
NIS2: Which Organisations Are Affected and What They Must Do
The NIS2 Directive (2022/2555) significantly broadens the scope of cybersecurity regulation across the EU. Millions of organisations are now within scope, up from a few thousand under the original NIS1 Directive.
18 Sectors Covered
Highly critical sectors (Annex I) include energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration and space. Critical sectors (Annex II) include postal services, waste management, chemicals, food, manufacturing, digital providers and research.
Size Criteria
Entities with 50 or more employees, or with annual turnover above EUR 10 million, that operate in a covered sector fall within scope. Essential entities are large organisations in highly critical sectors; important entities are medium-sized organisations across all covered sectors.
Key Obligations
Compliance centres on cybersecurity governance, risk management, supply chain security, and incident notification to the national competent authority (e.g. NCSC in the UK, BSI in Germany), with a 24-hour deadline for the early warning and a 72-hour deadline for the full report.
*This article is for informational purposes only and does not constitute legal advice.*
