Skip to content
You can now search across every topic, entity and event.What's new
NIS2
LegislationEU

NIS2

EU Directive 2022/2555 mandating cybersecurity obligations across essential and important entities in 18 sectors.

Last refreshed: 7 June 2026 · Appears in 2 active topics

Key Question

Does ENISA's NIS360 risk-zone data give regulators their first direct enforcement target?

Timeline for NIS2

#1014 Jul
#710 Jun

Mentioned in: UK cyber bill drops payment regime

Cybersecurity: Threats and Defences
#83 Jun

Identified as a sector caught by CADA Level 2-4 obligations per Wilson Sonsini analysis

European Tech Sovereignty: Brussels adopts CADA, narrows its scope
#71 Jun

Reached full personal-liability enforcement force on 1 June 2026 in transposed member states

Cybersecurity: Threats and Defences: NIS2 fines now reach directors personally
#628 May

Provided the regulatory framework against which ENISA documented maturity gaps for enforcement

Cybersecurity: Threats and Defences: ENISA puts water and rail in risk zone
View full timeline →
Common Questions
What is the NIS2 Directive and who does it apply to?
NIS2 (Directive (EU) 2022/2555) is the EU's core cybersecurity law. It applies to essential entities (energy, transport, health, digital infrastructure, etc.) and important entities (manufacturing, postal, chemicals, food, etc.) above 50 employees or €10m turnover in 27 EU member states.Source: EUR-Lex
What are the NIS2 fines for non-compliance?
Essential entities face fines of up to €10m or 2% of global annual turnover, whichever is higher. Important entities face up to €7m or 1.4% of global annual turnover.Source: Directive (EU) 2022/2555 Article 34
Which EU countries have not yet implemented NIS2?
As of April 2026, 19 member states remain under European Commission reasoned opinions for partial or no transposition. Only 14 of 27 had fully transposed by mid-2025; Germany, the Netherlands, and Croatia were among the early movers.Source: ENISA

Background

The Network and Information Security Directive 2 (NIS2, Directive (EU) 2022/2555) entered into force on 16 January 2023, replacing the original NIS Directive (2016) with a substantially expanded scope. Member states faced a transposition Deadline of 17 October 2024. The Directive covers essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, and space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, and research), targeting organisations above 50 employees or €10m turnover in those sectors.

Key obligations include: 24-hour Early Warning and 72-hour full notification of significant incidents to the national competent authority; board-level accountability for cybersecurity risk management with individual liability for executives; supply-chain risk management requirements; minimum technical controls including MFA, encryption, and access management; and registration of domain-name registrars. Fine ceilings are €10m or 2% of global annual turnover (whichever is higher) for essential entities, and €7m or 1.4% for important entities — materially above NIS1 maxima.

By mid-2025, only 14 of 27 member states had fully transposed NIS2. The European Commission opened infringement proceedings against the remaining 13 in autumn 2025, escalating to reasoned opinions against 19 member states by April 2026. Germany, the Netherlands, Croatia, and Hungary transposed early or on time; France, Poland, and Spain were among the late cohort. The Directive's reach into supply chains, its board-accountability clause, and its fine ceiling at global revenue have made it the dominant compliance frame for European cybersecurity programmes.

NIS2's enforcement trajectory sharpened in April 2026 when ENISA released National Capabilities Assessment Framework 2.0 (NCAF 2.0) on 22 April — a structured maturity-scoring tool that lets member states benchmark their compliance position against NIS2 requirements. With 19 member states still under European Commission reasoned opinions for partial transposition, NCAF 2.0 signals a shift from political pressure to measurement-and-accountability.

On 28 May 2026, ENISA's NIS360 report gave national regulators a second enforcement instrument: a documented sector-level maturity gap. Three sectors crossed into the NIS360 risk zone for the first time — railway, drinking water and waste water — because their criticality outstrips their assessed capability. One in three water-sector entities has never conducted a risk assessment, creating a directly citable gap for NIS2 enforcement action by national competent authorities. For CISOs operating in EU markets, NIS2 compliance is no longer a 2024 Deadline story: it is an active enforcement and capability-benchmarking cycle with sector-specific audit targets now named in a public ENISA report.

More questions
How does NIS2 affect company boards and executives?
NIS2 introduces individual liability for senior management: boards must approve cybersecurity risk-management measures and can be held personally liable for violations. Executives may face temporary bans from management roles if an essential entity breaches its obligations.Source: Directive (EU) 2022/2555 Article 20
How long do organisations have to report a cyber incident under NIS2?
Organisations must send an Early Warning to their national competent authority within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours, and a final report within one month.Source: Directive (EU) 2022/2555 Article 23
Source Material