Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union
The NIS-2 Directive (Directive (EU) 2022/2555) is an EU directive that establishes cybersecurity risk management and incident reporting obligations for organizations operating in critical sectors. Adopted on 14 December 2022, it replaces the original NIS Directive (2016/1148) and significantly expands both the scope of covered entities and the stringency of requirements.
Unlike the Cyber Resilience Act (CRA), which targets product manufacturers, NIS-2 targets the organizations operating essential and important services. Its primary goal is to achieve a high common level of cybersecurity across the European Union by harmonizing requirements and strengthening cooperation between member states.
NIS-2 distinguishes between two categories of entities, essential entities and important entities, each with its own supervisory regime and penalty level. Essential entities are subject to proactive (ex ante) supervision; important entities are supervised reactively (ex post), when there is evidence or indication of non-compliance.
Size thresholds: as a rule, medium-sized and larger enterprises are in scope (at least 50 employees, or annual turnover and balance sheet total above EUR 10 million). Certain entities are in scope regardless of size, including DNS service providers, TLD name registries, providers of public electronic communications networks or services, qualified trust service providers, and central government public administration.
All essential and important entities must take appropriate and proportionate risk-management measures, following an all-hazards approach, that cover at least the ten areas listed in Article 21(2):
Policies on risk analysis and information system security
Establish and maintain a risk management framework and the security policies derived from it
Incident handling
Procedures for detecting, responding to, and recovering from security incidents
Business continuity and crisis management
Backup management, disaster recovery, and crisis management plans
Supply chain security
Assess and manage the cybersecurity risks arising from relationships with direct suppliers and service providers
Security in network and information systems acquisition, development, and maintenance
Secure acquisition, development, and maintenance practices, including vulnerability handling and disclosure
Effectiveness of cybersecurity risk-management measures
Policies and procedures to assess whether the measures in place actually work
Basic cyber hygiene practices and cybersecurity training
Baseline hygiene controls such as software updates and secure configuration, plus regular training for staff
Cryptography and encryption
Policies and procedures on the use of cryptography and, where appropriate, encryption
Human resources security, access control, and asset management
Personnel security, access control policies, and an up-to-date inventory of assets
Multi-factor authentication and secured communications
Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate
NIS-2 (Article 23) requires a staged reporting process for "significant incidents". The first two deadlines run from the moment the entity becomes aware of the incident; the CSIRT or competent authority may additionally request intermediate status updates at any point.
Within 24 hours
Early Warning
Early warning to the CSIRT or, where applicable, the competent authority. Must indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
Within 72 hours
Incident Notification
Incident notification that updates the early warning and gives an initial assessment of the incident, including its severity and impact, together with indicators of compromise where available.
Within 1 month of the incident notification
Final Report
Final report with a detailed description of the incident (including its severity and impact), the type of threat or root cause likely to have triggered it, the mitigation measures applied and ongoing, and the cross-border impact where applicable. If the incident is still ongoing at that point, a progress report is submitted instead, and the final report follows within one month of the incident being handled.
What is a "significant incident"? An incident that meets either of two criteria (Article 23(3)): it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity concerned, or it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.
NIS-2 is a directive (not a regulation), meaning each EU member state must transpose it into national law. The transposition deadline was 17 October 2024. Status varies significantly by country:
Already transposed
Belgium, Croatia, Czech Republic, Denmark, Finland, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Romania, Slovakia, Slovenia, Sweden, and others.
In progress
Austria, Bulgaria, Estonia, France, Ireland, Luxembourg, Netherlands, Poland, Portugal, Spain.
Each country designates its own competent authority (e.g., BSI in Germany, ANSSI in France, CCB in Belgium). Registration requirements and deadlines vary by country.
CS Compliance tracks country-specific transposition status and deadlines — see our interactive deadline tracker in the platform.
Management accountability is one of the most significant changes from NIS-1. Under NIS-2 (Article 20), the management bodies of essential and important entities must approve the cybersecurity risk-management measures, oversee their implementation, and follow training so that they can identify risks and assess the measures taken; they can be held liable for infringements of Article 21.
This represents a paradigm shift: cybersecurity is no longer just an IT issue; it is a boardroom responsibility.
Essential entities
Administrative fines with a national maximum of at least EUR 10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever is higher
Important entities
Administrative fines with a national maximum of at least EUR 7 million or 1.4% of total worldwide annual turnover of the preceding financial year, whichever is higher
| Aspect | NIS-2 Directive | Cyber Resilience Act |
|---|---|---|
| Type | Directive (national transposition) | Regulation (directly applicable) |
| Focus | Organizations operating services | Products with digital elements |
| Who | Essential & important entities | Manufacturers, importers, distributors |
| Requirements | Risk management, incident reporting | Product security, vulnerability handling |
| Penalties | Up to EUR 10M / 2% turnover | Up to EUR 15M / 2.5% turnover |
Many organizations will need to comply with BOTH NIS-2 and CRA. CS Compliance supports both frameworks in a single platform.
Determine if you're in scope
Check if your organization falls under Annex I or II sectors and meets size thresholds
Register with your national authority
Complete required registration with the competent authority in your country
Implement Article 21 measures
Conduct risk assessment and implement the 10 required security domains
Establish incident reporting
Set up processes to detect, assess, and report significant incidents within required timelines
Train management
Ensure board members and senior management complete cybersecurity training and formally approve risk management measures
CS Compliance helps you assess Article 21 compliance, manage incidents, track governance training, and monitor country-specific deadlines.