
EU NIS2 Directive Published in Official Journal — December 27, 2022

Directive (EU) 2022/2555 (NIS2) is now in force, giving organisations until October 2024 to implement stronger cyber risk management, supply-chain controls, and staged incident reporting across essential and important sectors.


Executive briefing: Directive (EU) 2022/2555 (NIS2) was published in the Official Journal on 27 December 2022, launching an 18-month transposition period that culminates on 17 October 2024. The directive expands cybersecurity obligations to a wider set of essential and important entities, strengthens supervisory powers, and raises the bar for board accountability, supply-chain assurance, and incident reporting across the EU.

Expanded scope and classification

NIS2 covers sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking and wastewater, digital infrastructure, public administration, and space) and other critical sectors (postal, waste management, manufacturing of critical products, digital providers, research, and food). Entities meeting size thresholds (more than 250 employees, €50 million turnover, or €43 million balance sheet total) are generally included, with some specific criteria for medium-sized enterprises and public administrations.

Member States may designate additional entities based on national risk assessments. Companies must therefore monitor national laws to see whether they are classified as essential (subject to ex ante supervision and higher fines) or important (ex post supervision). Keep records of notifications from competent authorities and maintain an entity inventory with legal identifiers, sector classification, and supervisory contacts.

Risk management and governance obligations

Article 21 prescribes baseline cybersecurity measures, including risk analysis, incident handling, business continuity, supply-chain security, secure development, vulnerability management, cryptography, and multi-factor authentication. Boards or equivalent management bodies must approve cybersecurity risk-management measures, oversee implementation, and can be held personally liable for infringements.

Organisations should integrate NIS2 requirements into enterprise risk management frameworks. Establish a cybersecurity steering committee that aligns budgets, control priorities, and risk appetite with NIS2 expectations. Document board briefings, decisions, and training programmes. Evidence should include risk assessments, policy approvals, and follow-up actions.

Incident reporting regime

NIS2 mandates a staged reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment, and a final report within one month (or after root-cause analysis concludes). Entities must also notify service recipients when incidents could impact service provision.

Prepare by mapping incident response plans to NIS2 timelines, ensuring CSIRT and national authority contact details are current. Implement automated alerting to capture incident severity, affected services, geographic spread, and cross-border impacts. Tabletop exercises should simulate multi-jurisdiction incidents, testing coordination between security operations, legal, communications, and executive teams.

Supply-chain and third-party security

NIS2 emphasises supply-chain risk management, requiring policies that consider the security of suppliers and service providers, including third-party ICT services. Organisations should maintain vendor inventories with risk ratings, due diligence results, contract clauses, and remediation actions. Align procurement processes with ENISA guidance and sectoral expectations, using questionnaires, onsite assessments, and continuous monitoring tools.

For high-risk suppliers (e.g., managed security services, cloud providers, industrial control system vendors), require independent certifications, penetration testing results, and incident-sharing agreements. Keep evidence of joint exercises, breach notification clauses, and exit strategies.

Supervision, enforcement, and penalties

Competent authorities can conduct audits, request information, carry out onsite inspections, and issue binding instructions. Essential entities face administrative fines up to the higher of €10 million or 2% of total worldwide annual turnover; important entities face fines up to €7 million or 1.4% of turnover. Member States may impose additional penalties, including temporary suspension of managers.

Maintain a regulatory engagement log documenting interactions with authorities, submissions of incident reports, remediation plans, and progress updates. Boards should review enforcement trends and allocate resources to address findings promptly.

Coordination with other frameworks

NIS2 interacts with DORA, the EU Cybersecurity Act, the proposed Cyber Resilience Act, and sectoral regulations such as the EU Aviation Security framework. Map overlapping requirements to avoid duplicated efforts. For financial entities subject to DORA, align ICT risk management, incident reporting, and third-party oversight programmes. For digital infrastructure providers, harmonise NIS2 controls with cloud security certifications (e.g., EUCS) and ISO/IEC 27001.

Implementation roadmap

  1. Scope confirmation. Identify in-scope entities, services, and subsidiaries. Engage legal teams to track national transposition drafts and confirm classification as essential or important.
  2. Gap analysis. Benchmark current policies, controls, and incident response capabilities against Article 21 requirements and ENISA best practices. Prioritise remediation projects based on business criticality and risk exposure.
  3. Governance enhancements. Update board charters, management reporting templates, and escalation procedures. Schedule quarterly cybersecurity briefings covering risk posture, incident trends, and remediation status.
  4. Technical control uplift. Deploy multi-factor authentication across privileged accounts, implement network segmentation, expand log collection, and integrate vulnerability scanning with patch management. Document test results, change approvals, and rollback plans.
  5. Incident management rehearsal. Exercise playbooks for ransomware, supply-chain compromise, insider threat, and operational technology incidents. Capture lessons learned, update communication templates, and validate post-incident review processes.
  6. Supply-chain governance. Refresh third-party risk frameworks, integrate NIS2 requirements into procurement contracts, and monitor supplier remediation progress through dashboards.
  7. Training and culture. Deliver tailored training for executives, technical staff, and suppliers. Track participation, comprehension scores, and follow-up actions.
  8. Documentation and evidence. Maintain a compliance repository with policies, risk assessments, audit reports, incident logs, and supervisory correspondence ready for inspection.

Outcome metrics and assurance

Define metrics aligned with NIS2 expectations: mean time to detect/respond, percentage of critical systems covered by vulnerability management, number of supplier assessments completed, and incident severity trends. Boards should review these metrics alongside qualitative analysis of emerging threats and resource needs.

Internal audit, risk, and compliance functions must test NIS2 controls regularly. Document sampling methodology, test scripts, and remediation tracking. For high-risk areas (e.g., OT environments), commission independent assessments to validate resilience. Coordinate with external auditors where cybersecurity disclosures intersect with financial reporting.

By operationalising NIS2 requirements ahead of national deadlines, organisations can reduce enforcement risk, strengthen trust with customers and regulators, and build a resilient posture that complements other EU cybersecurity initiatives.

Information-sharing and cross-border coordination

NIS2 strengthens collaboration through the CSIRTs network, the EU Cyber Crises Liaison Organisation Network (EU-CyCLONe), and coordinated vulnerability disclosure requirements. Entities should establish points of contact for these bodies, subscribe to threat intelligence feeds, and participate in information-sharing and analysis centres (ISACs) relevant to their sector. Maintain procedures for promptly sharing technical indicators with peers and authorities while protecting confidential information.

The directive also encourages voluntary sharing of cyber threats and near misses. Develop legal-approved templates for anonymised sharing, and ensure participation agreements address liability and data protection. During cross-border incidents, rehearse how to synchronise updates to multiple national authorities and the European Commission.

Documentation checklist

  • Enterprise-wide cybersecurity policies and risk assessments reflecting Article 21 measures.
  • Incident response plans with NIS2 reporting timelines, contact lists, and communication templates.
  • Supplier due diligence files, contract summaries, and remediation logs demonstrating supply-chain oversight.
  • Training records for directors, employees, and third parties covering NIS2 obligations.
  • Audit reports, penetration test findings, and follow-up actions evidencing continuous improvement.

Maintaining this documentation in a structured repository will streamline supervisory inspections and support rapid responses to information requests.
