Network and Information Security Directive 2
NIS2 is the EU's updated directive on cybersecurity, replacing the original NIS Directive. It significantly expands the scope of sectors and entities covered, strengthens security requirements, and introduces more stringent enforcement measures.
Who Needs to Comply?
Essential and important entities across 18 sectors, including energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and space, must comply. The directive covers medium-sized and large organizations in these sectors.
Key Dates & Timeline
NIS2 entered into force in January 2023. EU member states had until October 2024 to transpose it into national law. Compliance deadlines vary by member state.
Latest NIS2 Updates
ENISA publications page highlights new cybersecurity guidance and reports
ENISA’s publications page shows multiple 2026 cybersecurity publications, including NIS2 technical implementation guidance, indicating updated implementation detail is available now for organizations aligning cyber controls to EU expectations.
ENISA guidance on cybersecurity roles and skills for NIS2 entities
ENISA’s June 2025 guidance clarifies the cybersecurity roles and skills needed for NIS2 entities, giving organizations a concrete staffing benchmark as they build operational readiness for NIS2 compliance.
Frequently Asked Questions
What is NIS2?
NIS2 is the European Union's updated Network and Information Security Directive. It establishes cybersecurity risk management and incident reporting obligations for organizations across critical sectors, replacing and expanding the original NIS Directive.
How does NIS2 differ from NIS1?
NIS2 significantly expands scope from 7 to 18 sectors, introduces size-based criteria for determining covered entities, strengthens risk management requirements, mandates faster incident reporting (24-hour early warning), and introduces personal liability for management bodies.
What are the penalties under NIS2?
Essential entities face fines up to 10 million euros or 2% of global annual turnover. Important entities face fines up to 7 million euros or 1.4% of global annual turnover. Management bodies can be held personally liable.