What Is the NIS2 Directive?
The Network and Information Security Directive 2 (NIS2), formally Directive (EU) 2022/2555, is the European Union's updated legislative framework for cybersecurity. It replaces the original NIS Directive (2016/1148) and was adopted by the European Parliament and Council in December 2022. Member States were required to transpose NIS2 into national law by 17 October 2024, and enforcement is now actively under way across the EU.
NIS2 was introduced because the original directive resulted in fragmented implementation across Member States, limited sectoral coverage, and insufficient enforcement mechanisms. The updated directive addresses these gaps by broadening scope, harmonising requirements, and introducing substantially higher penalties for non-compliance.
Who Does NIS2 Apply To?
NIS2 dramatically expands the number of organisations in scope. Rather than relying solely on national designation, it introduces a size-cap rule: any medium or large enterprise operating in a covered sector is automatically subject to the directive. The directive classifies entities into two tiers:
Essential Entities include organisations in sectors of high criticality:
- Energy (electricity, oil, gas, hydrogen, district heating)
- Transport (air, rail, water, road)
- Banking and financial market infrastructures
- Health (hospitals, laboratories, pharmaceutical manufacturing)
- Drinking water and wastewater management
- Digital infrastructure (DNS, TLD registries, cloud computing, data centres, CDNs, trust service providers)
- ICT service management (business-to-business managed service providers and managed security service providers)
- Public administration (central government bodies)
- Space
Important Entities cover additional critical sectors:
- Postal and courier services
- Waste management
- Chemical manufacturing, production, and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices, electronics, machinery, motor vehicles)
- Digital providers (online marketplaces, search engines, social networking platforms)
- Research organisations
The distinction matters primarily for supervision and penalties: essential entities face proactive (ex-ante) oversight as well as ex-post checks, while important entities are subject only to reactive, ex-post supervision triggered by evidence or indications of non-compliance.
Key Compliance Requirements
Article 21 of NIS2 mandates that organisations adopt appropriate and proportionate technical, operational, and organisational measures to manage cybersecurity risks. These must follow an all-hazards approach and cover, at minimum, the following areas:
Risk Management and Governance
Management bodies must approve cybersecurity risk-management measures and oversee their implementation. Crucially, NIS2 introduces personal accountability: members of management can be held liable for non-compliance. Mandatory cybersecurity training for management is also required under Article 20.
Incident Reporting
NIS2 establishes a multi-stage incident reporting framework with strict timelines:
- Early warning — within 24 hours of becoming aware of a significant incident
- Incident notification — within 72 hours, including an initial assessment of severity and impact
- Final report — within one month, with a detailed description of the incident, root cause analysis, and mitigation measures applied
Supply Chain Security
Organisations must assess and address cybersecurity risks within their supply chain, including direct suppliers and service providers. This requires due diligence in procurement, contractual security requirements, and ongoing monitoring of third-party risk posture.
Business Continuity
Measures must include backup management, disaster recovery, and crisis management procedures to ensure the continuity of essential services during and after an incident.
Additional Requirements
- Policies on the use of cryptography and, where appropriate, encryption
- Human resources security, access control, and asset management
- Multi-factor authentication (MFA) and continuous authentication solutions
- Secured voice, video, and text communications
- Vulnerability handling and disclosure policies
Penalties for Non-Compliance
NIS2 introduces a tiered penalty structure that aligns with the precedent set by the GDPR:
- Essential entities: administrative fines of up to EUR 10 million or 2% of global annual turnover, whichever is higher
- Important entities: administrative fines of up to EUR 7 million or 1.4% of global annual turnover, whichever is higher
Beyond financial penalties, national competent authorities can impose temporary suspensions of certifications or authorisations, and may prohibit individuals from exercising management functions. This personal liability provision is one of the most significant enforcement levers in NIS2.
NIS2 and ISO 27001 — A Natural Alignment
Organisations that hold or are working towards ISO/IEC 27001:2022 certification are well positioned for NIS2 compliance. The overlap is substantial: both frameworks require a risk-based approach, documented policies, incident management, access control, business continuity planning, and supplier security management.
However, ISO 27001 alone does not guarantee full NIS2 compliance. Key gaps may include:
- The specific incident reporting timelines mandated by NIS2 (24h / 72h / 1 month)
- Management body liability and mandatory training provisions
- Sector-specific requirements imposed by national transposition laws
- Participation in coordinated vulnerability disclosure schemes
Using ISO 27001 as the foundational framework and layering NIS2-specific controls on top is an efficient and widely recommended compliance strategy.
Implementation Timeline
The directive entered into force on 16 January 2023, with a transposition deadline of 17 October 2024. As of early 2026, the majority of EU Member States have adopted national implementing legislation, although some jurisdictions are still finalising specific enforcement mechanisms.
Organisations that have not yet begun compliance work should treat this as an urgent priority. National authorities are conducting audits and enforcement actions, and the regulatory landscape will continue to tighten throughout 2026.
A practical implementation roadmap includes:
- Phase 1: Determine whether your organisation falls within scope (sector, size, criticality)
- Phase 2: Perform a gap analysis against Article 21 requirements and existing controls
- Phase 3: Establish governance structures, including management body responsibilities
- Phase 4: Implement technical and organisational measures (risk management, incident response, supply chain controls)
- Phase 5: Test incident reporting procedures and integrate them into existing ISMS workflows
- Phase 6: Conduct internal audits and management reviews to verify ongoing compliance
How BALTUM Can Support Your NIS2 Compliance
BALTUM provides end-to-end support for organisations navigating NIS2 compliance. Our services include scoping assessments to determine applicability, gap analyses mapped to both NIS2 and ISO 27001, development of required policies and procedures, incident response planning, supply chain risk assessment frameworks, and management training programmes.
Whether you are building on an existing ISO 27001 ISMS or starting from scratch, BALTUM's consultants can design a compliance programme that is proportionate, efficient, and aligned with your business objectives. Contact us to schedule an initial consultation.