significant fines, personal liability for directors, and a security posture that is weaker than leadership realizes.

NIS2, the EU's updated Network and Information Security Directive, set a transposition deadline of October 2024. Yet a large number of European organizations, particularly SMBs and mid-market companies, are still operating on assumptions about the directive that range from outdated to simply wrong. This article corrects the seven most common, with the facts and context needed to understand what compliance actually involves.

NIS2 Only Applies to Large Enterprises and Critical Infrastructure

This is the most widespread NIS2 myth, and it has left thousands of organizations unprepared.

The original NIS Directive focused primarily on operators of essential services in traditional critical sectors: energy, water, transport, banking, and healthcare. It was, in practice, a regulation for large, strategically important entities. NIS2 is a fundamental expansion of that scope.

According to the European Commission, more than 160,000 entities across the EU now fall within NIS2's scope. The directive covers 18 sectors, split into Annex I (essential entities) and Annex II (important entities). Essential sectors include energy, transport, banking, health, water, digital infrastructure, public administration, and space. Important sectors extend into postal and courier services, waste management, chemicals, food production, manufacturing of critical products including medical devices and electronics, digital providers, and research organizations. That list describes a very large share of the European business landscape.

The size threshold is also clearly defined, and smaller than many assume. As set out in the official directive text, NIS2 applies to entities with at least 50 employees or an annual turnover exceeding €10 million, operating in one of the covered sectors. That description matches a significant portion of European SMBs that have not yet started their compliance journey. If you are unsure whether your organization falls in scope, the Kertos NIS2 Checker walks you through the assessment in a few minutes.

Being ISO 27001 Certified Means Being NIS2 Compliant

ISO 27001 certification is genuinely valuable. It shows that an organization has built a structured information security management system and subjected it to independent audit. If your organization has achieved it, you already have a strong foundation for NIS2. But calling yourself NIS2 compliant on the basis of ISO 27001 alone is one of the most consequential NIS2 compliance mistakes a company can make.

The two frameworks overlap meaningfully, but they address distinct obligations. Reading NIS2 through the lens of ISO 27001 reveals three critical gaps in particular.

First, incident reporting timelines. NIS2 requires essential entities to submit an early warning to the competent national authority within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours, and a final report within one month. ISO 27001 has no equivalent mandatory regulatory timeline. It asks organizations to manage incidents well; it does not impose a legal clock with enforcement consequences attached to missing it.

Second, supply chain security. NIS2 requires organizations to assess and actively manage the security vulnerabilities of their direct suppliers and, where relevant, sub-contractors. This extends due diligence well beyond a standard vendor risk questionnaire into a formal, documented supply chain security program. ISO 27001 addresses third-party risk, but NIS2 applies a different level of stringency and multi-tier breadth.

Third, and perhaps most practically significant, management liability. NIS2 places explicit personal responsibility on senior management and governing bodies for overseeing cybersecurity. ISO 27001 requires management commitment, but it does not expose individual executives to personal fines or temporary disqualification from leadership positions. That is a NIS2-specific obligation that no certification satisfies on its own.

| Requirement | ISO 27001 | NIS2 |
|---|---|---|
| Information security management system | Yes (core requirement) | Yes (implied) |
| Risk assessment and treatment | Yes | Yes |
| Incident management process | Yes (internal) | Yes, plus mandatory regulatory reporting |
| Incident reporting timeline | Not specified | 24h early warning / 72h notification / 1-month final report |
| Supply chain security | Addressed (Annex A) | Mandatory, multi-tier due diligence |
| Management personal liability | No | Yes, including potential temporary disqualification |
| Regulatory fines for non-compliance | No | Up to €10M or 2% of global annual turnover |
| Registration with national authority | No | Yes (required in most member states) |

NIS2 Is an IT Department Problem

This assumption is understandable. Cybersecurity has historically lived in the technical domain, managed by IT teams and, in more mature organizations, by a dedicated security function. NIS2 changes that model explicitly and with legal weight.

Article 20 of the NIS2 Directive requires management bodies of essential and important entities to approve cybersecurity risk management measures, oversee their implementation, and complete cybersecurity training. If a significant incident occurs and gross negligence by management can be demonstrated, individual members of the governing body can be held personally liable. For essential entities with repeated violations, temporary bans from holding management positions are among the sanctions available to national authorities.

This is not a theoretical exposure. The NIS2 obligations that fall directly on managing directors are explicit and increasingly the focus of early enforcement conversations. In Germany, individual managers face personal fines of up to €500,000 for governance failures under the national NIS2 implementation act. That figure does not appear in any IT budget. It belongs on the agenda of every board and executive team in scope.

The practical implication is that NIS2 compliance requires cross-functional ownership. Security teams handle technical implementation. Legal and compliance teams interpret the obligations. Management approves the program, oversees its execution, and accepts accountability for the outcome. Organizations that treat NIS2 as a ticket in the IT team's backlog are misallocating both responsibility and risk.

The Deadline Has Passed, So There's No Urgency Anymore

The October 2024 transposition deadline came and went, and for many organizations, nothing dramatic happened immediately. No fines arrived. No auditors appeared. It is tempting to conclude that the urgency was overstated, or that the window to act has already closed.

Both conclusions are wrong, and the second is the more dangerous of the two.

On the transposition timeline: only four EU member states met the October 2024 deadline. The European Commission subsequently opened infringement procedures against 23 member states. Germany, home to a vast number of NIS2-affected companies, passed its national implementation act in November 2025, with essential and important entities required to register with the BSI by April 2026. The enforcement infrastructure is now operational and the countdown is running.

The BSI has already issued dozens of formal notices to organizations that failed to register or designate a point of contact, with the energy sector and digital infrastructure providers receiving early attention. No major fines have been issued yet, but the escalation path is clearly defined and regulators have shown they intend to follow it.

The window to act has not closed. But organizations that have been waiting for a compelling reason to start now have one: a firm registration deadline, an active national enforcement body, and personal liability for the executives responsible for governance. Waiting further does not reduce the compliance gap. It increases the personal exposure of everyone accountable for it.

NIS2 Compliance Is a One-Time Project, and Supply Chain Is Someone Else's Responsibility

These two beliefs often appear together, and together they represent a fundamental misreading of what NIS2 actually demands.

NIS2 is not a certification you achieve and file away. It is a continuous obligation. The directive requires that risk management measures be maintained, reviewed, and updated on an ongoing basis. Incident reporting obligations are always active. Supply chain security assessments must reflect the current state of your supplier relationships, not a point-in-time snapshot from a project completed two years ago. Registrations with national authorities must be kept accurate and current as organizational details change.

The continuous nature of NIS2 compliance is one reason compliance automation has become central to how forward-looking security teams approach the directive. Manually maintaining evidence, tracking control status, and managing supplier assessments across a live, changing business is an enormous operational burden, particularly for teams that are already stretched. Platforms like Kertos automate evidence collection, continuously monitor control status across integrated systems, and surface gaps in real time, turning compliance from a periodic sprint into a steady-state function that does not consume disproportionate team capacity.

On supply chain: Article 21 of NIS2 explicitly requires organizations to address "the security of the supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." ENISA's guidance on supply chain security reinforces that this obligation is active and substantive, not a box to check with a standard vendor questionnaire. You cannot contract away this responsibility. If a supplier's security failure propagates into your environment and appropriate due diligence was not conducted, pointing to a contract clause does not reduce your regulatory exposure. NIS2 places this accountability firmly with your organization, and your leadership team owns it.

Frequently Asked Questions About NIS2 Misconceptions

Does NIS2 apply to our company if we have fewer than 50 employees?
Generally, no. NIS2 applies to entities that qualify as medium-sized or large enterprises under EU Recommendation 2003/361/EC, meaning at least 50 employees or an annual turnover and balance sheet exceeding €10 million, operating in one of the 18 covered sectors. However, smaller organizations may still be affected indirectly: NIS2-covered entities are required to assess the security of their supply chain, which may create downstream compliance expectations for smaller suppliers. Use the Kertos NIS2 Checker to confirm your status.

Does ISO 27001 certification satisfy NIS2 requirements?
Partially. ISO 27001 provides a strong foundation for NIS2, particularly in risk management and security controls. However, NIS2 adds mandatory incident reporting timelines (24h early warning, 72h notification, 1-month final report), multi-tier supply chain security obligations, and personal management liability that ISO 27001 does not address. Organizations with ISO 27001 certification should conduct a gap assessment to identify what additional measures NIS2 requires.

What are the fines for NIS2 non-compliance?
Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face up to €7 million or 1.4% of global annual turnover. Member states may set higher national thresholds: Germany, for instance, has set a maximum of €20 million for essential entities, with personal fines of up to €500,000 for individual managers found guilty of governance failures.

What does NIS2 require for incident reporting?
Essential entities must issue an early warning to the competent national authority within 24 hours of becoming aware of a significant incident. A fuller incident notification follows within 72 hours, and a final report is due within one month. Important entities follow the 72-hour timeline for the initial notification. These are mandatory regulatory obligations with enforcement consequences, not internal targets.

How does Kertos support NIS2 compliance?
Kertos is a European compliance automation platform that helps organizations achieve and maintain continuous NIS2 compliance. The platform automates evidence collection, maps your security controls to NIS2 requirements, tracks your compliance program status in real time, and supports supply chain security management. For organizations pursuing ISO 27001 or other frameworks in parallel, Kertos handles multiple frameworks simultaneously, reducing duplication and overhead. Book a demo to see how it works.

NIS2 misconceptions are not a minor inconvenience. They are the reason organizations arrive at enforcement conversations unprepared, with gaps that could have been closed months earlier. The directive is broad, the obligations are legally binding, and the personal consequences for management are specific enough that they cannot be quietly delegated away. But NIS2 is also achievable. The organizations that approach it clearly, without the filter of wishful assumptions, consistently find that the path to compliance is far more manageable than the myths suggested. Getting the facts right is the only place to start.


Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
