
EU NIS2 Directive Published in Official Journal — December 27, 2022

NIS2 was published in the Official Journal on December 27, 2022. Member states have until October 17, 2024 to transpose it. More sectors, stricter requirements, and personal liability for management. Start your gap assessment now.

Reviewed for accuracy by Kodi C.

Directive (EU) 2022/2555 (NIS2) entered the Official Journal on 27 December 2022, launching an 18-month transposition period that culminates on 17 October 2024. The directive expands cybersecurity obligations to a wider set of essential and important entities, strengthens supervisory powers, and raises the bar for board accountability, supply-chain assurance, and incident reporting across the EU.

Expanded scope and classification

NIS2 covers sectors of high criticality (energy, transport, banking, financial market infrastructures, health, drinking and wastewater, digital infrastructure, public administration, and space) and other critical sectors (postal, waste management, manufacturing of critical products, digital providers, research, and food). Entities meeting size thresholds (more than 250 employees, €50 million turnover, or €43 million balance sheet total) are generally included, with some specific criteria for medium-sized enterprises and public administrations.

Member States may designate additional entities based on national risk assessments. Companies must therefore monitor national laws to see whether they are classified as essential (subject to ex ante supervision and higher fines) or important (ex post supervision). Keep records of notifications from competent authorities and maintain an entity inventory with legal identifiers, sector classification, and supervisory contacts.

Risk management and governance obligations

Article 21 prescribes baseline cybersecurity measures, including risk analysis, incident handling, business continuity, supply-chain security, secure development, vulnerability management, cryptography, and multi-factor authentication. Boards or equivalent management bodies must approve cybersecurity risk-management measures, oversee their implementation, and can be held personally liable for infringements.

Teams should integrate NIS2 requirements into enterprise risk management frameworks. Set up a cybersecurity steering committee that aligns budgets, control priorities, and risk appetite with NIS2 expectations. Document board briefings, decisions, and training programs. Evidence should include risk assessments, policy approvals, and follow-up actions.

Incident reporting regime

NIS2 mandates a staged reporting process: an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours with an initial assessment, and a final report within one month (or after root-cause analysis concludes). Entities must also notify service recipients when incidents could impact service provision.

Prepare by mapping incident response plans to NIS2 timelines, ensuring CSIRT and national authority contact details are current. Implement automated alerting to capture incident severity, affected services, geographic spread, and cross-border impacts. Tabletop exercises should simulate multi-jurisdiction incidents, testing coordination between security operations, legal, communications, and executive teams.
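As an added illustration (not code from the briefing), a small Python tracker that derives the three NIS2 reporting deadlines from the moment of awareness and flags which stage is submitted, overdue, or still open. The 30-day reading of "one month", the `Incident` structure, and the sample incident are constructed assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Staged NIS2 reporting deadlines, all measured from the moment the entity
# becomes aware of a significant incident. "One month" is read here as
# 30 days; that reading is an assumption, not text from the directive.
STAGES = (
    ("early_warning", timedelta(hours=24)),
    ("incident_notification", timedelta(hours=72)),
    ("final_report", timedelta(days=30)),
)

@dataclass
class Incident:
    ref: str
    aware_at: datetime
    submitted: dict = field(default_factory=dict)  # stage -> submission time

def deadlines(aware_at: datetime) -> dict:
    """Absolute due time for each reporting stage."""
    return {name: aware_at + delta for name, delta in STAGES}

def stage_status(inc: Incident, now: datetime) -> dict:
    """Classify each stage as submitted, submitted_late, overdue or due_in_<h>h."""
    status = {}
    for name, due in deadlines(inc.aware_at).items():
        sent = inc.submitted.get(name)
        if sent is not None:
            status[name] = "submitted" if sent <= due else "submitted_late"
        elif now > due:
            status[name] = "overdue"
        else:
            hours_left = int((due - now).total_seconds() // 3600)
            status[name] = f"due_in_{hours_left}h"
    return status

def demo() -> dict:
    """Constructed sample: aware on 1 Nov 08:00 UTC, early warning sent the
    same day, 72-hour notification never filed, checked four days later."""
    aware = datetime(2024, 11, 1, 8, 0, tzinfo=timezone.utc)
    inc = Incident("INC-0001", aware,
                   {"early_warning": aware + timedelta(hours=12)})
    return stage_status(inc, aware + timedelta(hours=96))

if __name__ == "__main__":
    for stage, state in demo().items():
        print(f"{stage:22s} {state}")
```

Feeding the same function the clock of a real incident record gives an at-a-glance view of which NIS2 notification is at risk of being missed.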

Supply-chain and third-party security

NIS2 emphasizes supply-chain risk management, requiring policies that consider the security of suppliers and service providers, including third-party ICT services. Teams should maintain vendor inventories with risk ratings, due diligence results, contract clauses, and remediation actions. Align procurement processes with ENISA guidance and sectoral expectations, using questionnaires, onsite assessments, and continuous monitoring tools.

For high-risk suppliers (for example, managed security services, cloud providers, industrial control system vendors), require independent certifications, penetration testing results, and incident-sharing agreements. Keep evidence of joint exercises, breach notification clauses, and exit strategies.

Supervision, enforcement, and penalties

Competent authorities can conduct audits, request information, carry out onsite inspections, and issue binding instructions. Essential entities face administrative fines up to the higher of €10 million or 2% of total worldwide annual turnover; important entities face fines up to €7 million or 1.4% of turnover. Member States may impose additional penalties, including temporary suspension of managers.

Maintain a regulatory engagement log documenting interactions with authorities, submissions of incident reports, remediation plans, and progress updates. Boards should review enforcement trends and allocate resources to address findings promptly.

Coordination with other frameworks

NIS2 interacts with DORA, the EU Cybersecurity Act, the proposed Cyber Resilience Act, and sectoral regulations such as the EU Aviation Security framework. Map overlapping requirements to avoid duplicated efforts. For financial entities subject to DORA, align ICT risk management, incident reporting, and third-party oversight programs. For digital infrastructure providers, harmonize NIS2 controls with cloud security certifications (for example, EUCS) and ISO/IEC 27001.

Rollout plan

  1. Scope confirmation. Identify in-scope entities, services, and subsidiaries. Engage legal teams to track national transposition drafts and confirm classification as essential or important.
  2. Gap analysis. Benchmark current policies, controls, and incident response capabilities against Article 21 requirements and ENISA good practices. Prioritize remediation projects based on business criticality and risk exposure.
  3. Governance improvements. Update board charters, management reporting templates, and escalation procedures. Schedule quarterly cybersecurity briefings covering risk posture, incident trends, and remediation status.
  4. Technical control uplift. Deploy multi-factor authentication across privileged accounts, implement network segmentation, expand log collection, and integrate vulnerability scanning with patch management. Document test results, change approvals, and rollback plans.
  5. Incident management rehearsal. Exercise playbooks for ransomware, supply-chain compromise, insider threat, and operational technology incidents. Capture lessons learned, update communication templates, and validate post-incident review processes.
  6. Supply-chain governance. Refresh third-party risk frameworks, integrate NIS2 requirements into procurement contracts, and monitor supplier remediation progress through dashboards.
  7. Training and culture. Deliver tailored training for executives, technical staff, and suppliers. Track participation, comprehension scores, and follow-up actions.
  8. Documentation and evidence. Maintain a compliance repository with policies, risk assessments, audit reports, incident logs, and supervisory correspondence ready for inspection.

Outcome metrics and assurance

Define metrics aligned with NIS2 expectations: mean time to detect/respond, percentage of critical systems covered by vulnerability management, number of supplier assessments completed, and incident severity trends. Boards should review these metrics alongside qualitative analysis of emerging threats and resource needs.

Internal audit, risk, and compliance functions must test NIS2 controls regularly. Document sampling methodology, test scripts, and remediation tracking. For high-risk areas (for example, OT environments), commission independent assessments to validate resilience. Coordinate with external auditors where cybersecurity disclosures intersect with financial reporting.

By operationalizing NIS2 requirements ahead of national deadlines, teams can reduce enforcement risk, strengthen trust with customers and regulators, and build a resilient posture that complements other EU cybersecurity initiatives.

Information-sharing and cross-border coordination

NIS2 strengthens collaboration through the CSIRTs network, the EU Cyber Crises Liaison Organisation Network (EU-CyCLONe), and coordinated vulnerability disclosure requirements. Entities should establish points of contact for these bodies, subscribe to threat intelligence feeds, and participate in information-sharing and analysis centers (ISACs) relevant to their sector. Maintain procedures for promptly sharing technical indicators with peers and authorities while protecting confidential information.

The directive also encourages voluntary sharing of cyber threats and near misses. Develop legal-approved templates for anonymized sharing, and ensure participation agreements address liability and data protection. During cross-border incidents, rehearse how to synchronize updates to multiple national authorities and the European Commission.

Documentation checklist

  • Enterprise-wide cybersecurity policies and risk assessments reflecting Article 21 measures.
  • Incident response plans with NIS2 reporting timelines, contact lists, and communication templates.
  • Supplier due diligence files, contract summaries, and remediation logs demonstrating supply-chain oversight.
  • Training records for directors, employees, and third parties covering NIS2 obligations.
  • Audit reports, penetration test findings, and follow-up actions evidencing continuous improvement.

Maintaining this documentation in a structured repository will simplify supervisory inspections and support rapid responses to information requests.

References

  1. Directive (EU) 2022/2555 — Official Journal of the European Union
  2. European Commission — New rules to strengthen cybersecurity
  3. ISO/IEC 27001:2022 — Information Security Management Systems — International Organization for Standardization