
March 31, 2026 17 min read

NIS2 explained: Compliance requirements, deadlines, and penalties


John Volles

Key Takeaway: NIS2 (Directive EU 2022/2555) is mandatory EU cybersecurity legislation covering 18 critical sectors, with the first compliance audit deadline set for June 30, 2026. Article 23 enforces a strict 24-72-30 incident reporting timeline, and Article 20 holds management bodies personally accountable. Fines reach €10M or 2% of global turnover for essential entities.

The Network and Information Security 2 (NIS2) Directive, formally Directive (EU) 2022/2555, replaced the original 2016 NIS Directive and entered into force on January 16, 2023. As of May 2026, the European Commission has referred seven Member States to the Court of Justice of the EU for failure to transpose, and the deadline for in-scope entities to complete their first NIS2 compliance audit is June 30, 2026.

What NIS2 covers and how it works

NIS2 sets a comprehensive set of rules and guidelines for managing security risks across network and information systems. It mandates an "all-hazards approach" under Article 21, meaning entities must protect systems against cyber, physical, environmental, and human threats — not just digital attacks. Core obligations include incident reporting, cybersecurity risk management, supply chain security, and management body accountability.

Implementation is overseen at the national level by competent authorities and CSIRTs, working with the European Union Agency for Cybersecurity (ENISA). ENISA's Technical Guidance (June 2025) provides specific control mappings to NIST CSF 2.0 and ISO 27001/27002, which national regulators now treat as primary evidence of compliance.

NIS2 also promotes coordinated vulnerability disclosure and information sharing between Member States, with ENISA operating an EU-wide vulnerability database for publicly known vulnerabilities in ICT products and services.

Who must comply: Essential and important entities

NIS2 applies to medium and large entities — generally those with 50+ employees or €10M+ in annual turnover — operating in 18 critical sectors. The directive splits in-scope organizations into two tiers, with different supervisory regimes and fine ceilings.

Tier | Sectors covered | Supervisory model
Essential entities | Energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space | Ex-ante and ex-post supervision; stricter fines
Important entities | Postal/courier, waste management, chemicals, food, manufacturing, digital providers, research | Ex-post supervision only; lower fine ceiling

Some entities are in scope regardless of size, including DNS providers, TLD name registries, and certain public administration bodies. Non-EU providers offering in-scope services in the EU — such as cloud services, data centers, CDNs, managed security services, and online marketplaces — must designate an EU representative under Article 26.

How NIS2 differs from the original NIS Directive

The NIS2 Directive builds on the 2016 NIS Directive but materially expands scope, harmonizes enforcement, and elevates accountability. Practitioners migrating from NIS1 programs should focus on the deltas rather than re-baselining from scratch.

Dimension | NIS (2016) | NIS2 (2022/2555)
Sectoral scope | 7 sectors | 18 critical sectors
Entity model | Operators of essential services | Essential and important entities
Scoping criteria | Member State discretion | Size-based (50+ employees or €10M+ turnover)
Incident reporting | "Without undue delay" | 24-72-30 tiered timeline
Management accountability | Limited | Personal liability under Article 20
Maximum fines | Member State discretion | €10M / 2% turnover (essential)

The 24-72-30 incident reporting timeline

Article 23 imposes a tiered reporting structure to the national CSIRT or competent authority. The window is aggressive enough that manual workflows typically miss the 24-hour mark, which is why automated detection-to-notification triggers are now considered table stakes.

  1. Early warning — within 24 hours of becoming aware of a significant incident: a concise notification to the CSIRT or competent authority.
  2. Incident notification — within 72 hours: an update with initial severity assessment, impact, and indicators of compromise.
  3. Final report — within one month: root cause analysis, mitigation measures, and cross-border impacts.

ENISA's June 2025 mapping to the European Cybersecurity Skills Framework (ECSF) flags the Cyber Legal, Policy and Compliance Officer role as the coordination point with the CISO for preparing the 24-hour early warning and briefing senior management.
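The tiered timeline is easiest to enforce when the deadlines are computed from the "became aware" timestamp rather than tracked by hand. The Python below is an added illustration, not code from the article or from any regulator or CSIRT: it derives the three Article 23 deadlines and reports, for each stage, whether it is due, overdue, submitted on time or submitted late. All timestamps are constructed sample data. Two assumptions go beyond the article's wording: the final report is anchored one month after the incident notification is actually submitted (as Article 23(4)(d) phrases it, with the 72-hour deadline used as a conservative anchor until then), and "one month" is treated as a calendar month with day clamping rather than a fixed 30 days.

```python
"""NIS2 Article 23 reporting-deadline tracker (added example, constructed data)."""
from __future__ import annotations

import calendar
from datetime import datetime, timedelta, timezone
from typing import Optional

# Windows as the article describes them: 24h and 72h from the moment of awareness.
EARLY_WARNING_WINDOW = timedelta(hours=24)
INCIDENT_NOTIFICATION_WINDOW = timedelta(hours=72)
STAGES = ("early_warning", "incident_notification", "final_report")


def _parse(iso: str) -> datetime:
    """Parse an ISO-8601 timestamp; require an explicit offset so UTC is unambiguous."""
    moment = datetime.fromisoformat(iso.replace("Z", "+00:00"))
    if moment.tzinfo is None:
        raise ValueError(f"timestamp {iso!r} must carry a timezone offset")
    return moment.astimezone(timezone.utc)


def _iso(moment: datetime) -> str:
    return moment.strftime("%Y-%m-%dT%H:%M:%SZ")


def add_one_month(moment: datetime) -> datetime:
    """Calendar-month addition with day clamping (31 Jan 2026 -> 28 Feb 2026).

    Article 23 says 'one month', not '30 days', so a fixed delta would be wrong
    for most months; this also handles the December -> January year rollover.
    """
    year_carry, month_index = divmod(moment.month, 12)   # month 12 -> (1, 0)
    year = moment.year + year_carry
    month = month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return moment.replace(year=year, month=month, day=min(moment.day, last_day))


def compute_deadlines(aware_iso: str, notification_submitted_iso: Optional[str] = None) -> dict:
    """Return the three Article 23 deadlines as ISO-8601 UTC strings.

    24h and 72h run from awareness. The final report is due one month after the
    incident notification is submitted (assumption: Article 23(4)(d) anchoring);
    until it is submitted, the 72h deadline is used as the conservative anchor.
    """
    aware = _parse(aware_iso)
    anchor = (_parse(notification_submitted_iso) if notification_submitted_iso
              else aware + INCIDENT_NOTIFICATION_WINDOW)
    return {
        "early_warning": _iso(aware + EARLY_WARNING_WINDOW),
        "incident_notification": _iso(aware + INCIDENT_NOTIFICATION_WINDOW),
        "final_report": _iso(add_one_month(anchor)),
    }


def reporting_status(aware_iso: str, submitted: dict, now_iso: str) -> dict:
    """Map each stage to (state, hours).

    state is 'submitted' (hours = margin before the deadline), 'late' (hours past
    the deadline when sent), 'due' (hours remaining) or 'overdue' (hours elapsed).
    `submitted` maps stage name -> ISO submission time for stages already sent.
    """
    deadlines = compute_deadlines(aware_iso, submitted.get("incident_notification"))
    now = _parse(now_iso)
    status = {}
    for stage in STAGES:
        deadline = _parse(deadlines[stage])
        reference = _parse(submitted[stage]) if stage in submitted else now
        margin_hours = round((deadline - reference).total_seconds() / 3600, 1)
        if stage in submitted:
            status[stage] = ("submitted", margin_hours) if margin_hours >= 0 else ("late", -margin_hours)
        else:
            status[stage] = ("due", margin_hours) if margin_hours >= 0 else ("overdue", -margin_hours)
    return status


if __name__ == "__main__":
    # Constructed sample: awareness on 31 Jan 2026; early warning and incident
    # notification both filed the same day; 'now' is mid-February.
    aware = "2026-01-31T10:00:00Z"
    sent = {"early_warning": "2026-01-31T20:15:00Z",
            "incident_notification": "2026-01-31T23:30:00Z"}
    for stage, (state, hours) in reporting_status(aware, sent, "2026-02-15T09:00:00Z").items():
        print(f"{stage:22s} {state:10s} {hours:7.1f}h")
```

Feeding this from the detection pipeline's "aware" timestamp (the SIEM alert acknowledgement, not the original intrusion time) is what turns the 24-hour window into a queryable countdown; the clamped calendar-month arithmetic matters because a 30-day delta drifts by a day or more in most months.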

Cybersecurity risk management requirements under Article 21

Article 21 mandates an all-hazards approach with a minimum set of technical and organizational measures. Entities must implement controls covering:

  • Risk analysis and information system security policies
  • Incident handling
  • Business continuity, backup management, and crisis management
  • Supply chain security, including supplier and service provider relationships
  • Security in network and information systems acquisition, development, and maintenance
  • Vulnerability handling and disclosure
  • Cryptography and, where appropriate, encryption
  • Access control, asset management, and multi-factor authentication
  • Human resources security, training, and secure communications

The directive does not name Zero Trust explicitly, but its access control, MFA, segmentation, and continuous monitoring requirements are operationally aligned with Zero Trust principles. Practitioners should document how their access architecture maps to Article 21(2)(d) and (i) rather than claiming Zero Trust as a compliance shortcut.

Supply chain security obligations

Article 21(2)(d) creates direct obligations for third-party risk: entities must assess the cybersecurity posture of direct suppliers, the quality and resilience of their products and services, and the security of supplier development practices. In practice, this means extending third-party risk management programs to include NIS2-equivalent contractual clauses, supplier incident notification obligations that allow the entity to meet its own 24-hour window, and continuous monitoring of critical ICT suppliers. The EU Cooperation Group's coordinated risk assessments of critical supply chains (such as 5G and cloud) inform sector-specific expectations.

Management body accountability and personal liability

NIS2 Article 20 holds management bodies of essential and important entities directly responsible for approving and overseeing cybersecurity risk management measures. Member States can impose personal liability — including temporary bans from management functions for executives of essential entities. Germany's December 2025 BSI Act transposition explicitly elevates NIS2 to a board-level issue with director liability. Management bodies are also required to undergo regular cybersecurity training.

This is one of the sharpest deltas from NIS1, and a primary reason internal audit and compliance teams should be briefing the audit committee on NIS2 readiness ahead of the June 30, 2026 audit deadline. Optro's on-demand webinar on DORA and NIS2 provides additional context for internal audit teams preparing for these parallel EU regimes.

Compliance requirements for in-scope businesses

Compliance with NIS2 is a legal obligation, not a voluntary posture. To meet the directive's requirements, in-scope entities must operationalize incident reporting, implement the Article 21 measures, and document management body oversight.

Practical first steps for GRC teams:

  • Assess current posture against Article 21's minimum measures and identify gaps against ENISA's June 2025 Technical Implementation Guidance.
  • Map existing controls to NIST CSF 2.0 and ISO 27001. National regulators in Italy, Belgium, Slovenia, and Ukraine accept these as primary compliance evidence.
  • Update incident response playbooks to trigger the 24-hour early warning automatically from detection systems.
  • Extend cybersecurity risk management to suppliers, including contractual clauses for incident notification and security baselines.
  • Brief the management body on Article 20 obligations and document evidence of training and oversight.

Essential entities should also track jurisdiction-specific transposition timelines. Germany transposed in December 2025; Spain remained pending publication in the BOE as of early 2026.

Administrative fines for non-compliance

NIS2 harmonizes administrative fines across Member States and distinguishes ceilings by tier.

Entity tier | Maximum fine
Essential entities | At least €10,000,000 or 2% of global annual turnover, whichever is higher
Important entities | At least €7,000,000 or 1.4% of global annual turnover, whichever is higher

Beyond fines, competent authorities can issue binding instructions, order security audits at the entity's expense, suspend certifications or authorizations, and — for essential entities — temporarily ban executives from management functions. As of May 2026, the Commission has escalated infringement proceedings against seven Member States to the CJEU, which Forrester's analysis of the referrals reads as a signal that supervisory intensity is increasing rapidly.

How NIS2 interacts with ISO 27001 and NIST CSF 2.0

ISO 27001 is a voluntary international ISMS certification standard; NIS2 is mandatory EU legislation with legal penalties. Certification alone does not confer NIS2 compliance, but ISO 27001 controls map closely to Article 21 and are explicitly referenced as compliance evidence in Belgium's CyFun framework, Slovenia's national guidelines, and ENISA's June 2025 Technical Implementation Guidance.

Across Europe, specific frameworks have emerged as recognized evidence:

  • NIST CSF 2.0 — integrated into Italy's updated National Framework for Cybersecurity; adopted by Ukraine for critical information infrastructure
  • ISO/IEC 27001 and 27002 — referenced by Belgium's CyFun, Slovenia's guidelines, and Ukraine's national standards
  • CIS Controls and IEC 62443 — used within Belgium's framework, with IEC 62443 covering OT and industrial environments

Cross-border GRC teams should maintain a single control inventory mapped to all four frameworks to demonstrate compliance efficiently across multiple jurisdictions.

The future of NIS2 and cyber resilience

NIS2 is unlikely to be the final iteration of EU cybersecurity legislation. Emerging technologies — artificial intelligence, IoT, and 5G — are reshaping the threat landscape, and Member States are still finalizing technical annexes. Practitioners should expect ENISA to continue publishing implementation guidance and sector-specific addenda, particularly around AI, OT, and supply chain risk. White & Case's 2025 analysis of enforcement developments tracks how Member State practice has diverged in the first year post-transposition.

Collaboration between the public and private sectors is also central to the directive's design. The EU Cooperation Group, ENISA, and national CSIRTs increasingly act as a coordinated supervisory network, and entities operating across multiple Member States should expect more joint inspections and coordinated enforcement actions through 2026 and beyond.

The practitioner takeaway is straightforward: integrate risk identification, assessment, response, and monitoring into a single workflow — and align controls with NIST CSF 2.0 or ISO 27001 — so that NIS2 evidence is generated as a byproduct of day-to-day operations rather than scrambled together ahead of an audit. Practitioners scaling these controls across multiple sectors often consolidate them inside a cyber risk management platform.

Frequently asked questions

Who needs to comply with NIS2?

NIS2 applies to medium and large entities — generally 50+ employees or €10M+ in annual turnover — operating in 18 critical sectors across the EU. Essential entities include energy, transport, banking, health, drinking water, digital infrastructure, ICT service management, public administration, and space. Important entities include postal services, waste management, chemicals, food, manufacturing, digital providers, and research. DNS providers, TLD registries, and certain public administration bodies are in scope regardless of size.

When did NIS2 take effect, and what are the key deadlines?

NIS2 entered into force on January 16, 2023, with a Member State transposition deadline of October 17, 2024. The deadline for in-scope entities to complete their first NIS2 compliance audit has been set at June 30, 2026. As of May 2026, the European Commission has referred seven Member States to the CJEU for failure to transpose. Germany transposed in December 2025; Spain remains pending publication in the BOE as of early 2026.

What is the NIS2 incident reporting timeline?

Article 23 requires a tiered 24-72-30 reporting structure to the national CSIRT or competent authority. Entities must submit an early warning within 24 hours of becoming aware of a significant incident, an incident notification with initial severity assessment and indicators of compromise within 72 hours, and a final report covering root cause, mitigation, and cross-border impact within one month.

Can management or board members be held personally liable under NIS2?

Yes. Article 20 holds management bodies of essential and important entities directly responsible for approving and overseeing cybersecurity risk management measures. Member States can impose personal liability, including temporary bans from management functions for executives of essential entities. Germany's December 2025 BSI Act explicitly makes NIS2 a board-level issue with personal director liability.

What is the difference between NIS2 and ISO 27001?

ISO 27001 is a voluntary international ISMS certification standard, while NIS2 is mandatory EU legislation (Directive EU 2022/2555) with legal penalties. ISO 27001 certification does not on its own confer NIS2 compliance, but its controls map closely to NIS2's Article 21 requirements and are explicitly referenced as compliance evidence in Belgium's CyFun framework, Slovenia's national guidelines, and ENISA's June 2025 Technical Implementation Guidance.

Does NIS2 require Zero Trust architecture?

NIS2 does not explicitly mandate Zero Trust by name, but Article 21's required measures — strict access control, MFA, network segmentation, continuous monitoring, and identity-based authentication — are operationally aligned with Zero Trust principles. ENISA's Technical Implementation Guidance and several national frameworks (including Belgium's CyFun) treat Zero Trust as a recommended approach to satisfying access control and asset management requirements.

Does NIS2 apply to non-EU companies?

Yes, in specific categories. Non-EU entities offering in-scope services in the EU — including DNS service providers, TLD name registries, cloud services, data centers, content delivery networks, managed services, managed security services, online marketplaces, search engines, and social networking platforms — must designate an EU representative under Article 26. That representative's Member State becomes the competent jurisdiction for supervision.

About the authors


John Volles, CISA, is a Director of Information Security Compliance responsible for managing Optro’s compliance, risk, and privacy obligations as well as helping customers understand Optro’s security posture and position. John joined Optro from EY, where he reviewed and implemented client compliance programs and supporting technologies. Connect with John on LinkedIn.
