NIS2 explained: which companies are in scope and what they must do
The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) is the biggest change in European cybersecurity legislation in a decade. Each EU member state transposes it into national law, and compared to the original NIS Directive it dramatically expands the range of in-scope entities — from a few hundred organisations to an estimated tens of thousands across the EU.
Who does NIS2 apply to
The Directive distinguishes two categories of entities based on sector and size:
Essential entities — large enterprises (250+ employees or turnover above €50M) in sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water and waste water, digital infrastructure, ICT service management, public administration and space.
Important entities — medium-sized enterprises (50+ employees or turnover above €10M) in the same sectors, plus enterprises in other critical sectors: postal services, waste management, chemicals, food, manufacturing (electronics, machinery, vehicles, medical devices), digital providers and research.
Small enterprises are generally outside the direct scope — but watch out for two catches. First, exceptions exist (for example, being the sole provider of a critical service in a region). Second, in-scope entities must address supply chain security — so if you supply a company covered by NIS2, its security requirements will end up in your contract.
Not sure where you stand? Take the 2-minute NIS2 self-check.
Key obligations
- Cybersecurity risk-management measures — risk analysis, security policies, access control, encryption, backups, vulnerability management and supply chain security.
- Incident reporting — a significant incident must be reported as an early warning within 24 hours of becoming aware of it, followed by a more detailed notification within 72 hours. A final report follows within one month.
- Management accountability — management bodies approve the measures, undergo training and bear personal responsibility for violations. This is the novelty that makes cybersecurity a boardroom topic.
- Registration — in-scope entities must register with the competent national authority in their member state.
Fines
For essential entities up to €10 million or 2% of worldwide turnover, for important entities up to €7 million or 1.4% of turnover. Beyond fines, sanctions can include suspension of certifications or a temporary ban on management functions.
How to prepare: ISO 27001 as the foundation
NIS2 does not prescribe a specific framework, but its requirements overlap almost perfectly with ISO/IEC 27001 — the information security management system (ISMS) standard. Policies, risk analysis, incident management, supply chain, training — all of these are mandatory components of an ISMS. A company with a working ISO 27001 has completed a substantial part of its NIS2 homework, and the certificate serves as strong evidence of due diligence towards the regulator.
The first step is documentation: an information security policy, a risk analysis, an incident response plan and other mandatory documents. This is exactly where ISOForge can save months of work — it generates audit-ready documentation tailored to your company and helps you maintain it after certification too: a risk register, an incident log with NIS2 deadlines, a supplier register and a compliance calendar.
Summary
- NIS2 applies to medium and large companies in 18 sectors — check whether you are in scope.
- Key deadlines: 24-hour early warning, 72-hour incident notification.
- Management bears personal responsibility.
- ISO 27001 is the most direct path to compliance — start with documentation.