Governance, Risk & Compliance

The NIS2 Directive in Practice: What Organisations Actually Need to Do

Standarity Editorial Team · NIS2 Practitioners & EU Cybersecurity Specialists · 9 min read

The NIS2 Directive replaced the original NIS Directive in October 2024, with member-state transpositions landing across 2024 and 2025. The new regime is broader (more sectors and entities in scope), stricter (more specific obligations and harder enforcement), and structured around two tiers — essential entities and important entities — with different supervision and penalty regimes. A meaningful number of organisations now in scope still treat NIS2 as something the security team will figure out. The supervisory authorities are not waiting.

How Scope Expanded

NIS2 covers eighteen sectors split between "highly critical" (essential entities) and "other critical" (important entities). The list includes the obvious — energy, transport, banking, financial market infrastructures, health, drinking water, digital infrastructure — plus expanded coverage of postal and courier services, waste management, manufacturing of critical products, food production, ICT service management, public administration entities, and digital providers. Size thresholds (typically 50+ employees and €10M+ turnover) determine whether an entity is in scope, with sector-specific exceptions.

The expansion is significant in two ways. First, many organisations are now in scope that were not under the original NIS. Second, supply chain effects mean even smaller organisations may face NIS2-shaped requirements through their customers, who need to demonstrate supply chain risk management.

The Risk Management Obligations

Article 21 of NIS2 sets out the cybersecurity risk-management measures organisations must implement. The list is technology-neutral but specific: risk analysis and information system security policies, incident handling, business continuity (including backups and disaster recovery), supply chain security, security in network and information systems acquisition and development, policies and procedures to assess effectiveness, basic cyber hygiene practices and training, cryptography policies, human resources security and access control, and authentication including multi-factor where appropriate.

A common misreading: organisations treat the Article 21 list as guidance and continue running their existing security programme. The list is mandatory, and supervisory authorities are increasingly capable of assessing whether each measure is actually implemented. An ISO 27001 ISMS satisfies most of the list — but the gap between "we have ISO 27001" and "we have demonstrably implemented every Article 21 measure" can include items like documented multi-factor authentication policy, formal supply chain risk assessment, and specific cyber hygiene training programmes.

Incident Reporting Timelines

NIS2 imposes specific reporting timelines for significant incidents: an early warning within 24 hours, an incident notification within 72 hours, an intermediate report on request, and a final report within one month. The timelines are tight, the criteria for a "significant incident" are defined, and the reporting goes to the national CSIRT or competent authority. Programmes that have not built incident classification specifically against the NIS2 thresholds tend to either over-report or under-report — both of which create supervisory exposure.

Management Body Accountability

NIS2 explicitly assigns accountability for cybersecurity risk management to the management body of the entity. Management body members are required to approve the risk management measures and oversee their implementation, and they are personally exposed to potential liability for non-compliance. The directive also requires them to receive training so that they can identify and assess cybersecurity risks. This is a substantive change: cybersecurity is no longer something the management body can delegate entirely to the CISO.

Practical Steps for In-Scope Organisations

  • Confirm scope under your member state's transposition — sector and size criteria can vary in detail
  • Map Article 21 measures to your existing security programme; document gaps with remediation plans
  • Build NIS2-aligned incident classification into your IR runbook so the 24/72-hour timelines are runnable
  • Conduct supply chain risk assessment of critical ICT suppliers; update contractual provisions
  • Brief and train the management body on cybersecurity risk; document the training as evidence
  • Register with the national competent authority within the timeline your member state requires
  • Plan for proactive supervision: essential entities face routine inspections, not only incident-driven supervision
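The reporting timelines above (24-hour early warning, 72-hour incident notification, final report within one month) and the runbook step about making them runnable are easy to state and easy to miss under pressure. The following Python is an added example, not code from the article or from Standarity, showing the deadline bookkeeping an IR runbook can carry for one significant incident: it derives each deadline from the moment the entity became aware of the incident, marks submissions as on time or late, and lists what is still open, soonest first. The stage labels, the reading of "one month" as one calendar month, and the sample incident are assumptions of this example. It does not decide whether an incident is "significant"; that classification comes from the thresholds in the applicable transposition and belongs in the runbook alongside this.

```python
from __future__ import annotations

import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Stage labels used by this example (assumed names, not NIS2 terms of art).
EARLY_WARNING = "early_warning"          # due within 24 hours of awareness
NOTIFICATION = "incident_notification"   # due within 72 hours of awareness
FINAL_REPORT = "final_report"            # due within one month of awareness


def add_calendar_month(moment: datetime) -> datetime:
    """Advance by one calendar month, clamping the day to the target month's
    length (31 Jan -> 28/29 Feb). Treating 'one month' as a calendar month is
    an assumption of this example."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def reporting_deadlines(aware_at: datetime) -> dict[str, datetime]:
    """Deadlines for every reporting stage, measured from the awareness time."""
    if aware_at.tzinfo is None:
        # A naive timestamp makes a 24-hour deadline ambiguous across time zones.
        raise ValueError("aware_at must be timezone-aware")
    return {
        EARLY_WARNING: aware_at + timedelta(hours=24),
        NOTIFICATION: aware_at + timedelta(hours=72),
        FINAL_REPORT: add_calendar_month(aware_at),
    }


@dataclass(frozen=True)
class StageStatus:
    stage: str
    deadline: datetime
    submitted_at: datetime | None
    late: bool  # True if submitted after the deadline, or still open past it


def stage_status(aware_at: datetime, stage: str,
                 submitted_at: datetime | None = None,
                 now: datetime | None = None) -> StageStatus:
    """Status of one stage: a submission is judged against its deadline; an
    unsubmitted stage is judged against 'now'."""
    deadline = reporting_deadlines(aware_at)[stage]
    reference = submitted_at if submitted_at is not None else (now or datetime.now(timezone.utc))
    return StageStatus(stage, deadline, submitted_at, late=reference > deadline)


def open_obligations(aware_at: datetime, submissions: dict[str, datetime],
                     now: datetime) -> list[tuple[str, timedelta]]:
    """Stages not yet submitted with the time remaining (negative when already
    overdue), soonest deadline first."""
    deadlines = reporting_deadlines(aware_at)
    pending = [(stage, deadline - now)
               for stage, deadline in deadlines.items() if stage not in submissions]
    return sorted(pending, key=lambda item: item[1])


if __name__ == "__main__":
    # Constructed sample incident: awareness at 10:00 UTC on 31 January 2025,
    # early warning filed 20 hours later, checked 48 hours after awareness.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    filed = {EARLY_WARNING: aware + timedelta(hours=20)}
    check_time = aware + timedelta(hours=48)
    for stage, deadline in reporting_deadlines(aware).items():
        print(f"{stage:22s} due {deadline.isoformat()}")
    print(stage_status(aware, EARLY_WARNING, submitted_at=filed[EARLY_WARNING]))
    for stage, remaining in open_obligations(aware, filed, check_time):
        print(f"open: {stage} ({remaining} remaining)")
```

Run it as a script to see the deadlines for the constructed incident, or call `open_obligations` from an IR tooling hook with the real awareness timestamp. Keeping the awareness time timezone-aware is deliberate: the 24-hour and 72-hour clocks start at a specific instant, and a naive local timestamp is the usual way a team ends up disputing by how much a warning was late.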

Why "Wait and See" Is the Wrong Strategy

Some organisations are taking a wait-and-see approach, expecting enforcement to ramp slowly. The supervisory authorities have signalled otherwise. Penalties for essential entities can reach €10M or 2% of global annual turnover, whichever is higher; for important entities, the ceiling is €7M or 1.4%. Member states are staffing up their competent authorities and CSIRTs. Organisations that delay until the first enforcement action against a peer find themselves with much less time than they assumed.
