What Is the NIS2 Directive?
NIS2 requirements, which came into force in October 2024, mandate that in-scope EU organizations, primarily those in critical sectors with over 50 employees or €10 million in revenue, implement technical and organizational measures for risk management and incident response. To be subject to NIS2, an organization must meet these three criteria:
- Operate in one of the 18 critical sectors, such as energy, transport, banking, health, or digital infrastructure.
- Be a mid-sized or larger enterprise, defined as having at least 50 employees or more than €10 million in annual revenue.
- Offer its products or services within the European Union.
However, even smaller entities may fall under NIS2 if designated as critical due to their impact or sector role. Additionally, non-EU organizations offering services within the EU must also comply.
NIS2 requires a comprehensive, proactive approach to cybersecurity, including:
- Risk management: Conduct ongoing risk assessments to identify and mitigate cybersecurity vulnerabilities and threats.
- Incident response and reporting: Establish robust incident handling procedures to detect, analyze, and respond to incidents, with strict mandatory reporting to authorities within 24 hours for significant incidents.
- Supply chain security: Implement comprehensive risk management for the entire supply chain, including assessing and managing security risks associated with third-party suppliers.
- Business continuity: Develop, test, and maintain business continuity and crisis management plans to ensure essential services can be recovered and continue during and after a cyber incident.
- Security monitoring: Maintain continuous security monitoring and analysis to quickly detect and respond to cybersecurity threats.
- Audits and testing: Conduct regular internal and external audits and security drills to assess the effectiveness of implemented security measures.
- Vulnerability management: Establish formal protocols for identifying, managing, and disclosing security vulnerabilities.
Who Must Comply with NIS2 Requirements?
NIS2 significantly expands the range of entities required to comply with its cybersecurity mandates. While the original NIS directive applied mainly to operators of essential services and digital service providers, NIS2 broadens its coverage to include a wider list of essential and important entities across sectors such as energy, transport, health, financial services, digital infrastructure, water supply, and public administration.
In addition, companies offering services or operating infrastructure in EU member states, even if not headquartered in the EU, may be subject to NIS2 if they provide services to EU markets.
Enterprise Sizes
Small and micro enterprises are generally exempt, unless they are designated as critical due to their sector, impact, or role in the supply chain. Here are the definitions:
- Micro Enterprise: Fewer than 10 employees, annual turnover or annual balance sheet total below €2 million.
- Small Enterprise: Fewer than 50 employees, annual turnover or annual balance sheet total below €10 million.
Industry Sectors
NIS2 covers entities in the following 18 sectors:
Essential Entities
- Energy (electricity, oil, gas, hydrogen)
- Transport (air, rail, water, road)
- Banking
- Financial market infrastructures
- Health (including hospitals and private clinics)
- Drinking water supply and distribution
- Waste water management
- Digital infrastructure (IXPs, DNS, TLDs, cloud, data centers, CDN)
- ICT service management (MSPs, managed security service providers)
- Public administration (central government entities and agencies)
- Space (satellite operators and services)
Important Entities
- Postal and courier services
- Waste management
- Manufacture, production and distribution of chemicals
- Food production, processing and distribution
- Manufacturing of medical devices and critical products
- Digital providers (search engines, online marketplaces, social platforms)
- Research organizations (if critical to society or security)
Key NIS2 Compliance Requirements for Organizations
1. Risk Management
Organizations must implement a risk management framework tailored to their specific threat environment. This includes identifying assets, assessing vulnerabilities, and evaluating the potential impact of cyber incidents. The NIS2 Directive requires entities to adopt a risk-based approach that covers both operational and strategic risks.
Controls must be proportional to the risks identified and should encompass preventive, detective, and corrective measures. Organizations are also expected to document their risk assessments and maintain them regularly to reflect changes in the threat landscape or business operations. NIS2 emphasizes the need for integrating cybersecurity risk into enterprise-wide governance structures, making it a responsibility not just of IT departments, but of executive management as well.
2. Incident Response and Reporting
Organizations must establish and maintain incident response procedures to handle cybersecurity events that could disrupt operations or compromise data. NIS2 requires entities to be capable of detecting, analyzing, and responding to incidents in a timely and coordinated manner. This includes assigning roles and responsibilities, ensuring communication between internal teams, and enabling rapid containment and recovery.
Entities are also obligated to report significant incidents to the relevant computer security incident response team (CSIRT) or national competent authority without undue delay. NIS2 requires a three-phase reporting process for significant incidents: an initial report within 24 hours, a follow-up within 72 hours, and a final report within one month. The report must contain an initial assessment, impact evaluation, mitigation measures taken, and any cross-border implications.
The directive mandates maintaining an internal register of incidents, including documentation of the event timeline, response actions, and lessons learned. This historical data supports compliance audits and helps refine future incident handling capabilities.
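The incident register and the three reporting phases described above can be tracked in a small data structure that computes each deadline from the time the entity became aware of the incident and flags late or overdue submissions. The following is an added example, not N2W's code; the phase names, the 30-day interpretation of "one month", and the sample incident are assumptions made here.

```python
"""Incident register with NIS2-style three-phase reporting deadlines.

Added example, not N2W's code. The phases and their durations (24 hours,
72 hours, one month) follow the article; treating "one month" as 30 days
is an assumption made here.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Reporting phases in order; each deadline is measured from the moment the
# entity became aware that the incident was significant ("aware_at").
PHASES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),  # assumption: "one month" == 30 days
)


@dataclass
class Incident:
    incident_id: str
    aware_at: datetime                                 # awareness time (UTC)
    summary: str
    timeline: list = field(default_factory=list)       # (when, note) entries
    submitted: dict = field(default_factory=dict)      # phase -> submitted_at
    lessons_learned: list = field(default_factory=list)

    def log(self, when: datetime, note: str) -> None:
        self.timeline.append((when, note))

    def submit(self, phase: str, when: datetime) -> None:
        if phase not in dict(PHASES):
            raise ValueError(f"unknown phase {phase!r}")
        self.submitted[phase] = when
        self.log(when, f"submitted {phase}")

    def deadlines(self) -> dict:
        return {name: self.aware_at + delta for name, delta in PHASES}

    def status(self, now: datetime) -> dict:
        """Per phase: 'submitted' (on time), 'late' (submitted after the
        deadline), 'overdue' (not submitted, deadline passed) or 'pending'."""
        result = {}
        for name, due in self.deadlines().items():
            sent = self.submitted.get(name)
            if sent is not None:
                result[name] = "submitted" if sent <= due else "late"
            elif now > due:
                result[name] = "overdue"
            else:
                result[name] = "pending"
        return result


class IncidentRegister:
    """The internal register: one Incident per significant incident."""

    def __init__(self):
        self._incidents = {}

    def open(self, incident_id: str, aware_at: datetime, summary: str) -> Incident:
        inc = Incident(incident_id, aware_at, summary)
        inc.log(aware_at, "classified as significant incident")
        self._incidents[incident_id] = inc
        return inc

    def get(self, incident_id: str) -> Incident:
        return self._incidents[incident_id]

    def overdue(self, now: datetime) -> list:
        """(incident_id, phase) pairs whose deadline passed with no submission."""
        out = []
        for inc in self._incidents.values():
            for phase, st in inc.status(now).items():
                if st == "overdue":
                    out.append((inc.incident_id, phase))
        return out


def demo():
    """Constructed sample: ransomware classified as significant on 2025-03-01 09:00 UTC."""
    reg = IncidentRegister()
    t0 = datetime(2025, 3, 1, 9, 0, tzinfo=timezone.utc)
    inc = reg.open("INC-2025-001", t0, "ransomware on file server (constructed example)")
    inc.log(t0 + timedelta(hours=2), "affected hosts isolated from network")
    inc.submit("early_warning", t0 + timedelta(hours=20))           # within 24 h
    inc.submit("incident_notification", t0 + timedelta(hours=80))   # 8 h past 72 h
    now = t0 + timedelta(days=35)                                    # final report still missing
    return inc.status(now), reg.overdue(now)


if __name__ == "__main__":
    status, overdue = demo()
    for phase, st in status.items():
        print(f"{phase:22s} {st}")
    print("overdue:", overdue)
```

Run as a script to see the per-phase status for the constructed incident; in practice `overdue()` would be polled by a scheduler so the team is alerted before a deadline passes rather than after.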
3. Supply Chain Security
Under NIS2, organizations are accountable not only for their internal security posture but also for the cybersecurity practices of third parties involved in delivering critical services. This includes suppliers, service providers, cloud vendors, and managed service providers, especially those with access to core systems or sensitive data.
Entities must conduct risk assessments focused on supply chain dependencies and ensure that contractual agreements incorporate cybersecurity obligations, including breach notification clauses, minimum security standards, and audit rights. Regular reviews of supplier performance and security practices are required to detect emerging risks.
Additionally, organizations are encouraged to promote a culture of shared responsibility by fostering transparency and collaboration with third parties. The goal is to ensure continuity and security across the entire digital ecosystem.
4. Business Continuity
NIS2 emphasizes the importance of operational resilience in the face of cybersecurity incidents. Organizations must develop and maintain business continuity and disaster recovery plans that address potential disruptions to essential services. These plans should identify critical functions, define recovery time objectives, and outline procedures for maintaining operations during and after incidents.
The directive requires periodic testing of these plans to validate their effectiveness under realistic conditions. Entities should also ensure that personnel are trained on their roles within continuity frameworks and that the organization can operate under degraded conditions if necessary.
By integrating cybersecurity into continuity planning, organizations can minimize downtime, prevent cascading failures, and maintain public trust during adverse events.
5. Security Monitoring
Continuous monitoring is a core component of NIS2 compliance. Organizations must implement systems and processes to detect unauthorized access, malicious activity, and potential breaches in real time. This involves collecting and analyzing security logs, network traffic, system alerts, and user activity data across all relevant environments.
Monitoring capabilities should enable early detection of incidents, help identify trends or anomalies, and support forensic investigations. Entities are expected to maintain situational awareness across their infrastructure and adapt monitoring strategies to reflect changing threats.
The directive also encourages integration with threat intelligence feeds and coordination with external CSIRTs to enhance detection capabilities and response readiness.
6. Technical and Organizational Measures
NIS2 requires a balanced implementation of technical controls and organizational policies to manage cybersecurity risks effectively. Technical measures may include firewalls, endpoint protection, intrusion detection systems, multi-factor authentication, encryption, secure configurations, and network segmentation.
Organizational measures encompass governance structures, security policies, employee awareness programs, access control procedures, and regular risk assessments. These policies must be formalized, communicated across the organization, and regularly reviewed to remain effective.
The directive stresses that measures must be proportionate to the entity’s risk exposure, service criticality, and operational complexity. Entities should also ensure that security responsibilities are clearly defined and enforced throughout the organization.
7. Audits and Testing
To ensure that cybersecurity measures are effective and up to date, NIS2 mandates regular internal and external evaluations. Essential entities must undergo regular audits, including technical testing such as penetration tests, vulnerability assessments, and red team exercises, as well as formal audits of policies, procedures, and compliance with the directive’s requirements. Important entities may also be audited, depending on national enforcement approaches.
Audit results must be documented and acted upon. Entities are expected to implement corrective actions for identified gaps or weaknesses and demonstrate a cycle of continuous improvement. Competent authorities may also conduct inspections or request evidence of compliance at any time.
Routine testing validates not only technical defenses but also the organization’s readiness to respond to incidents and adapt to evolving threats.
8. Vulnerability Management
Organizations must have structured processes in place to identify, assess, prioritize, and remediate vulnerabilities across their digital assets. This includes continuously scanning systems, applying patches, and monitoring for newly disclosed vulnerabilities in third-party components.
NIS2 also emphasizes participation in coordinated vulnerability disclosure processes, requiring entities to establish secure communication channels for reporting and addressing externally discovered flaws. The goal is to reduce the attack surface and limit the time window in which systems remain exposed to known threats.
Entities should also maintain asset inventories and update them regularly to ensure that vulnerability management efforts cover all relevant systems and applications.
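The two checks this section asks for, that every inventoried asset is actually being scanned and that open findings are remediated in priority order, can be reconciled from an asset inventory and scanner output. The following is an added example, not N2W's code; the inventory, the scan records, the placeholder vulnerability identifiers, and the criticality weighting are all constructed assumptions.

```python
"""Reconcile an asset inventory against vulnerability-scan coverage and rank findings.

Added example, not N2W's code. All records below are constructed sample data;
field names and the criticality weights are assumptions made here.
"""
from datetime import date

# Constructed asset inventory: every system the entity says it owns.
INVENTORY = [
    {"host": "erp-db-01", "owner": "finance", "criticality": "high"},
    {"host": "web-portal-02", "owner": "digital", "criticality": "high"},
    {"host": "hr-app-01", "owner": "hr", "criticality": "medium"},
    {"host": "lab-test-07", "owner": "rnd", "criticality": "low"},
]

# Constructed scanner output: last scan date and open findings per host as
# (vuln_id, cvss_score, known_exploited). A host missing here was never scanned.
SCAN_RESULTS = {
    "erp-db-01": {"last_scan": date(2025, 3, 3),
                  "findings": [("PLACEHOLDER-CVE-A", 9.8, True), ("PLACEHOLDER-CVE-B", 5.3, False)]},
    "web-portal-02": {"last_scan": date(2025, 1, 10),
                      "findings": [("PLACEHOLDER-CVE-C", 7.5, False)]},
    "hr-app-01": {"last_scan": date(2025, 3, 2), "findings": []},
    "ghost-srv-01": {"last_scan": date(2025, 3, 1), "findings": []},  # scanned, not inventoried
}

# Assumed weighting: business criticality multiplies the CVSS base score.
CRIT_WEIGHT = {"high": 3, "medium": 2, "low": 1}


def coverage_gaps(inventory, scans, today, max_age_days=30):
    """Inventory hosts never scanned or scanned too long ago, plus scanned
    hosts that are absent from the inventory (shadow assets)."""
    gaps = {"never_scanned": [], "stale": [], "not_in_inventory": []}
    known = {a["host"] for a in inventory}
    for asset in inventory:
        rec = scans.get(asset["host"])
        if rec is None:
            gaps["never_scanned"].append(asset["host"])
        elif (today - rec["last_scan"]).days > max_age_days:
            gaps["stale"].append(asset["host"])
    gaps["not_in_inventory"] = sorted(h for h in scans if h not in known)
    return gaps


def prioritized_findings(inventory, scans):
    """Rank open findings: known-exploited first, then criticality * CVSS descending."""
    crit = {a["host"]: a["criticality"] for a in inventory}
    rows = []
    for host, rec in scans.items():
        if host not in crit:
            continue  # shadow asset: surfaced by coverage_gaps, not ranked here
        for vuln_id, cvss, exploited in rec["findings"]:
            score = CRIT_WEIGHT[crit[host]] * cvss
            rows.append((exploited, score, host, vuln_id))
    rows.sort(key=lambda r: (not r[0], -r[1]))
    return [(host, vuln_id, round(score, 1), exploited)
            for exploited, score, host, vuln_id in rows]


def demo():
    """Run both checks on the constructed data as of 2025-03-05."""
    today = date(2025, 3, 5)
    return coverage_gaps(INVENTORY, SCAN_RESULTS, today), prioritized_findings(INVENTORY, SCAN_RESULTS)


if __name__ == "__main__":
    gaps, ranked = demo()
    print("coverage gaps:", gaps)
    for host, vuln_id, score, exploited in ranked:
        print(f"{host:15s} {vuln_id:18s} score={score:5.1f} exploited={exploited}")
```

The coverage check is what makes the inventory requirement actionable: a scanner can only report on hosts it knows about, so an asset that is in the inventory but absent from the scan results is an unmanaged exposure, and a scanned host that is not in the inventory is a gap in the inventory itself.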
9. Management Oversight
Senior leadership plays a critical role in ensuring NIS2 compliance. The directive explicitly assigns accountability for cybersecurity governance to executive management, requiring them to oversee risk management strategies, allocate necessary resources, and monitor performance.
Boards and executives must be regularly informed about the organization’s cybersecurity posture, including risk assessments, incident metrics, audit results, and compliance status. They are also expected to lead by example, fostering a security-aware culture and integrating cybersecurity into broader business objectives.
Training for executives and board members is encouraged to ensure they understand their responsibilities under NIS2 and can make informed decisions about security investments and risk tolerance.
- Integrate DRaaS with compliance automation: Disaster Recovery as a Service (DRaaS) platforms that support API-based automation can help validate business continuity and incident recovery requirements of NIS2, reducing manual reporting burdens.
- Map NIS2 controls to existing frameworks: Create a crosswalk that aligns NIS2 requirements with ISO 27001, NIST CSF, or CIS Controls. This lets you repurpose existing policies, audits, and artifacts to meet NIS2 obligations—especially helpful for multinationals.
- Simulate third-party breach propagation: Beyond standard supplier assessments, simulate breach propagation scenarios involving third-party access to your environment. Use attack path mapping tools to evaluate how supplier compromise could move laterally into core systems.
- Use breach cost modeling to prioritize controls: Implement cyber risk quantification (CRQ) models to estimate the financial impact of different cyber incidents. This helps justify cybersecurity investments to executives and aligns with NIS2’s focus on proportionate controls.
- Leverage deception technology for high-fidelity monitoring: Add deception systems (honeypots, decoys, fake DBs) to improve threat detection precision without increasing alert fatigue. These tools provide context-rich, low-noise indicators of compromise that complement SIEM/SOAR tools.
Best Practices for Adhering to NIS2 Requirements
Obtain Top Management Accountability and Governance
Effective governance begins with the direct involvement of senior management in cybersecurity matters. NIS2 assigns explicit accountability to top leadership for ensuring that all compliance obligations are met across the organization. This means the board and executive teams must set clear policies, allocate adequate resources, and ensure oversight of implementation efforts. Regular engagement with risk reports, incident updates, and audit results strengthens their understanding of threat landscapes and assists in making informed strategic decisions.
Leadership should also establish frameworks for clear lines of responsibility regarding cyber risk at all levels of the business. This involves appointing qualified individuals to manage NIS2 compliance, defining accountability metrics, and ensuring ongoing staff training. Effective governance relies on transparent communication and documented workflows, making it easier to demonstrate compliance to regulators and respond decisively to cybersecurity incidents.
Adopt a Risk-Based, Proportionate Cybersecurity Strategy
A risk-based approach to cybersecurity ensures that resources are focused on addressing threats that present the greatest risk to the business. NIS2 expects organizations to tailor their security programs based on the severity and likelihood of specific cyber threats. This starts with a thorough assessment of organizational assets, threats, and vulnerabilities and continues with the prioritization of mitigations according to their criticality.
Implementing proportionate controls requires aligning technical and organizational measures with the actual risk profile of the organization. This includes making informed choices about the depth and breadth of controls, avoiding over- or under-engineering solutions. Regular risk evaluations, dynamic risk modeling, and review of emerging threat intelligence underpin a strategy that remains relevant as the organization and its operating environment change.
Build and Test an Incident Response Playbook that Aligns with NIS2’s Reporting Requirements
An effective incident response playbook provides a structured process for identifying, managing, and reporting cybersecurity incidents in compliance with NIS2 obligations. It should define clear escalation paths, communication procedures, and decision-making authority to ensure that incidents are handled consistently and efficiently. The playbook must also map response activities to NIS2’s specific timelines and requirements, particularly the obligation to submit an initial incident notification within 24 hours and a final report within 72 hours or as otherwise required by national authorities.
Testing the playbook through tabletop exercises, simulations, and post-incident reviews validates its practicality and ensures staff understand their roles. Each exercise should evaluate detection speed, communication flow, documentation accuracy, and compliance with reporting deadlines. Lessons learned must be integrated into the playbook to refine processes and close gaps in coordination or documentation.
To maintain readiness, organizations should align incident response plans with broader business continuity and crisis management frameworks. Integrating technical, legal, and communications teams ensures that security incidents are managed holistically—from containment and evidence preservation to external reporting and public disclosure. Regular updates to the playbook, reflecting new threat patterns and regulatory guidance, sustain its effectiveness and demonstrate a proactive approach to NIS2 compliance.
Build a Third-Party Risk Management Program
Third-party risk management is essential for organizations with complex supply chains or those that rely on external service providers. Compliance with NIS2 demands that entities conduct thorough due diligence before onboarding new suppliers, assessing their security practices, track records, and ability to adhere to relevant controls. Risk-based contractual clauses and ongoing monitoring ensure that suppliers maintain the necessary security standards throughout the relationship.
Periodic reviews of supplier performance, regular audits, and security certifications are effective tools for managing third-party risks. Sharing cybersecurity expectations and incident reporting requirements with all business partners aligns efforts and minimizes mutual exposure to cyber threats. By integrating supplier risk management into procurement and legal processes, organizations close potential gaps in their overall cybersecurity posture.
Continuous Monitoring, Logging, and Threat Detection
Continuous monitoring of critical systems and networks allows organizations to detect irregularities that could signal cyber incidents. Deploying security information and event management (SIEM) solutions, combined with threat detection systems, helps organizations spot suspicious activity in real time. Log management is crucial for tracking events, supporting investigations, and meeting audit requirements under NIS2.
Regularly reviewing and analyzing logs, along with running security analytics and threat intelligence feeds, enhances an organization’s ability to detect emerging threats. Automation of response mechanisms can further shrink response times during active attacks. By integrating monitoring with incident response and risk management procedures, organizations create a feedback loop that improves overall security and compliance.
Utilize Penetration Testing / Red Teaming
Penetration testing and red teaming exercises are recognized best practices for evaluating the strength of organizational cyber defenses. NIS2 encourages the use of these tests to realistically assess an organization’s ability to prevent, detect, and respond to attacks. Regularly scheduling these exercises ensures that critical vulnerabilities are identified, prioritized, and resolved in a timely manner.
Red teaming goes beyond traditional testing by simulating complex attack scenarios, gauging not only technical controls but also staff awareness and response procedures. The findings from these exercises provide actionable insights for improving both technical configurations and organizational readiness. Continuous improvement, based on lessons learned from penetration tests and red team results, is essential for maintaining resilience and NIS2 compliance as the threat landscape evolves.
Adapting to NIS2 Requirements with N2W
| NIS2 Requirement | How N2W Helps |
|---|---|
| Business Continuity & DR | Rapid recovery and near-zero RTO; off-site or geographically redundant copies |
| Incident Response & Recovery | Fast, granular restores; automated testing and DR drills |
| Immutable Backups & Protection | Air-gapped, cross-cloud, and immutable backups |
| Monitoring & Audit Support | Usage tracking, alerts, compliance reports |
| Supply Chain Resilience | Backup isolation from third-party management tools |
Ready to Operationalize NIS2 Compliance?
You don’t have to start from scratch. We’ve built a free, downloadable NIS2 Checklist that breaks down each requirement into actionable steps—mapped to real-world security and continuity practices.