
NIS2
EU Directive 2022/2555 mandating cybersecurity obligations across essential and important entities in 18 sectors.
Last refreshed: 7 June 2026 · Appears in 2 active topics
Does ENISA's NIS360 risk-zone data give regulators their first direct enforcement target?
Timeline for NIS2
Mentioned in: UK cyber bill hits Lords with £17m cap
Cybersecurity: Threats and DefencesMentioned in: UK cyber bill drops payment regime
Cybersecurity: Threats and DefencesIdentified as a sector caught by CADA Level 2-4 obligations per Wilson Sonsini analysis
European Tech Sovereignty: Brussels adopts CADA, narrows its scopeReached full personal-liability enforcement force on 1 June 2026 in transposed member states
Cybersecurity: Threats and Defences: NIS2 fines now reach directors personallyProvided the regulatory framework against which ENISA documented maturity gaps for enforcement
Cybersecurity: Threats and Defences: ENISA puts water and rail in risk zoneWhat is the NIS2 Directive and who does it apply to?
What are the NIS2 fines for non-compliance?
Which EU countries have not yet implemented NIS2?
Background
The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) entered into force on 16 January 2023, replacing the original NIS Directive (2016) with a substantially expanded scope. Member states faced a transposition Deadline of 17 October 2024. The Directive covers essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, and research), targeting organisations above 50 employees or €10m turnover in those sectors.
Key obligations include: 24-hour Early Warning and 72-hour full notification of significant incidents to the national competent authority; board-level accountability for cybersecurity risk management with individual liability for executives; supply-chain risk management requirements; minimum technical controls including MFA, encryption, and access management; and registration of domain-name registrars. Fine ceilings are €10m or 2% of global annual turnover (whichever is higher) for essential entities, and €7m or 1.4% for important entities — materially above NIS1 maxima.
By mid-2025, only 14 of 27 member states had fully transposed NIS2. The European Commission opened infringement proceedings against the remaining 13 in autumn 2025, escalating to reasoned opinions against 19 member states by April 2026. Germany, the Netherlands, Croatia, and Hungary transposed early or on time; France, Poland, and Spain were among the late cohort. The Directive's reach into supply chains, its board-accountability clause, and its fine ceiling at global revenue have made it the dominant compliance frame for European cybersecurity programmes.
NIS2's enforcement trajectory sharpened in April 2026 when ENISA released National Capabilities Assessment Framework 2.0 (NCAF 2.0) on 22 April — a structured maturity-scoring tool that lets member states benchmark their compliance position against NIS2 requirements. With 19 member states still under European Commission reasoned opinions for partial transposition, NCAF 2.0 signals a shift from political pressure to measurement-and-accountability.
On 28 May 2026, ENISA's NIS360 report gave national regulators a second enforcement instrument: a documented sector-level maturity gap. Three sectors crossed into the NIS360 risk zone for the first time — railway, drinking water and waste water — because their criticality outstrips their assessed capability. One in three water-sector entities has never conducted a risk assessment, creating a directly citable gap for NIS2 enforcement action by national competent authorities. For CISOs operating in EU markets, NIS2 compliance is no longer a 2024 Deadline story: it is an active enforcement and capability-benchmarking cycle with sector-specific audit targets now named in a public ENISA report.