Not sure where your organisation stands on NIS2? Our free assessment can help spot gaps, prioritise next steps and prepare more confidently.

NIS2 directive: requirements, deadlines and implementation in 2026
The NIS2 Directive is reshaping cybersecurity across Europe. Learn what it requires, who it applies to and how organisations can prepare.
Contents
- What is NIS2?
- Deadlines and entry into force
- Implementation
- National implementation
- Who is affected?
- Requirements: checklist
- Compliance & certification
- DORA vs. NIS2
At a glance: NIS2 directive
- Extends the rules to 18 critical sectors across the EU
- Separates in-scope organisations into essential and important entities
- Pushes cybersecurity further into governance, oversight and day-to-day risk management
- Uses a staged reporting model for significant incidents
- Gives management a more direct role in cybersecurity oversight
- An NIS2 assessment can help clarify whether your organisation is affected and where further work may be needed
What is NIS2? The NIS2 directive explained
The NIS2 directive (Directive (EU) 2022/2555) sets a stricter legal framework for cybersecurity across the European Union. It replaces the original NIS directive of 2016 and reflects how much the threat landscape has changed since then. Its reach is broader, and the standard expected of in-scope organisations is higher.
At the centre of NIS2 are three shifts: tighter risk management, earlier reporting of significant incidents and better preparation for disruption. For organisations in scope, cybersecurity is no longer treated only as a technical issue; it now sits squarely within management accountability, internal processes and operational resilience.
Europe's economy relies heavily on connected digital systems. When those systems are disrupted, the consequences often extend well beyond IT. The NIS2 directive takes that broader operational reality into account.

Summary: The key points of the NIS2 directive
Since the original NIS rules were introduced in 2016, the threat landscape has changed significantly, and implementation across the EU has been uneven. The NIS2 directive is intended to create a more consistent and more demanding framework in response.
The focus is no longer limited to technical controls. The directive brings governance, reporting, supplier oversight and organisational resilience much more clearly into view.
An overview of the key changes:
- Extended scope (Article 3):
NIS1 distinguished operators of essential services from digital service providers. NIS2 drops that distinction: the key question now is whether an organisation is an essential entity or an important one. That classification determines how it is supervised (essential entities face proactive supervision, important entities are supervised after the fact) and the maximum fine it can face.
- Stricter incident reporting (Article 23):
Incident reporting is more exacting under the NIS2 directive. A significant incident is reported in stages: an early warning within 24 hours of becoming aware of it, an incident notification within 72 hours with an initial assessment of severity and impact and, where available, indicators of compromise, then a final report no later than one month after that notification. The CSIRT or competent authority can also request intermediate status updates in between.
- Supply chain security (Article 21):
Suppliers can open up weak points that affect the wider organisation. NIS2 reflects that by giving more weight to supplier-related cyber risk. That means organisations often need to look more carefully at what they depend on, how those relationships are overseen, and where contractual safeguards may need strengthening.
- Management accountability (Article 20):
Management bodies must approve the risk-management measures, oversee how they are put into effect and can be held liable for breaches. They are also required to follow training so that they can assess cyber risk and its impact on the organisation.
- Mandatory cyber hygiene (Article 21):
Basic security measures carry more weight under NIS2 than before. These can include regular updates, password security, access controls and staff awareness measures, including training on phishing and social engineering.
- EU-wide cooperation (Articles 16 & 19):
Through the EU-CyCLONe network and peer reviews, the EU places greater emphasis on cross-border coordination during major cyber incidents.
NIS2 deadlines: when does the directive come into force?
The European cybersecurity framework moves on two levels. At EU level, the NIS2 directive sets the common legal direction. For organisations, however, the exact timing of legal obligations depends on how each Member State transposes those rules into national law.

The EU timetable: how the NIS2 directive came into force
The European Union adopted the NIS2 directive at the end of 2022. It entered into force on 16 January 2023, which started the countdown for Member States to transpose the directive into national law. The deadline for doing so was 17 October 2024, and the directive's obligations have applied since 18 October 2024.
That process did not move forward at the same pace everywhere. Some Member States did not complete transposition on time, and in a number of countries national implementation continued well into 2025. That meant the practical legal position remained unclear for longer in some parts of the EU. Article 40 requires the European Commission to carry out the first formal review of the directive by 17 October 2027.
NIS2 implementation: what does the EU require of Member States?
The NIS2 directive sets the legal objective for Europe as a whole but leaves the route to Member States. Brussels defines the milestones, while each country has to turn the European requirements into national law. That step matters for organisations, because national legislation is what determines the exact obligations, supervisory rules and penalties in each jurisdiction.
One of the central requirements of the NIS2 directive concerns the supervision of in-scope organisations. Every Member State must designate one or more competent authorities and give them broad powers. Those authorities are expected to carry out audits, request evidence and take enforcement action where organisations fail to meet their obligations.
The central reporting system under the NIS2 directive
The European Union also requires Member States to establish a national cybersecurity reporting structure. This includes designating a Computer Security Incident Response Team, or CSIRT. These specialised teams receive the incident reports required by law and coordinate the response. Where an incident affects more than one country, national CSIRTs cooperate through the CSIRTs network, and large-scale incidents or crises are coordinated through the EU-CyCLONe network.
The NIS2 directive also requires Member States to determine which organisations fall within scope. To do that, they need a reliable picture of the essential and important entities operating in their territory. Many countries use central registration systems for this, and affected organisations may need to provide their details there.
National choices still matter. The NIS2 directive provides a common starting point, but some elements are still left to national law. Member States may also adopt stricter cybersecurity requirements where they choose to go beyond the EU baseline.
National implementation: why local law still matters
A directive is not the same thing as a regulation. That difference matters with NIS2. An EU regulation applies directly. A directive works through national law. It sets the framework, then each Member State turns that framework into its own legal rules.
That is why NIS2 does not look exactly the same everywhere. The overall direction is shared across Europe, but the way it takes effect is not. What an organisation actually deals with on the ground still depends on the country concerned.
Where the gaps between countries show up
Oversight: In one Member State, the lead authority may sit inside an existing regulator. In another, responsibility may lie with a dedicated cybersecurity body.
Reporting and registration: Reporting channels and registration can vary from country to country.
Management liability and enforcement: These areas can also differ at national level.
Penalties: NIS2 sets the wider framework, but sanctions and enforcement still depend in part on national law.
Who is affected? Sectors and entities covered by the NIS2 directive
Under NIS2, far more organisations fall within scope than under the previous framework. It covers a broad range of essential and important entities across 18 sectors, so the directive now reaches far beyond traditional critical infrastructure alone.

Sector is only one piece of the puzzle. As a general rule, medium-sized and large organisations in the listed sectors are in scope, but some types of entity are covered regardless of size, and national law can widen the net further. For a closer look at the thresholds, categories and full list of NIS2 sectors, see our detailed guide: NIS2: Who is affected?
NIS2 directive: requirements and checklist for implementation
For organisations in scope, the question is no longer whether NIS2 matters but where the work still sits. That answer will not be the same everywhere: while some organisations already have a solid foundation in place, others may still be trying to pin down ownership, identify weaker areas and work out what needs attention first.
Progress in this area is rarely quick. NIS2 reaches beyond technical controls into governance, reporting, supplier relationships and staff awareness. For that reason, the work usually cuts across several teams rather than sitting with one function alone. A useful place to start is the current position; from there, priorities come into view more easily.
- Clarify responsibilities: Involve management, IT, security and relevant service providers early. Make sure ownership is clear.
- Assess the current state: Take stock of your critical systems, core processes and key dependencies. This helps you see where existing controls are already working and where the more obvious gaps still sit.
- Prioritise measures: Turn the requirements of the NIS2 directive into a workable set of actions. Some will be technical, others procedural or organisational.
- Build awareness: Make sure people understand the risks that matter in their day-to-day work. That includes leadership as well as employees across the organisation, supported by relevant awareness training.
- Create evidence: Keep clear records of what has been introduced, how it is being applied and which areas still need further work.
These five steps are a useful starting point, but most organisations will need a more detailed working document to move from planning to implementation. A detailed NIS2 checklist gives a clearer view of priorities, responsibilities and evidence requirements; our NIS2 checklist is designed for exactly that purpose.
NIS2 compliance and certification: how do you demonstrate security?
Many organisations look for a formal NIS2 certification that would prove they have met the requirements of the NIS2 directive. The picture is more complicated than that. The NIS2 directive does not create a single official certificate that automatically demonstrates full compliance across every jurisdiction.
What it does require is stronger evidence. Organisations need to be able to show that they are managing cyber risk in a structured way, putting appropriate measures in place and responding to incidents in line with their obligations. On that basis, NIS2 compliance is not something completed in a single step. It rests on governance, documentation and day-to-day readiness over time.
This also affects the shape of an NIS2 audit. Documentation still has a place, but it may not be enough by itself. Organisations may need to show how measures are carried through in day-to-day work, who is accountable at key points and how risk is kept under review.
That is one reason existing frameworks still matter. An ISO/IEC 27001:2022 management system can already provide much of the structure, provided its scope actually covers the systems and processes that matter under NIS2. Certification alone, however, does not demonstrate compliance: the NIS2 directive also expects reporting within fixed deadlines, supplier oversight and direct management accountability, which an ISMS certificate does not show by itself.
Organisations that want a clearer view of meaningful NIS2 compliance usually need a closer look at evidence, controls and governance. Our dedicated guide on NIS2 compliance looks at that in more depth.
DORA vs. NIS2: what are the differences?
Some organisations are not looking at the NIS2 directive in isolation. They also need to understand how it sits alongside DORA (Digital Operational Resilience Act, Regulation (EU) 2022/2554) and where the boundary between the two frameworks runs.
Both frameworks deal with cyber risk and resilience, but they were written for different purposes and different parts of the economy. The NIS2 directive has a broad cross-sector scope. DORA is focused on the financial sector and on certain ICT third-party providers that support it.
The table below highlights the main differences at a glance:
| | NIS2 directive | DORA |
| --- | --- | --- |
| Who is covered? | Essential and important entities across a wide range of sectors, including energy, transport, healthcare and public administration | Financial entities, such as banks and insurers, as well as certain ICT third-party service providers |
| Main objective | Strengthen cybersecurity and resilience across critical sectors of the economy | Strengthen digital operational resilience in the financial sector |
| Focus of the framework | Risk management, incident reporting, governance and supervisory oversight across multiple sectors | ICT risk management, operational resilience testing, incident reporting and third-party risk in finance |
| How it applies | Implemented through national law in EU Member States | Applies directly as an EU regulation |
| Relationship to other rules | Broad cross-sector framework | Sector-specific framework for financial services |
The NIS2 directive takes a broader cross-sector approach, while DORA goes deeper into the operational resilience of the financial sector. Where DORA applies to a financial entity, its provisions on ICT risk management and incident reporting take precedence over the corresponding NIS2 rules, because NIS2 (Article 4) gives way to sector-specific EU acts of at least equivalent effect. For organisations near the boundary between both frameworks, the safest approach is to check the applicable legal position in detail.
Legal note: This article is for general information only and is not a substitute for legal advice. Organisations that need clarity on their specific NIS2 obligations should speak to a qualified lawyer or the competent authority in their jurisdiction.