Continue your mission
The Network and Information Systems Directive 2 (NIS2, Directive 2022/2555) is the EU's updated cybersecurity legislation that significantly expands the scope, requirements, and enforcement of cybersecurity obligations across essential and important entities in the European Union.
# NIS2 Directive
The Network and Information Systems Directive 2 (NIS2, Directive 2022/2555) is the EU's updated cybersecurity legislation that significantly expands the scope, requirements, and enforcement of cybersecurity obligations across essential and important entities in the European Union. Replacing the original NIS Directive (2016), NIS2 covers a much broader range of sectors, introduces harmonized security requirements, mandates incident reporting within 24 hours, and establishes significant penalties for non-compliance. Member states were required to transpose NIS2 into national law by October 17, 2024.
NIS2 categorizes covered entities into two groups with differentiated obligations:
Essential Entities (higher scrutiny): Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, and space.
Important Entities (lighter oversight but still regulated): Postal and courier services, waste management, chemicals, food, manufacturing (medical devices, computers, electronics, machinery, motor vehicles), digital providers (online marketplaces, search engines, social networks), and research organizations.
Size Threshold: Generally applies to medium and large enterprises (50+ employees or 10M+ EUR annual turnover) in covered sectors, though certain entities are covered regardless of size (DNS providers, TLD registries, qualified trust service providers).
Core requirements:
Enforcement and penalties:
The original NIS Directive (2016) covered only a narrow set of operators of essential services and digital service providers. NIS2 dramatically expands coverage to an estimated 160,000+ entities across the EU. Many organizations that never had cybersecurity regulatory obligations now face mandatory requirements.
Three aspects make NIS2 particularly impactful:
First, management accountability. For the first time, C-suite executives and board members can face personal penalties for cybersecurity governance failures. This elevates cybersecurity from an IT issue to a board-level governance obligation.
Second, supply chain requirements. Organizations must assess and manage cybersecurity risks in their supply chains, creating cascading compliance requirements for vendors and partners.
Third, harmonized incident reporting. The 24-hour early warning requirement is among the strictest globally and forces organizations to have mature detection and reporting capabilities.
NIS2 is a core focus of CDA's Risk Governance & Assurance (RGA) domain under the Perpetual Compliance Assurance (PCA) methodology. The directive's scope means nearly every organization with EU operations or EU customers needs a compliance strategy.
CDA's operational approach:
CDA emphasizes the management liability provisions. We ensure that executive leadership understands their personal obligations and has documented evidence of cybersecurity oversight and training.
CDA Theater missions that address topics covered in this article.
Written by Evan Morgan
Found an issue? Help improve this article.