NIS2 (Network and Information Security Directive 2) is the EU's updated cybersecurity legislation that establishes a high common level of cybersecurity across all member states. It replaces the original NIS Directive (2016) and significantly expands the scope, requirements, and enforcement powers.

Who does NIS2 apply to?

NIS2 applies to two categories: Essential Entities (energy, transport, banking, healthcare, water, digital infrastructure, ICT service management, public administration, space) and Important Entities (postal services, waste management, chemicals, food, manufacturing, digital providers, research). Generally, medium-sized enterprises (50+ employees or €10M+ turnover) in these sectors are in scope.

What are the penalties for NIS2 non-compliance?

For essential entities: up to €10 million or 2% of global annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of global annual turnover. Management bodies can also be held personally liable and temporarily banned from exercising managerial functions.

What is the difference between NIS2 and DORA?

NIS2 is a broad, cross-sector cybersecurity directive covering 18 sectors. DORA (Digital Operational Resilience Act) is a sector-specific regulation focused exclusively on financial entities. DORA is considered 'lex specialis' to NIS2, meaning financial entities primarily follow DORA but NIS2 still applies where DORA does not cover specific aspects.

When did NIS2 come into effect?

NIS2 entered into force on January 16, 2023. EU member states had until October 17, 2024 to transpose it into national law. Organizations must now comply with their national implementations of NIS2.

What is NIS2? | Alterra Solutions Security Glossary

Enforcement Is Active

The transposition deadline was October 17, 2024. Member states are now actively enforcing NIS2 requirements. Penalties mirror GDPR severity: up to €10 million or 2% of global turnover. Management can be held personally liable.

From NIS1 to NIS2: What Changed?

The original NIS Directive (2016) was the EU's first cybersecurity legislation. While groundbreaking, it suffered from inconsistent implementation across member states, a narrow scope, and weak enforcement. NIS2 addresses all of these:

Scope expansion: From ~7 sectors to 18 sectors, covering an estimated 160,000+ entities across the EU.
Harmonized rules: Minimum requirements are now uniform, eliminating the "race to the bottom" between member states.
Stronger enforcement: GDPR-style fines and personal liability for management bodies.
Supply chain focus: Organizations must assess and manage cybersecurity risks in their supply chain.
Incident reporting: Strict 24h/72h notification timelines to national CSIRTs.

Who Is In Scope?

NIS2 categorizes entities into two tiers, each with different oversight regimes:

Essential Entities (Stricter Oversight)

Sector	Examples
Energy	Electricity, oil, gas, hydrogen, district heating
Transport	Air, rail, water, road
Banking & Financial	Credit institutions, trading venues
Healthcare	Hospitals, labs, pharma manufacturers
Water	Drinking water supply, waste water
Digital Infrastructure	DNS, TLD, data centers, cloud, CDNs, trust services
ICT Service Management	MSPs and MSSPs (B2B)
Public Administration	Central government entities
Space	Operators of ground-based infrastructure

Important Entities (Lighter Oversight)

Postal and courier services
Waste management
Chemicals manufacturing and distribution
Food production and distribution
Manufacturing (medical devices, electronics, machinery, vehicles)
Digital providers (online marketplaces, search engines, social platforms)
Research organizations

Size threshold: Generally applies to medium-sized entities (50+ employees or €10M+ annual turnover). However, certain entities like DNS providers, TLD registries, and trust service providers are in scope regardless of size.

Core Requirements (Article 21)

NIS2 mandates an "all-hazards approach" to cybersecurity risk management. The minimum measures include:

Risk analysis and information system security policies
Incident handling — detection, response, and recovery
Business continuity — backup management, disaster recovery, crisis management
Supply chain security — assessing suppliers' cybersecurity posture
Security in network and information systems acquisition, development, and maintenance — including vulnerability handling and disclosure
Policies for assessing cybersecurity risk-management effectiveness
Cybersecurity hygiene and training
Cryptography and encryption policies
Human resources security — access control and asset management
Multi-factor authentication (MFA) — and secured communications

Incident Reporting Timeline

Deadline	Requirement
24 hours	Early warning to national CSIRT/competent authority
72 hours	Incident notification with initial assessment (severity, impact, IoCs)
1 month	Final report with root cause analysis, mitigation measures, and cross-border impact

Penalties & Personal Liability

Category	Maximum Fine
Essential Entities	€10M or 2% of global turnover
Important Entities	€7M or 1.4% of global turnover

Critically, NIS2 introduces personal liability for management. Board members and C-level executives can be held responsible for non-compliance, including temporary bans from exercising managerial functions.

NIS2 vs. DORA: Understanding the Relationship

DORA is the EU's sector-specific regulation for financial services. NIS2 is the horizontal framework covering all critical sectors. The key relationship:

DORA is lex specialis — it takes precedence for financial entities where it provides more specific rules.
NIS2 still applies where DORA does not cover specific aspects (e.g., supply chain requirements beyond ICT third parties).
Both share similar principles: risk-based approach, incident reporting, and regulator cooperation.

Compliance Roadmap

Scope Assessment: Determine if your organization qualifies as Essential or Important.
Gap Analysis: Map current security posture against the 10 minimum measures in Article 21.
Supply Chain Audit: Evaluate cybersecurity practices of critical suppliers and ICT service providers.
Incident Response Plan: Ensure capability to meet 24h/72h reporting deadlines.
Board Training: Management must approve and oversee cybersecurity measures—and receive training.
Continuous Monitoring: Implement ongoing risk assessment and vulnerability management.

Alterra's Perspective

NIS2 is not just a compliance checkbox—it's a fundamental shift in how European organizations approach cybersecurity governance. At Alterra Solutions, we help entities navigate the intersection of NIS2 compliance with existing frameworks like NIST 800-53 and Zero Trust Architecture, ensuring that compliance investments also deliver genuine security improvements.

NIS2 Directive