NIS2 Directive: What Operators of Essential and Important Entities Actually Need to Do

Standarity Editorial Team · NIS2 Lead Implementers · 8 min read

The NIS2 Directive expanded the scope of EU cybersecurity regulation dramatically — from the original NIS Directive's narrow set of operators of essential services to tens of thousands of essential and important entities across 18 sectors. National transposition deadlines have come and gone, and competent authorities are now moving from awareness campaigns into enforcement. The entities still treating NIS2 as a paper compliance exercise are discovering that the directive's incident reporting timelines, supply chain obligations, and personal liability provisions for management bodies require operational changes that take quarters to implement, not weeks.

Who Is Now in Scope

NIS2 distinguishes between essential entities — energy, transport, banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space — and important entities, which include postal services, waste management, chemicals, food, manufacturing of medical devices and certain critical products, digital providers, and research. The directive applies above size thresholds (medium and large entities, with some sector-specific exceptions that pull smaller entities in regardless). The first task for many organisations is not implementation; it is determining whether they are in scope at all, and if so, as essential or important.

The Substantive Obligations

NIS2 requires entities to adopt cybersecurity risk management measures covering at least ten areas: risk analysis and information system security policies, incident handling, business continuity and crisis management, supply chain security, security in network and information systems acquisition, policies and procedures for evaluating effectiveness, basic cyber hygiene and training, cryptography, human resources security and access control, and use of multi-factor authentication or continuous authentication. The list reads like a control framework summary because that is essentially what it is — entities that have implemented ISO 27001 or NIST CSF have most of the substantive work done; entities starting from scratch face a real implementation programme.

Incident Reporting Timelines

NIS2 imposes a layered reporting timeline that is tighter than most national regimes that preceded it: an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, an intermediate report on request, and a final report within one month. The 24-hour clock surprises organisations that have not rehearsed it. The early warning need not be a complete report — but the obligation to make a competent-authority notification in the first day of an incident requires that someone is on call, knows the contact route, and has authority to file. That is operational work, not policy work.

A pattern we see in NIS2 readiness reviews: the entity has written the policies and the risk management framework, but has not rehearsed the incident reporting timeline. The first significant incident reveals that the 24-hour early warning has no defined owner, no contact list for the competent authority, and no decision authority outside business hours. The substantive obligations were addressed; the procedural one that the regulator will see first was not. Tabletop the reporting timeline before a real incident does it for you.

Supply Chain and Management Body Liability

Two NIS2 provisions reshape the risk landscape beyond the direct entity. Supply chain security obligations require entities to assess and manage the cybersecurity risks of their suppliers and service providers — including the security practices of suppliers' suppliers where relevant. Management body provisions hold the management body responsible for approving cybersecurity risk management measures and supervising their implementation, with explicit liability for breaches of the cybersecurity obligations. Both provisions push cybersecurity up the organisational stack — from a technical function to a board-level governance matter — and the entities that adapt fastest are the ones that brief their boards properly rather than discovering the liability after an incident.

A Readiness Programme That Holds Up

  • Confirm scope determination — essential, important, or out of scope — and document the basis
  • Map existing controls (ISO 27001, NIST CSF, internal frameworks) to the ten substantive measure areas and close the gaps
  • Build and rehearse the incident reporting workflow against the 24-hour early warning clock
  • Identify critical suppliers and assess their cybersecurity posture with a defined methodology
  • Brief the management body on its supervisory and liability obligations, not just the technical programme
  • Establish the registration relationship with the national competent authority
  • Document the cybersecurity risk management measures in a form a regulator can inspect

Why Treating NIS2 as Compliance Theatre Will Not Work

Competent authorities have explicit enforcement powers under NIS2 — instructions, warnings, binding orders, administrative fines up to €10 million or 2% of global turnover for essential entities (€7 million or 1.4% for important entities), and in some Member States temporary suspension of certifications or management responsibilities. The fine architecture is similar to GDPR, and the enforcement trajectory will likely follow a similar pattern — initial cooperative engagement, escalating to material penalties as the regime matures. Entities that build a defensible programme now position themselves for the cooperative phase; entities that wait position themselves for the penalty phase.
