Definition
NIS2 (Network and Information Security Directive 2, formally Directive 2022/2555) is the European Union's core cybersecurity regulatory instrument, effective October 18, 2024. It is the successor to the original NIS Directive of 2016 and represents the most significant expansion of EU cybersecurity obligations since the General Data Protection Regulation (GDPR). Where the original NIS Directive covered seven sectors with discretionary enforcement and minimal penalties, NIS2 covers 18 sectors, imposes 10 mandatory risk management requirements, mandates incident notification within 24 hours of awareness, and creates personal liability for corporate management bodies (boards of directors and equivalent governance structures) for non-compliance.
NIS2 is not a voluntary framework or a best-practice reference. It is law in all EU member states. Organizations operating in covered sectors that fail to comply face administrative fines (up to 10 million EUR or 2% of global annual revenue for essential entities, up to 7 million EUR or 1.4% of global annual revenue for important entities), operational sanctions, and personal accountability for executives and board members up to and including temporary bans from management roles.
The directive's scope extends beyond EU-headquartered organizations. Any entity providing services to customers in EU member states within covered sectors, regardless of where the entity is incorporated or headquartered, is subject to NIS2 requirements in the jurisdictions where it provides those services. This makes NIS2 a practical compliance requirement for U.S.-headquartered technology, healthcare, logistics, and manufacturing companies with EU operations or EU customer bases.
Understanding NIS2 requires understanding what the original NIS Directive failed to achieve, what the EU's broader cybersecurity regulatory architecture looks like, and what the 10 mandatory measures actually require organizations to implement.
---
Background
The original NIS Directive (Directive 2016/1148) was the EU's first horizontal cybersecurity legislation. "Horizontal" means it applied across sectors rather than being confined to one subject matter or industry (as with GDPR's focus on personal data or the EBA's guidance for financial institutions). NIS covered seven sectors: energy, transport, banking, financial market infrastructure, health, drinking water, and digital infrastructure. It required member states to designate "operators of essential services" within those sectors, mandate that designated operators implement security measures and report significant incidents, and create national Computer Security Incident Response Teams (CSIRTs).
The original directive had well-documented weaknesses. First, member states implemented it inconsistently: the designation process for "operators of essential services" produced wildly different outcomes across the EU, with some member states designating thousands of operators and others designating dozens in comparable economic sectors. Second, enforcement was minimal: fines under NIS varied enormously by member state, with some member states setting maximum penalties below 500,000 EUR and conducting few if any enforcement actions. Third, scope was too narrow: seven sectors excluded large portions of critical digital infrastructure, including large parts of the ICT supply chain, cloud providers, and the expanded digital service economy that grew substantially after 2016.
NIS2 was designed to address all three problems. It harmonizes implementation by removing member state discretion on scope (the 18-sector coverage is defined directly in the directive, not delegated to member states), standardizes enforcement by setting EU-wide minimum penalty floors, and dramatically expands scope to cover the actual critical digital infrastructure of the modern economy.
NIS2 also aligns with the EU's parallel regulatory instruments. It sits alongside DORA (Digital Operational Resilience Act, effective January 2025) for financial sector digital resilience, the Cyber Resilience Act (CRA) for connected products, and the AI Act for AI system governance. Together these instruments create an interlocking EU digital regulation architecture where NIS2 provides the baseline cybersecurity governance layer, and sector-specific instruments add depth in their respective domains.
---
Why It Matters
NIS2 matters at three levels: for organizations within its scope, for organizations in the supply chains of those organizations, and for the global conversation about what mandatory cybersecurity governance looks like.
For in-scope organizations. The personal liability provisions are the most significant departure from NIS1 and from most non-EU cybersecurity regulations. Article 20 of NIS2 requires that management bodies approve cybersecurity risk management measures, oversee their implementation, and can be held personally liable for violations. Member states can temporarily ban individuals from management roles for non-compliance. This is a structural change in how cybersecurity governance works: the CISO can no longer absorb all organizational accountability for security outcomes. Boards must actually govern security, not just receive periodic briefings.
The 24-hour early warning requirement for significant incidents changes incident response timelines for any organization accustomed to building incident reports over days. Organizations that lack real-time incident detection capability will struggle to comply. The 24-hour window requires detection, assessment, preliminary root cause analysis, and notification preparation to happen simultaneously within the first day of awareness, a capability that requires investment in detection tooling and pre-planned notification workflows.
For supply chain organizations. Article 21 of NIS2 includes supply chain security as one of the 10 mandatory risk management measures. Essential and important entities must assess and address cybersecurity risks in their ICT service providers and suppliers. This cascades NIS2 obligations into the supply chains of in-scope organizations: a managed service provider (MSP) serving EU healthcare entities will face contractual NIS2 requirements from its customers whether or not the MSP is independently in scope. Cloud providers, SaaS vendors, and IT services firms with EU critical infrastructure customers will be contractually required to demonstrate security practices aligned with NIS2 requirements.
For the global cybersecurity governance conversation. NIS2 is the most detailed and enforceable mandatory cybersecurity governance law currently in force in any major economy. The SEC cybersecurity disclosure rules (2023) created disclosure obligations for public companies; they did not prescribe specific security measures or mandate incident notification to regulators within 24 hours. NIS2 does both. As other jurisdictions observe the EU's regulatory trajectory, NIS2 is shaping what "serious" cybersecurity regulation looks like globally.
The GDPR comparison is instructive but limited. GDPR established the regulatory precedent of extraterritorial application, large fines, and data protection by design. NIS2 applies the same enforcement architecture to operational cybersecurity. The difference: GDPR addressed what happens to personal data; NIS2 addresses whether systems are secure enough to protect that data and the critical services that run on them.
---
Requirements and Technical Details
NIS2 creates two tiers of covered organizations with different obligation levels and penalty structures.
Essential entities operate in sectors of high criticality: energy (electricity, gas, oil, district heating and cooling, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health (healthcare providers, EU reference laboratories, medical device manufacturers), drinking water, wastewater, digital infrastructure (internet exchange points, DNS service providers, TLD name registries, cloud computing service providers, data center service providers, content delivery networks, trust service providers, electronic communications network providers), ICT service management (B2B managed service providers and managed security service providers), public administration (central and state government), and space.
Important entities operate in other critical sectors: postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing (medical devices, computers and electronics, electrical equipment, general-purpose machinery, motor vehicles, other transport equipment), digital providers (online marketplaces, online search engines, social networking services), and research organizations.
Size threshold: The directive applies to medium and large enterprises: entities with 50 or more employees or annual revenue exceeding 10 million EUR. Small and micro enterprises are generally excluded unless they are the sole provider of a service critical to a member state.
The 10 mandatory risk management measures (Article 21):
- Risk analysis and information system security policies: documented risk assessments and formal security policies for information systems.
- Incident handling: procedures for detecting, analyzing, containing, and recovering from security incidents.
- Business continuity and crisis management: backup management, disaster recovery plans, and crisis management procedures.
- Supply chain security: policies addressing relationships with direct suppliers and service providers, including security aspects of contracts.
- Security in network and information systems acquisition, development, and maintenance: vulnerability handling and disclosure policies for ICT products and services.
- Policies and procedures to assess the effectiveness of cybersecurity risk management measures: systematic review of security control effectiveness.
- Basic cyber hygiene practices and cybersecurity training: fundamental security hygiene (patching, access management, incident awareness) and security training for all personnel.
- Policies and procedures regarding the use of cryptography and, where appropriate, encryption.
- Human resources security, access control policies, and asset management.
- Use of multi-factor authentication or continuous authentication solutions, secured voice, video, and text communications, and secured emergency communications.
These 10 measures are minimum requirements. Member states may impose additional requirements for specific sectors.
Incident notification requirements operate on a three-stage timeline. Within 24 hours of becoming aware of a significant incident, the entity must submit an early warning to its national CSIRT or competent authority including: whether the incident is suspected to be caused by unlawful or malicious acts, whether it has a cross-border impact, and the preliminary classification of the incident. Within 72 hours of awareness, a full incident notification is required, including an initial assessment of severity, impact, and indicators of compromise. Within one month of submitting that incident notification (not of the initial awareness), a final report is required covering a detailed description of the incident, type of threat, root cause analysis, applied and ongoing mitigation measures, and cross-border impact assessment.
"Significant incident" is defined as one that has caused or is capable of causing severe operational disruption, financial loss, or material damage to other natural or legal persons. The definition is intentionally broad. Organizations must develop internal criteria for making the "significant incident" determination rapidly, because the 24-hour clock begins upon awareness, not upon completion of a full investigation.
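The timeline above has two different clocks: the 24-hour and 72-hour windows run from awareness, while the one-month window runs from the moment the 72-hour notification is actually submitted. The following Python script is an added illustration of how an incident response team might track those deadlines and check that each stage carries the content the article lists. It is not code from the page, from CDA, or from any regulator; the stage and field names, the "one month equals the same day of the next calendar month, clamped to month end" rule, and the sample incident timestamps are assumptions made for the example.

```python
"""Deadline and content checker for the three-stage NIS2 notification timeline.

Added example, not CDA's or any authority's tooling. Stage names, field names,
the one-month rule and the sample incident are assumptions; the hour counts and
the required content per stage follow the article's summary of Article 23.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Required content per stage, as summarised in the article (field names are assumed).
REQUIRED = {
    "early_warning": {"suspected_malicious", "cross_border_impact"},
    "incident_notification": {"severity", "impact", "indicators_of_compromise"},
    "final_report": {"description", "threat_type", "root_cause",
                     "mitigation", "cross_border_impact"},
}


@dataclass
class Submission:
    stage: str
    submitted_at: datetime  # must be timezone-aware
    content: Dict[str, object]


def add_one_month(ts: datetime) -> datetime:
    """Same day of the next calendar month, clamped to that month's last day (assumption)."""
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def deadlines(awareness: datetime, notification_sent_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Compute the three deadlines.

    The 24h and 72h clocks start at awareness. The one-month clock starts when the
    72h incident notification is actually submitted; if it has not been sent yet,
    the final-report deadline is projected from the 72h deadline (assumption).
    """
    if awareness.tzinfo is None:
        raise ValueError("awareness must be timezone-aware")
    notif_deadline = awareness + timedelta(hours=72)
    anchor = notification_sent_at or notif_deadline
    return {
        "early_warning": awareness + timedelta(hours=24),
        "incident_notification": notif_deadline,
        "final_report": add_one_month(anchor),
    }


def evaluate(awareness: datetime, submissions: List[Submission]) -> Dict[str, dict]:
    """Per stage: the deadline, whether it was met, and which required fields are missing."""
    by_stage = {s.stage: s for s in submissions}
    notif = by_stage.get("incident_notification")
    due = deadlines(awareness, notif.submitted_at if notif else None)
    report = {}
    for stage, fields in REQUIRED.items():
        sub = by_stage.get(stage)
        if sub is None:
            report[stage] = {"deadline": due[stage], "submitted": False,
                             "on_time": None, "missing_fields": sorted(fields)}
            continue
        report[stage] = {
            "deadline": due[stage],
            "submitted": True,
            "on_time": sub.submitted_at <= due[stage],
            "missing_fields": sorted(fields - set(sub.content)),
        }
    return report


def overdue_stages(awareness: datetime, submissions: List[Submission], now: datetime) -> List[str]:
    """Stages submitted late, or not submitted although their deadline has passed."""
    out = []
    for stage, info in evaluate(awareness, submissions).items():
        if info["submitted"]:
            if not info["on_time"]:
                out.append(stage)
        elif now > info["deadline"]:
            out.append(stage)
    return out


# Constructed sample incident: awareness on 3 March 2025 at 09:15 UTC. The early
# warning is on time; the 72h notification is 45 minutes late and lacks IoCs.
SAMPLE_AWARENESS = datetime(2025, 3, 3, 9, 15, tzinfo=timezone.utc)
SAMPLE_SUBMISSIONS = [
    Submission("early_warning", datetime(2025, 3, 3, 22, 0, tzinfo=timezone.utc),
               {"suspected_malicious": True, "cross_border_impact": False}),
    Submission("incident_notification", datetime(2025, 3, 6, 10, 0, tzinfo=timezone.utc),
               {"severity": "high", "impact": "clinical scheduling unavailable"}),
]

if __name__ == "__main__":
    for stage, info in evaluate(SAMPLE_AWARENESS, SAMPLE_SUBMISSIONS).items():
        print(stage, info["deadline"].isoformat(), "on_time:", info["on_time"],
              "missing:", info["missing_fields"])
    print("overdue now:", overdue_stages(SAMPLE_AWARENESS, SAMPLE_SUBMISSIONS,
                                         datetime(2025, 3, 10, tzinfo=timezone.utc)))
```

Run as a script, it reports the sample's 72-hour notification as late and missing indicators of compromise, and shows the final-report deadline anchored to 6 April rather than 3 April. Rejecting naive (timezone-less) awareness timestamps is deliberate: a 24-hour clock measured against mixed local times is the kind of error that turns an on-time early warning into a late one.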
Personal liability (Article 20): Management bodies must approve cybersecurity risk management measures and oversee their implementation. Management body members can be held personally liable for failures to comply and can be temporarily prohibited from exercising management functions. Organizations must offer management body members training and must consider offering training to all employees periodically.
Penalties: Essential entities face administrative fines up to 10 million EUR or 2% of total global annual revenue (whichever is higher). Important entities face fines up to 7 million EUR or 1.4% of total global annual revenue. Non-monetary sanctions include binding instructions, implementation of security audit recommendations, public disclosure of the violation, and designation of a compliance monitor.
Enforcement architecture: Each EU member state designates one or more competent authorities responsible for NIS2 supervision and enforcement. ENISA (the EU Agency for Cybersecurity) coordinates across member states and publishes technical guidance. The European Cyber Crises Liaison Organisation Network (EU-CyCLONe) handles cross-border incident response at the EU level. National CSIRTs receive incident notifications and provide technical assistance.
Extraterritorial application: Non-EU organizations providing services to EU member states in covered sectors are subject to NIS2 for those services. They must designate a representative in one of the EU member states where they offer services. Enforcement against non-EU entities operates through the representative and, in practice, through the ability of competent authorities to restrict service delivery in the EU.
---
CDA Perspective
NIS2 is a direct regulatory expression of what CDA's Perpetual Compliance Assurance (PCA) methodology is built to address. The fundamental NIS2 compliance challenge is not implementing 10 security measures. Most mature organizations have roughly equivalent controls in place. The challenge is demonstrating continuous compliance: that risk management measures are implemented, effective, and producing evidence on an ongoing basis that satisfies supervisory authority expectations.
The 24-hour incident notification requirement alone reshapes how organizations must instrument their security operations. Detection must be real time, not retrospective. Incident severity classification must happen concurrently with incident containment, not after. Notification workflows must be pre-authorized and pre-drafted. The regulatory timeline forces a level of operational security maturity that organizations accustomed to quarterly compliance reviews have not built.
PCA addresses NIS2 through continuous evidence collection across all 10 mandatory measures. Rather than assembling compliance documentation in advance of a supervisory review, PCA maintains live evidence artifacts: current risk assessment documentation, tested incident response procedures with documented last-test dates, backup verification logs, supply chain security assessment records, training completion records, and cryptography policy versions. When a supervisory authority requests evidence of compliance, the response time is hours, not weeks.
For CDA's EU-facing clients and U.S. clients with EU operations, NIS2 compliance architecture follows the PDM structure. The 10 mandatory measures map across multiple PDM domains: supply chain security and risk analysis sit in RGA; incident handling and cryptography span TID and DPS; access control, MFA, and human resources security sit in IAT; network security and vulnerability management sit in VSD and SPH. NIS2 compliance requires coordinated posture across the full Shield, not isolated attention to any single domain.
The board liability provisions align with CDA's position on executive-layer governance. CDA engagements for NIS2-scoped clients include board governance design as a deliverable: defining which board member or management body member owns NIS2 accountability, what reporting structures exist, and what evidence the board reviews to exercise its oversight obligation. This is not compliance theater. The NIS2 personal liability regime means that insufficient board engagement with cybersecurity outcomes creates direct personal financial and professional risk for individual executives.
For U.S.-headquartered clients with EU operations, NIS2 is often the forcing function that creates the first real executive-level engagement with cybersecurity governance. CDA uses that forcing function productively: a NIS2 compliance program built on PDM principles produces governance artifacts (risk assessments, incident response procedures, supply chain security policies, board reporting structures) that simultaneously satisfy NIS2, align with NIST CSF, and position the organization for SOC 2, ISO 27001, and U.S. regulatory requirements with minimal duplication of effort.
---
Key Takeaways
- NIS2 covers 18 sectors (split into essential entities and important entities), applies to medium and large enterprises (50+ employees or 10M+ EUR revenue), and is enforced as law in all EU member states since October 18, 2024.
- The 10 mandatory risk management measures span risk analysis, incident handling, business continuity, supply chain security, cybersecurity hygiene, cryptography, HR security, access control, and MFA.
- Incident notification requires an early warning to national CSIRT within 24 hours of awareness, a full notification within 72 hours, and a final report within one month.
- Management bodies (boards of directors and equivalents) can be held personally liable for non-compliance and temporarily barred from management roles, creating executive-level accountability that most non-EU cybersecurity regulations do not impose.
- Fines reach 10M EUR or 2% of global annual revenue for essential entities. Any U.S. company providing services to EU customers in covered sectors must comply for those operations.
---
Related Articles
- GDPR and Cybersecurity: Data Protection by Design
- ISO 27001: Information Security Management Systems
- DORA: Digital Operational Resilience Act
- Risk Governance and Assurance (RGA) Domain Overview
- Perpetual Compliance Assurance (PCA) Deep-Dive
---
Sources
- European Parliament and Council. Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2 Directive). Official Journal of the European Union, December 27, 2022. https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555
- European Union Agency for Cybersecurity (ENISA). NIS2 Directive: ENISA's Role and Activities. ENISA, 2023. https://www.enisa.europa.eu/topics/cybersecurity-policy/nis-directive-new
- European Parliament and Council. Directive (EU) 2016/1148 (NIS Directive). Official Journal of the European Union, July 19, 2016.
- European Parliament and Council. Regulation (EU) 2022/2554 (DORA). Official Journal of the European Union, December 27, 2022.
- European Union Agency for Cybersecurity (ENISA). Guidelines on Incident Notification under NIS2. ENISA Technical Guidelines, 2024. https://www.enisa.europa.eu/publications/guidelines-incident-notification-nis2