Try for free

NIS2 explained: which companies are in scope and what they must do

The NIS2 Directive (Network and Information Security 2, Directive (EU) 2022/2555) is the biggest change in European cybersecurity legislation in a decade. Each EU member state transposes it into national law, and compared to the original NIS Directive it dramatically expands the range of in-scope entities — from a few hundred organisations to an estimated tens of thousands across the EU.

Who does NIS2 apply to

The Directive distinguishes two categories of entities based on sector and size:

Essential entities — large enterprises (250+ employees or turnover above €50M) in sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water and waste water, digital infrastructure, ICT service management, public administration and space.

Important entities — medium-sized enterprises (50+ employees or turnover above €10M) in the same sectors, plus enterprises in other critical sectors: postal services, waste management, chemicals, food, manufacturing (electronics, machinery, vehicles, medical devices), digital providers and research.

Small enterprises are generally outside the direct scope — but watch out for two catches. First, exceptions exist (for example, being the sole provider of a critical service in a region). Second, in-scope entities must address supply chain security — so if you supply a company covered by NIS2, its security requirements will end up in your contract.

Not sure where you stand? Take the 2-minute NIS2 self-check.

Key obligations

  1. Cybersecurity risk-management measures — risk analysis, security policies, access control, encryption, backups, vulnerability management and supply chain security.
  2. Incident reporting — a significant incident must be reported as an early warning within 24 hours of becoming aware of it, followed by a more detailed notification within 72 hours. A final report follows within one month.
  3. Management accountability — management bodies approve the measures, undergo training and bear personal responsibility for violations. This is the novelty that makes cybersecurity a boardroom topic.
  4. Registration — in-scope entities must register with the competent national authority in their member state.

Fines

For essential entities up to €10 million or 2% of worldwide turnover, for important entities up to €7 million or 1.4% of turnover. Beyond fines, sanctions can include suspension of certifications or a temporary ban on management functions.

How to prepare: ISO 27001 as the foundation

NIS2 does not prescribe a specific framework, but its requirements overlap almost perfectly with ISO/IEC 27001 — the information security management system (ISMS) standard. Policies, risk analysis, incident management, supply chain, training — all of these are mandatory components of an ISMS. A company with a working ISO 27001 has completed a substantial part of its NIS2 homework, and the certificate serves as strong evidence of due diligence towards the regulator.

The first step is documentation: an information security policy, a risk analysis, an incident response plan and other mandatory documents. This is exactly where ISOForge can save months of work — it generates audit-ready documentation tailored to your company and helps you maintain it after certification too: a risk register, an incident log with NIS2 deadlines, a supplier register and a compliance calendar.

Summary

Need ISO documentation?

ISOForge generates audit-ready documentation tailored to your company — in English, at a fraction of consultant cost.

Learn more