NIS 2
NIS 2 is the European Union’s second-generation cybersecurity directive. It expanded the original NIS Directive to a much wider set of sectors and entities, and was transposed into national law by member states by 17 October 2024.
NIS 2 expanded the regime materially. The original NIS Directive caught roughly 12,000 operators of essential services and digital service providers across the EU; NIS 2 catches a multiple of that, with the exact count varying by member state implementation. As a Directive (not a Regulation like GDPR or the AI Act), NIS 2 itself is not directly applicable: each member state transposed it into a national act, and the operational rulebook for a given country is that national act. The 24-hour incident early-warning obligation is short by historical standards, and the directive makes governing bodies personally accountable for cybersecurity risk management. Some entity types are caught regardless of size, including DNS providers, top-level domain registries, and trust service providers. Most software vendors selling into essential or important sectors will see NIS 2 due-diligence questionnaires from buyers.
Definitions
Practical guides
NIS 2 sectors in scope: essential, important, and the size-cap exceptions
NIS 2 catches entities by sector and by size. Annex I lists eleven essential sectors. Annex II lists seven important sectors. The size threshold is 50 employees or €10 million in annual turnover. Some entity types are caught regardless of size.
NIS 2 incident reporting: 24 hours, 72 hours, one month
Article 23 of NIS 2 sets a three-stage incident reporting obligation: an early warning to the competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
NIS 2 management liability: what governing bodies are accountable for
Article 20 of NIS 2 makes the management bodies of in-scope entities directly accountable for approving cybersecurity risk management measures, overseeing their implementation, and following appropriate training. Several national transpositions add personal liability, including temporary bans from management positions.