NIS 2
Also known as: NIS 2 Directive, Directive (EU) 2022/2555, Network and Information Security Directive 2
NIS 2 is the European Union’s second-generation cybersecurity directive. It expanded the original NIS Directive to a much wider set of sectors and entities. Member states were required to transpose it into national law by 17 October 2024.
What changed from NIS 1
The original NIS Directive (2016) caught roughly 12,000 entities across the EU. NIS 2 widened that materially by adding sectors (digital infrastructure, ICT service management, public administration, space, postal, waste management, chemicals, food, manufacturing, digital providers, research) and by setting a clearer size threshold.
The directive also raised the bar on cybersecurity measures, tightened incident reporting to require an early warning within 24 hours, and made governing bodies personally accountable for cybersecurity risk management.
Two entity classes
NIS 2 distinguishes between essential entities (Annex I sectors) and important entities (Annex II sectors). Essential entities face proactive supervision, including ex ante inspections. Important entities are supervised ex post, after a triggering event.
Penalties differ. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover.
Why "Directive" (not "Regulation") matters
NIS 2 is a Directive, not a Regulation. The distinction is in Article 288 of the Treaty on the Functioning of the European Union. A Regulation (such as GDPR or the EU AI Act) is directly applicable: the same text binds every organisation across the EU. A Directive sets a goal each member state must achieve, but each member state writes its own national act to get there. Operational details, enforcement structure, and some sectoral scope choices vary between national transpositions.
For an SME operating in one member state, NIS 2 means the national transposition act of that state. For an SME operating in five, it means five national acts, broadly aligned but not identical. Compliance work that treats NIS 2 as one rulebook will produce gaps in at least some of those countries.
When it became enforceable
Member states had until 17 October 2024 to transpose NIS 2 into national law. Several missed the deadline; the European Commission opened infringement procedures against the late ones. As of mid-2026, transposition status remains uneven (Germany and a handful of others are still finalising their national acts). In practice, every NIS 2 obligation is national: the directive sets the floor, the national transposition act sets the operational detail.