NIS2 Compliance: Requirements, Enforcement, and Compliance Checklist

Failure to comply with these NIS2 requirements can result in financial penalties up to €10 million or 2% of global revenue.

What Is NIS2 Compliance?

NIS2 compliance refers to adhering to the European Union’s NIS2 Directive, which requires Member States to transpose it into national law (so requirements are enforced via each country’s implementing legislation). Under the directive, organizations in key sectors are required to implement comprehensive cybersecurity risk management and reporting measures to improve resilience and security within the EU.

Key requirements include regular risk assessments, robust incident response and business continuity plans, enhanced supply chain security, implementation of technical, operational, and organizational security measures, corporate accountability for management, and strict, timely incident reporting. Failure to comply can result in significant financial penalties, up to €10 million or 2% of global revenue—depending on whether the entity is essential or important as well as national implementation.

NIS2 also increases management-body accountability (oversight, approvals, training) and can expose leaders to sanctions under national law, including in some cases temporary bans.

The NIS2 Directive significantly expands the scope of the original NIS Directive, affecting more entities and sectors. Compliance is mandatory for organizations operating within the EU that are:

  • Critical infrastructure providers: Including sectors like energy, banking, healthcare, and transport. 
  • Digital service providers: Such as cloud services, online marketplaces, and search engines. 
  • Public administration bodies: National and local governmental bodies. 
  • Mid-sized to large enterprises: NIS2 generally applies to medium and large entities in covered sectors (Annex I/II), with some exceptions where smaller entities may be included based on criticality or national rules.

NIS2 compliance involves several core components:

  • Corporate accountability: Senior management is responsible for approving and overseeing cybersecurity measures and must undergo relevant training. 
  • Risk management: Organizations must conduct regular, proactive risk assessments and implement technical, operational, and organizational security measures to address vulnerabilities. 
  • Incident reporting: Timely and structured reporting of security incidents is required, with specific deadlines for early warnings and final reports. 
  • Supply chain security: Companies must assess and manage risks associated with their third-party vendors and suppliers. 
  • Business continuity: Plans must be in place to ensure continued operations and resilience during and after a major cyber incident. 
  • Security audits and drills: Organizations are expected to perform routine audits and security drills to test their preparedness.


Evolution from NIS to NIS2 

The original NIS Directive, adopted in 2016, was the first EU-wide law on cybersecurity and aimed to improve the overall level of cybersecurity in the European Union. However, the digital landscape has changed dramatically, and new risks and threats have emerged, making the initial directive insufficient for today’s needs. The patchwork implementation across member states also left significant gaps in security posture, leading to inconsistent protection levels throughout the EU.

To address these issues, the European Commission updated the directive, resulting in NIS2, which entered into force in January 2023 with transposition deadlines in October 2024. Compared to its predecessor, NIS2 applies to a broader range of sectors, introduces stricter supervisory measures, and sets stronger enforcement and penalty regimes. The new directive aims to harmonize cybersecurity requirements, ensure better crisis management across borders, and promote higher levels of security throughout the supply chain.

Who Needs to Comply with NIS2? 

The NIS2 Directive applies to a wider set of entities than its predecessor, targeting both public and private organizations whose operations are critical to the EU’s economy, security, and public welfare. Compliance is based on the type of service provided and the size of the organization, with most obligations applying to medium and large entities.

Critical Infrastructure Providers

This group includes operators in sectors essential to society and the economy, such as energy, transport, banking, financial market infrastructure, healthcare, drinking water, and digital infrastructure. These organizations must implement robust cybersecurity and risk management practices to ensure uninterrupted delivery of services that citizens and businesses rely on.

Digital Service Providers

NIS2 covers key digital service providers like cloud computing services, data center services, content delivery networks, online marketplaces, and search engines. These providers are critical to the functioning of many other sectors, and their cybersecurity posture directly affects broader digital supply chains and infrastructure.

Public Administration Bodies 

National and regional public administration entities are included, except for those involved in national security, defense, law enforcement, or judiciary functions. These institutions hold large volumes of sensitive data and often provide digital public services, making them targets for cyberattacks and requiring elevated security standards.

Mid-Sized to Large Enterprises 

Organizations that do not fall into a specific sector category but exceed size thresholds (more than 50 employees and annual turnover over €10 million) may also be subject to NIS2 if they provide services that are considered essential or important under the directive. These companies must assess their inclusion based on national transposition rules and their role in the broader supply chain or economy.

Digital/ICT services are explicitly in-scope in many cases (e.g., cloud computing, data centres, managed service providers, and core internet services like DNS/domain registration), which can surprise organizations that don’t see themselves as ‘critical infrastructure.’

Jessica Eisenberg
Jessica is Senior Global Campaigns Manager at N2WS with more than 10 years of experience. She enjoys very spicy foods, lifting heavy things and cold snowy mountains (even though she lives near the arid desert).

Key Organizational Requirements Under NIS2

1. Corporate Accountability

NIS2 brings a shift in placing ultimate responsibility for cybersecurity on corporate management. Board members and top executives are required to ensure that their organizations have adequate cybersecurity practices in place. Organizations are now expected to provide regular cybersecurity training to executive staff and document decisions regarding security risk assessments, investments, and incident responses. 

How to ensure compliance:

  • Document security decisions, including accepted risks and investment choices
  • Provide recurring cybersecurity training for board and executive teams
  • Establish a governance framework with clear ownership of security responsibilities
  • Review cybersecurity performance and incident reports at management meetings
  • Maintain evidence of oversight activities for regulators

2. Risk Management

Effective risk management is fundamental under NIS2. Entities must implement risk assessment strategies that cover internal IT environments, operational technology systems, and dependencies involving external partners or suppliers. The directive mandates the use of security-by-design and defense-in-depth principles to mitigate identified risks and ensure the resilience of essential services.

How to ensure compliance:

  • Perform scheduled risk assessments across IT, OT, and third‑party environments
  • Apply security-by-design principles in new systems and service deployments
  • Implement layered security controls based on defense‑in‑depth
  • Use asset inventories to track critical systems and dependencies
  • Reassess risks after major changes, incidents, or technology updates

3. Incident Reporting

NIS2 sharpens incident reporting requirements with much tighter timelines and clearer expectations. Organizations must notify authorities of significant cyber incidents that affect service availability, confidentiality, or integrity. The timeline is staged: an early warning within 24 hours of becoming aware of the incident, an incident notification within 72 hours, and a final report within one month, with progress updates where applicable.

How to ensure compliance:

  • Define internal escalation paths with clear reporting triggers
  • Implement monitoring and detection tooling that supports early warning deadlines
  • Create incident reporting templates that capture required regulatory data
  • Run simulation exercises to test reporting workflows
  • Maintain logs and evidence to support post‑incident reporting requirements

4. Supply Chain Security

NIS2 expands the scope of cybersecurity to cover the entire supply chain. Organizations must assess and manage risks not just within their own environments but also when it comes to suppliers, service providers, and other external partners. 

How to ensure compliance:

  • Evaluate supplier security practices using questionnaires or audits
  • Add cybersecurity clauses to contracts, including breach notification terms
  • Classify suppliers by criticality and apply stricter controls for high‑risk partners
  • Monitor third‑party access and integrate it into identity and access management
  • Review supplier performance and security incidents on a regular cycle

5. Business Continuity

NIS2 explicitly calls out business continuity measures including ‘backup management and disaster recovery’ as part of required risk-management measures. Organizations must develop, maintain, and regularly test business continuity and disaster recovery plans specific to cyber incidents. These plans should prioritize essential service processes, establish fallback procedures, and detail how operations can be restored quickly following an attack.

How to ensure compliance:

  • Develop continuity and disaster recovery plans tailored to cyber scenarios
  • Identify essential processes and define acceptable downtime thresholds
  • Establish backup procedures for critical data and systems
  • Test recovery procedures through tabletop or technical exercises
  • Update plans after significant incidents, audits, or infrastructure changes

✅ TIP: For AWS/Azure environments, N2W supports policy-based backups, fast restores, and automated DR drills—plus recovery of key cloud networking constructs—so teams can generate evidence instead of chasing screenshots at audit time.

6. Security Audits and Drills

Under NIS2, organizations are expected to conduct regular audits and technical assessments to ensure the effectiveness of their cybersecurity controls. Internal or external audits help identify gaps, compliance risks, or process failures that may otherwise go unnoticed. These assessments must be thorough, well-documented, and lead to actionable remediation when issues are discovered.

How to ensure compliance:

  • Schedule internal and external audits to review technical and procedural controls
  • Use audit findings to create remediation plans with clear deadlines
  • Conduct penetration tests or technical assessments on high‑risk systems
  • Run operational drills to evaluate response readiness
  • Maintain audit trails and evidence to demonstrate compliance during inspections

✅ TIP: Treat DR testing as an audit artifact. Tools like N2W can run automated DR drills and produce detailed reporting/alerts—useful for demonstrating readiness and continuous improvement.

NIS2 Enforcement and Penalties 

NIS2 introduces a stronger enforcement framework, equipping national authorities with enhanced supervision and investigation powers. Regulatory bodies can conduct audits, request documentation, carry out on-site inspections, and impose mandatory measures or corrective actions. They can also issue binding instructions, order data erasure, or suspend services until sufficient security is restored.

Penalties under NIS2 are severe to encourage compliance. For “essential” entities, fines can be up to €10 million or 2% of global annual turnover, whichever is higher. For “important” entities, fines can reach €7 million or 1.4% of global annual turnover. Authorities may also hold corporate executives personally liable for serious compliance failures. In addition to financial penalties, public disclosure of non-compliance can result in loss of reputation and customer trust.

How Does NIS2 Compare to Other Cybersecurity Regulations? 

The NIS2 Directive aligns with several major cybersecurity standards and regulations but introduces specific obligations and enforcement mechanisms tailored to critical infrastructure and essential services in the EU. The table below provides a high-level comparison of NIS2 with GDPR, ISO 27001, DORA, and the NIST Cybersecurity Framework.

| Feature | NIS2 | GDPR | ISO 27001 | DORA | NIST Cybersecurity Framework |
|---|---|---|---|---|---|
| Scope | Critical infrastructure, essential and important entities | Personal data protection | Information security management | Financial sector ICT risk | Critical infrastructure (US-centric) |
| Legal Status in EU | Legally binding once transposed into national law | EU Regulation | Voluntary standard | EU Regulation; applies from 17 Jan 2025 | Voluntary framework |
| Focus Areas | Cyber resilience, incident response, supply chain security, governance | Data privacy, breach notification, data subject rights | Risk management, ISMS, continuous improvement | Operational resilience, ICT risk, third-party risk, testing | Identify, protect, detect, respond, recover |
| Mandatory Incident Reporting | Yes (tight deadlines and sector-specific) | Yes (within 72 hours) | No (unless required by contract/regulation) | Yes (detailed and to financial regulators) | No |
| Sector-Specific Requirements | Yes (sector-based scope and obligations) | No | No | Yes (for financial institutions and third-party providers) | No |
| Alignment with NIS2 | N/A | Partial (overlap in breach handling and personal data) | High (shared principles in security management) | Medium to high (overlapping operational and reporting requirements) | High (conceptual match, not legal compliance) |

NIS2 vs. GDPR

NIS2 and GDPR (General Data Protection Regulation) are both cornerstone pieces of EU cybersecurity legislation, but they focus on different areas. GDPR aims to protect the personal data and privacy rights of individuals within the EU, whereas NIS2’s primary concern is the resilience and security of the critical network and information systems that underpin essential services. While the two laws overlap, particularly where personal data is involved in cyber incidents, their scope and requirements differ.

Organizations that fall under both NIS2 and GDPR must align their compliance programs carefully. Incident reporting processes should be harmonized to ensure timely notification to authorities under both regimes, and security control requirements should be mapped accordingly. Failing to comply with either law can result in significant penalties.

NIS2 vs. ISO 27001

ISO 27001 is an internationally recognized standard for information security management systems and provides a structured approach to managing sensitive information. Many NIS2 requirements dovetail with ISO 27001 best practices, such as risk management, incident response planning, and leadership commitment to cybersecurity. Organizations already certified under ISO 27001 will find significant alignment with NIS2’s requirements, easing the path to compliance.

However, NIS2 goes further in several areas, such as mandating strict timelines for incident reporting, enforcing sector-specific requirements, and introducing top-level corporate accountability. ISO 27001 certification is valuable but does not guarantee NIS2 compliance; organizations must still assess any regulatory gaps and ensure all NIS2 obligations are met for their specific industry and operations.

Learn more in our detailed guide to NIS2 vs ISO 27001

NIS2 vs. DORA

The Digital Operational Resilience Act (DORA) is another key piece of EU regulation focused on financial sector ICT risk, covering banks, insurers, and related service providers. While DORA shares objectives with NIS2—such as increasing resilience and managing third-party risks—it includes sector-specific requirements and a heavier emphasis on reporting to financial supervisors. DORA also introduces mandatory testing of digital operational resilience and specific incident response standards for the financial sector.

Entities subject to both DORA and NIS2 must reconcile overlapping demands, especially in areas like supply chain security, incident reporting, and business continuity. Coordinated compliance efforts are necessary to avoid duplicated work and conflicting obligations. Organizations should map DORA’s provisions to NIS2 requirements and approach compliance holistically, especially when relying on common IT infrastructure and processes.

Learn more in our detailed guide to DORA regulation 

NIS2 vs. NIST Cybersecurity Framework

The NIST Cybersecurity Framework, developed in the United States, is widely regarded as a best-practice model for improving critical infrastructure cybersecurity. It provides a flexible, risk-based approach built around six core functions: identify, protect, detect, respond, recover, and govern. Though not a legal requirement in the EU, NIST’s framework is compatible with key NIS2 principles and is often integrated as a benchmark in broader cybersecurity programs.

EU organizations aligning their security policies with NIST benefit from structured risk management and incident response processes that reinforce NIS2 compliance. Adoption of the framework can facilitate harmonized security controls, metrics, and reporting practices. However, organizations must ensure all specific, mandatory NIS2 obligations—such as reporting timelines and sector-focused risk controls—are fully addressed in addition to voluntary best practices.

Learn more in our detailed guide to NIST vs NIS2

NIS2 Compliance Checklist 

1. Assign Clear Cybersecurity Responsibilities at Management Level

Compliance begins with leadership. NIS2 requires that top management formally oversee cybersecurity strategy and implementation. Responsibilities must be clearly assigned, documented, and monitored to ensure accountability.

  • Designate a senior executive or board member responsible for cybersecurity oversight
  • Integrate cybersecurity into organizational risk management and governance structures
  • Review and approve security budgets, policies, and key risk assessments
  • Ensure top management undergoes cybersecurity training
  • Maintain documentation showing leadership involvement in key security decisions

2. Perform Regular Risk Assessments Covering Networks, Systems, and Supply Chain

Organizations must identify and manage risks across their IT and OT environments, as well as their external dependencies. Risk assessments must be proactive and regularly updated.

  • Map all critical assets, data flows, and external dependencies
  • Assess threats and vulnerabilities across internal and third-party systems
  • Update risk assessments after major changes, incidents, or discoveries of new threats
  • Document identified risks and corresponding mitigation measures
  • Review risk reports at management level

3. Report Incidents to Authorities Within Required Timeframes

NIS2 requires fast reporting of significant incidents. Organizations must have procedures in place to meet initial and follow-up notification deadlines.

  • Identify types of incidents that trigger NIS2 reporting requirements
  • Implement monitoring tools to detect reportable incidents in real time
  • Assign reporting responsibilities to specific roles or teams
  • Prepare templates for initial and detailed incident notifications
  • Maintain evidence of all notifications and communications with authorities
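As an added illustration (not code from the original article or from N2W) of the staged reporting timeline described under “3. Incident Reporting” above and the tracking this checklist item asks for, the small tracker below computes the 24-hour, 72-hour and one-month deadlines for each incident and flags stages that were submitted late or are still open. The incident records are constructed sample data; anchoring the one-month clock to the incident-notification time and treating a month as 30 days are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Reporting stages as the article describes them: early warning within 24 hours
# of becoming aware, incident notification within 72 hours, final report within
# one month. Assumptions made for this example: the one-month clock starts when
# the incident notification is submitted, and "one month" is taken as 30 days.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)
FINAL_REPORT = timedelta(days=30)
STAGES = ("early_warning", "incident_notification", "final_report")

@dataclass
class IncidentRecord:
    incident_id: str
    aware_at: datetime                        # moment the entity became aware
    early_warning_sent: Optional[datetime] = None
    notification_sent: Optional[datetime] = None
    final_report_sent: Optional[datetime] = None

def deadlines(rec: IncidentRecord) -> Dict[str, datetime]:
    """Regulatory deadline for each stage whose clock is currently running."""
    d = {
        "early_warning": rec.aware_at + EARLY_WARNING,
        "incident_notification": rec.aware_at + INCIDENT_NOTIFICATION,
    }
    if rec.notification_sent is not None:     # final-report clock starts here
        d["final_report"] = rec.notification_sent + FINAL_REPORT
    return d

def assess(rec: IncidentRecord, now: datetime) -> Dict[str, str]:
    """Classify each stage as met, late, overdue, pending or not_started."""
    sent = {
        "early_warning": rec.early_warning_sent,
        "incident_notification": rec.notification_sent,
        "final_report": rec.final_report_sent,
    }
    dl = deadlines(rec)
    status = {}
    for stage in STAGES:
        deadline = dl.get(stage)
        if deadline is None:
            status[stage] = "not_started"     # clock has not started yet
        elif sent[stage] is not None:
            status[stage] = "met" if sent[stage] <= deadline else "late"
        else:
            status[stage] = "overdue" if now > deadline else "pending"
    return status

def next_actions(records: List[IncidentRecord], now: datetime) -> List[Tuple[str, str, datetime]]:
    """Open reporting obligations (pending or overdue), earliest deadline first."""
    open_items = []
    for rec in records:
        dl = deadlines(rec)
        for stage, state in assess(rec, now).items():
            if state in ("pending", "overdue"):
                open_items.append((rec.incident_id, stage, dl[stage]))
    return sorted(open_items, key=lambda item: item[2])

# Constructed sample records (not real incidents).
UTC = timezone.utc
SAMPLE = [
    IncidentRecord("INC-A", datetime(2025, 3, 1, 8, tzinfo=UTC),
                   early_warning_sent=datetime(2025, 3, 1, 20, tzinfo=UTC),
                   notification_sent=datetime(2025, 3, 3, 10, tzinfo=UTC)),
    IncidentRecord("INC-B", datetime(2025, 3, 1, 8, tzinfo=UTC),
                   early_warning_sent=datetime(2025, 3, 2, 12, tzinfo=UTC)),
]
NOW = datetime(2025, 3, 20, 9, tzinfo=UTC)

if __name__ == "__main__":
    for item in next_actions(SAMPLE, NOW):
        print(item)
```

INC-B’s early warning went out 28 hours after awareness and its 72-hour notification was never sent, so the tracker reports it as late and overdue respectively, while INC-A only has its final report still pending.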

4. Implement Multi-Factor Authentication (MFA) for Critical Systems and Accounts

MFA is a baseline security control that significantly reduces the risk of unauthorized access. It is particularly important for accounts with administrative privileges or access to critical systems.

  • Identify all high-privilege accounts and critical access points
  • Enable MFA for remote access, cloud services, and internal administrative interfaces
  • Ensure MFA supports secure and user-friendly authentication methods
  • Monitor for bypass attempts or configuration errors
  • Regularly review MFA coverage and enforcement policies

5. Keep All Systems and Software Patched and Updated to Reduce Vulnerabilities

Unpatched systems are a major vector for cyberattacks. NIS2 requires organizations to maintain up-to-date systems to limit exposure to known threats.

  • Maintain an up-to-date inventory of all hardware and software
  • Apply security patches promptly, especially for critical vulnerabilities
  • Automate patch management processes where possible
  • Validate that updates are successfully applied
  • Monitor vendor advisories for newly discovered vulnerabilities

6. Encrypt Sensitive Data Both in Transit and at Rest

Encryption protects the confidentiality and integrity of sensitive information. It must be applied consistently across systems handling personal, financial, or operationally critical data.

  • Identify data that requires encryption based on sensitivity and regulatory requirements
  • Use industry-standard encryption protocols for data transmission and storage
  • Ensure encryption keys are securely stored and managed
  • Regularly test encryption effectiveness and compliance
  • Monitor systems for encryption failures or misconfigurations

7. Maintain Business Continuity and Disaster Recovery Plans with Tested Backups

NIS2 emphasizes the need for resilience. Organizations must ensure essential services can continue or recover quickly after cyber incidents.

  • Identify critical processes and define acceptable recovery time objectives
  • Develop and document business continuity and disaster recovery plans
  • Regularly test failover systems and backup recovery procedures
  • Ensure backup systems are segmented from production environments
  • Use immutable backups and a true air gap to reduce ransomware blast radius
  • Automate restore testing/DR drills and keep the results as audit evidence
  • Verify the integrity of backups through regular restoration tests

8. Establish and Test an Incident Response Plan with Clear Escalation Procedures

An effective incident response plan ensures that organizations can react quickly and efficiently to cyberattacks. NIS2 mandates detailed, actionable procedures and regular testing.

  • Develop a written incident response plan covering detection, response, and recovery
  • Define roles, responsibilities, and escalation chains
  • Include procedures for internal reporting, containment, investigation, and communication
  • Run incident simulations and adjust the plan based on test results
  • Log all incidents and maintain post-incident review records

9. Assess and Manage Third-Party/Vendor Risks

Supply chain risks are a key concern under NIS2. Organizations must evaluate and control risks posed by external vendors and service providers.

  • Maintain a register of all third-party service providers
  • Conduct security assessments or require certifications (e.g., ISO 27001)
  • Include cybersecurity clauses in contracts, covering reporting and access control
  • Monitor compliance and performance of critical suppliers
  • Reassess vendor risk profiles regularly

10. Conduct Regular Staff Cybersecurity Awareness Training

Employees are often the first line of defense. NIS2 mandates training programs that promote secure behavior and incident readiness.

  • Deliver annual cybersecurity awareness training to all employees
  • Provide targeted training for high-risk roles (e.g., administrators, finance staff)
  • Include phishing simulations and practical incident response exercises
  • Track training completion and knowledge retention
  • Update training materials to reflect evolving threats and lessons learned from incidents

Backup and Recovery for NIS2 Compliance with N2W

  • NIS2 calls out business continuity: N2W helps operationalize business continuity measures with automated backup policies and rapid recovery.
  • Prove it works: run automated DR drills and capture results/reporting as evidence.
  • Harden recovery against ransomware: with immutable backups and a true air-gapped DR approach.
  • Support isolation + resilience needs: with cross-region/cross-account recovery and cross-cloud options.
