Compliance

NIS2 requirements

The complete guide to scope, security measures, reporting and compliance

Author
Andy Mura
Date
20.3.2026
Updated on
20.3.2026
NIS2 requirements

The NIS2 Directive sets out the core cybersecurity requirements that medium-sized and large organizations in critical and important sectors must meet across the European Union. It replaced the original NIS framework with a broader scope, stronger supervision, stricter governance obligations, and more explicit cybersecurity risk-management and incident reporting duties. For organizations trying to understand what compliance actually requires in practice, the most important parts of the law are the rules on governance in Article 20, cybersecurity risk-management measures in Article 21, and reporting obligations in Article 23.  

If you want a practical answer to what NIS2 requires, the simplest way to think about it is this. NIS2 requires in-scope entities to determine whether they fall under the directive, assign executive accountability, implement proportionate technical, operational and organizational security measures, document those measures, train management, prepare for business disruption, secure key suppliers, and report significant incidents to the relevant authority within strict timelines. Those requirements are broad by design, because the directive expects organizations to adapt controls to their own risk profile, sector, and operational reality.  

What are the NIS2 requirements?

At a high level, the NIS2 requirements fall into four connected areas. The first is scope, meaning whether your organization is an essential entity or an important entity under the directive. The second is governance, meaning the responsibility of management bodies to approve and oversee cybersecurity measures. The third is risk management, meaning the minimum set of security measures that must be implemented under Article 21. The fourth is incident reporting, meaning the duty to notify significant incidents quickly and in a structured way.  

That structure matters because many articles only explain one layer of the subject. In reality, a company can only meet the NIS2 requirements when those four layers are linked together. Scope determines whether you are covered. Governance determines who is accountable. Risk management determines what you must implement. Reporting determines what you must do when something goes wrong. The law is written to make cybersecurity an executive responsibility, rather than a narrow IT issue. The European Commission’s own overview highlights that NIS2 brings cybersecurity into the boardroom by making top management accountable for non-compliance with risk-management measures.  

Who must comply with NIS2?

NIS2 applies to a much wider range of sectors than the original NIS regime. The Commission explains that, in addition to the sectors already covered by NIS1, the new rules also apply to providers of public electronic communications, more digital services such as social platforms, waste and wastewater management, critical product manufacturing, postal and courier services, public administration, and the space sector.

As a general rule, medium-sized and large entities in covered sectors are in scope, although the directive also captures certain entities regardless of size, including some DNS providers, top-level domain registries, trust service providers, and certain public administration entities.  

The directive divides covered entities into two regulatory categories: essential entities and important entities. That distinction matters for supervision, but both categories are subject to the same core cybersecurity risk-management and reporting obligations. Essential entities generally face more proactive oversight, while important entities are often supervised in a more reactive way, especially after incidents or signs of non-compliance.

The critical point is that being classified as “important” does not mean the requirements are light. The obligations are still substantial, and regulators still have enforcement powers.  

When did NIS2 take effect?

NIS2 entered into force in January 2023, and Member States had until 17 October 2024 to transpose it into national law. The Commission also states that NIS2 repealed NIS1 as of 18 October 2024.  

There is another important development that is often overlooked. On 17 October 2024, the Commission adopted Implementing Regulation (EU) 2024/2690, which lays down technical and methodological requirements for certain digital and ICT-related entities, including cloud providers, data center service providers, managed service providers, managed security service providers, online marketplaces, online search engines, social networking services platforms, and trust service providers. ENISA’s 2025 technical implementation guidance was published specifically to help those entities operationalize that regulation.  

Article 20, management accountability is a core NIS2 requirement

One of the most consequential NIS2 requirements is executive accountability. Article 20 requires management bodies of essential and important entities to approve the cybersecurity risk-management measures adopted to comply with Article 21, oversee their implementation, and be capable of being held liable for infringements. Article 20 also requires Member States to ensure that management bodies follow training and that employees receive training on a regular basis so they can gain sufficient knowledge and skills to identify risks and assess cybersecurity risk-management practices.  

This is where many companies underestimate the directive. NIS2 does not treat cybersecurity as a technical silo that can be delegated without oversight. The directive expects boards and senior management to be involved in approval, oversight, and competency. In practical terms, that means your organization should be able to show where management formally approved the cybersecurity program, how it receives reporting on implementation and incidents, what escalation thresholds exist, and how board-level training is recorded. Without those governance records, many organizations will struggle to prove compliance even if they have decent technical controls.  

Article 21, the 10 minimum cybersecurity risk-management measures

Article 21 is the heart of the NIS2 requirements. It obliges essential and important entities to take appropriate and proportionate technical, operational and organizational measures to manage risks to the security of the network and information systems they use for operations or service delivery, and to prevent or minimize the impact of incidents on recipients of their services and on other services. The directive then sets out a minimum list of measures that must be addressed.  

List of NIS2 requirements

The first requirement is a policy on risk analysis and information system security. This means the organization must understand which systems, assets, business processes, dependencies, and threat scenarios matter most, then translate that understanding into a documented control approach. A mature program normally includes asset inventories, data flow visibility, risk criteria, treatment decisions, and review cycles tied to changes in the environment.  

The second requirement is incident handling. NIS2 expects entities to detect, respond to, manage, document, and learn from incidents. This typically requires defined severity levels, escalation paths, technical playbooks, internal communications procedures, and post-incident review processes that produce corrective actions and evidence of closure.  

The third requirement is business continuity, including backup management, disaster recovery, and crisis management. This means compliance goes beyond security prevention. Regulators expect resilience, meaning your organization should be able to maintain or restore critical operations during disruption. Backup coverage, recovery objectives, restoration testing, crisis roles, and decision logs become central evidence points.  

The fourth requirement is supply chain security, including security-related aspects concerning relationships between each entity and its direct suppliers or service providers. Article 21 also states that organizations must take into account vulnerabilities specific to direct suppliers and service providers, as well as the overall quality of their products and cybersecurity practices, including secure development procedures where relevant. This is one of the most operationally demanding parts of NIS2, because it requires ongoing third-party risk management instead of one-off procurement checks.  

The fifth requirement is security in network and information systems acquisition, development and maintenance, including vulnerability handling and vulnerability disclosure. This pushes NIS2 firmly into secure lifecycle practices. Organizations should be able to demonstrate patch governance, secure configuration baselines, change control, vulnerability triage, remediation timelines, and a process for receiving and handling vulnerability reports.  

The sixth requirement is policies and procedures to assess the effectiveness of cybersecurity risk-management measures. This means the controls themselves must be evaluated, not simply documented. Internal assurance, control testing, monitoring, metrics, and management review all become relevant. A documented policy library with no testing discipline will rarely be enough.  

The seventh requirement is basic cyber hygiene practices and cybersecurity training. The implementing materials connected to Article 21 emphasize awareness of risks, the importance of cybersecurity, and the use of cyber hygiene practices by employees, management bodies, suppliers, and service providers where relevant. In practice, training under NIS2 is role-based, recurring, and expected to support measurable operational performance.  

The eighth requirement is policies and procedures regarding the use of cryptography and, where appropriate, encryption. This includes governance over where encryption is required, how keys are managed, which data states are protected, and how exceptions are approved and reviewed.  

The ninth requirement is human resources security, access control policies, and asset management. This area touches hiring, role changes, offboarding, privilege management, segregation of duties, device ownership, acceptable use, and the lifecycle management of information assets.  

The tenth requirement is the use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate. This shows clearly that NIS2 expects concrete technical controls, even though the directive remains risk-based and technology-neutral at a high level.  

Article 23, NIS2 incident reporting deadlines

Article 23 is one of the most consequential parts of the directive because the reporting deadlines are strict and highly operational. NIS2 requires entities to notify significant incidents without undue delay. The typical timeline consists of an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report no later than one month after the incident notification. The initial and follow-up reporting must include enough information for the competent authority or CSIRT to understand severity, impact, indicators of compromise where available, and any cross-border implications.  

From an implementation perspective, the reporting rule means organizations need more than an incident response plan. They need a decision model that defines what counts as a significant incident, who decides reportability, how legal and communications teams are involved, what facts must be collected in the first hours, and how internal approvals work under pressure. This is a major reason why mature organizations build NIS2 readiness around scenarios and tabletop exercises rather than policy writing alone.  

What evidence do you need to prove compliance with NIS2?

NIS2 does not create a single EU-issued certificate for general compliance, and the burden is on the entity to demonstrate that it has implemented appropriate measures. In practice, that means evidence is as important as controls. ENISA’s 2025 implementation guidance is especially useful here because it links requirements to examples of evidence and to practical implementation expectations for relevant digital sectors.  

A well-prepared organization should therefore maintain a defensible evidence base across governance, risk, operations, resilience, suppliers, and incident management. That usually includes risk assessments, security policies, board approvals, training records, supplier due diligence records, incident logs, business continuity test results, vulnerability management outputs, access reviews, and control effectiveness reviews. This matters because the very practical question most organizations face is how they will prove compliance during supervision, audit, or investigation.  

A practical roadmap for meeting the NIS2 requirements

The most effective path to compliance begins with scope and classification. Your organization should confirm whether it falls into Annex I or Annex II sectors, whether size thresholds are met, whether any sector-specific or entity-specific exception applies, and whether national law imposes additional detail. After that, governance should be formalized quickly, because board approval and oversight are not activities that can be retrofitted credibly at the last minute.  

The next phase is a gap assessment against Articles 20, 21 and 23, supported where relevant by the 2024 implementing regulation and ENISA’s 2025 guidance. This should identify control gaps, missing evidence, unclear ownership, immature supplier processes, insufficient testing, and weak reporting readiness. Once the gap assessment is complete, organizations should prioritize remediation based on service criticality, concentration risk, and regulatory exposure, then build a documented implementation plan with milestones, owners, and management reporting.  

The final phase is operationalization. This means testing the incident process, validating backups and recovery, reviewing supplier risk decisions, confirming that vulnerability handling is working in practice, and ensuring that reporting obligations can be executed within the legal deadlines. The companies that perform best under NIS2 are usually the ones that treat compliance as an operating model, supported by evidence and management oversight, rather than a paperwork project.  

Common mistakes organizations make with NIS2

A common mistake is assuming that NIS2 is mainly a documentation exercise. The directive is about demonstrable resilience and risk management, which means controls, evidence, testing, and accountability all matter together. Another common mistake is treating supplier security as a procurement questionnaire instead of a live risk-management discipline.  

A third mistake is ignoring executive training and approval records, even though Article 20 makes them central. A fourth mistake is discovering too late that incident reporting decisions cannot be made quickly because legal, security, and operations teams never defined significance thresholds or reporting workflows in advance.  

NIS2 requirements, final takeaway

The NIS2 requirements are broad, serious, and operationally demanding because the directive is intended to raise the real level of cybersecurity resilience across Europe. For most organizations, the core compliance challenge is to turn the legal text into an operating system for governance, risk management, resilience, supplier oversight, and rapid reporting. If you understand the directive through Articles 20, 21 and 23, and then implement those duties through evidence-backed processes, you are focusing on the parts of NIS2 that matter most in practice.  

FAQ section

A complete list of the top 50 FAQs regarding NIS2 can be found here: https://www.kertos.io/nis2-faq

What are the main NIS2 requirements?

The main NIS2 requirements are scope determination, management accountability, cybersecurity risk-management measures under Article 21, and incident reporting obligations under Article 23. The directive also expects organizations to maintain evidence, train management, and implement proportionate security measures across systems, suppliers, and business continuity capabilities.  

What are the 10 measures in Article 21 of NIS2?

Article 21 covers risk analysis, incident handling, business continuity, supply chain security, secure acquisition and development, effectiveness assessment, cyber hygiene and training, cryptography and encryption, human resources security and access control, and multi-factor authentication plus secure communications where appropriate.  

What are the NIS2 reporting deadlines?

NIS2 generally requires an early warning within 24 hours, an incident notification within 72 hours, and a final report within one month for significant incidents. National implementation rules may shape the exact reporting process, but the directive establishes the underlying timeline.  

Who is in scope for NIS2?

Under NIS2, the main rule is that medium-sized and large entities operating in the sectors listed in Annex I and Annex II are in scope. Those sectors include areas such as energy, transport, health, digital infrastructure, public administration, financial services, manufacturing, and certain digital and research services. Some entities are covered regardless of size, especially where they provide particularly critical services, such as trust services, DNS and TLD services, public electronic communications services, certain public administration bodies, and entities designated as critical or as the sole provider of an essential service in a Member State. Member States may also bring smaller high-risk entities into scope.

Covered sectors now extend well beyond the original NIS framework and include areas such as digital providers, public electronic communications, waste and wastewater, critical manufacturing, postal services, public administration, and space.  

Is there an official NIS2 certification?

There is no general EU-issued NIS2 certification that proves compliance in the way some management system standards do. Organizations are expected to demonstrate compliance through implemented controls, governance, documentation, and evidence.

How to start your NIS2 journey

Kertos provides compliance automation built specifically for European requirements, including NIS2 for KRITIS operators. Our platform reduces implementation effort by 80% compared to manual approaches, with prebuilt templates for German regulatory requirements and integrated evidence collection for audit readiness.

Start with your free NIS2 assessment and check if your company is impacted by the new EU directive.

The Founder's Guide about NIS2: Prepare your company Now before

Protect your startup: Discover how NIS2 can impact your business and what you need to consider now. Read the free white paper now!


Dr. Kilian Schmidt

CEO & Co-Founder, Kertos GmbH

Dr. Kilian Schmidt developed a strong interest in legal processes early on. After studying law, he began his career as Senior Legal Counsel and Data Protection Officer at the Home24 Group. After working at Freshfields Bruckhaus Deringer, he moved to TIER Mobility, where, as General Counsel, he was significantly involved in expanding the legal and public policy department - and grew the company from one to 65 cities and from 50 to 800 employees. Motivated by limited technological advances in the legal sector and inspired by his consulting work at Gorillas Technologies, he co-founded Kertos to develop the next generation of European data protection technology.

About Kertos

Kertos is the modern backbone of the data protection and compliance activities of scaling companies. We enable our customers to implement integrated data protection and information security processes in accordance with GDPR, ISO 27001, TISAX®, SOC2 and many other standards quickly and cheaply through automation.
