TLDR:

The NIS2 Directive (Directive 2022/2555) is EU cybersecurity legislation expanding the original NIS Directive (2016). Member States were required to transpose it into national law by October 2024. NIS2 covers a dramatically expanded set of “essential” and “important” entities across 18 sectors, imposing risk management obligations, incident reporting requirements, and management accountability for cybersecurity.

Scope

NIS2 applies to large and medium-sized entities in essential sectors (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, public administration, space) and important sectors (postal services, waste management, chemicals, food, manufacturing, digital providers, research). Smaller entities can also be in scope if they meet specific criteria (sole provider of an essential service, etc.). Many companies covered by NIS2 were not covered by NIS1—particularly across manufacturing, food, and digital services.

Key Obligations

NIS2 obligations include: risk management measures (policy, incident handling, business continuity, supply chain security, encryption, multi-factor authentication, asset management, vulnerability handling), executive accountability (management must approve and oversee cybersecurity measures), incident notification (24-hour early warning, 72-hour notification, 1-month final report), vulnerability disclosure coordination through CSIRTs, and registration with competent authorities. Importantly, executives can be held personally liable for failures; in some Member States this extends to banning executives from management roles.

Penalties and Enforcement

Penalties under NIS2 are substantial: up to €10 million or 2% of global turnover for essential entities, €7 million or 1.4% for important entities, with administrative fines, periodic penalty payments, and the possibility of management liability for serious failures. Compliance requires both technical measures and governance processes. For startups operating in covered sectors—especially digital services, healthcare, financial services—NIS2 compliance should be planned alongside GDPR compliance, with shared accountability for board-level cybersecurity oversight.