NIS2 Guide

Complete NIS2 Guide 2025

Obligations, affected sectors, sanctions and compliance roadmap. Everything UK and European businesses need to know about the NIS2 Directive.

1. What is NIS2?

The original NIS Directive (Network and Information Security), adopted in 2016, was the European Union's first binding legislation on cybersecurity. It required Member States to designate competent national authorities and establish minimum security requirements for operators of essential services and digital service providers. While it laid the groundwork for a common approach, its uneven implementation across countries exposed significant gaps in harmonisation.

In response to rapidly evolving cyber threats and persistent fragmentation between Member States, the EU adopted the NIS2 Directive, Directive (EU) 2022/2555, which was published in the Official Journal of the European Union on 27 December 2022 and entered into force on 16 January 2023. This legislation comprehensively overhauled the previous framework: it substantially broadened the scope of covered entities, strengthened security obligations, increased sanctions, and mandated enhanced cooperation between national authorities. Member States had until 17 October 2024 to transpose its provisions into national law, and the Directive has applied from 18 October 2024. Transposition has been late in a number of Member States, so the precise obligations, deadlines and competent authorities depend on the national law of each country in which an entity operates.

The United Kingdom is no longer bound by EU directives post-Brexit. The original NIS Directive remains in UK law as the NIS Regulations 2018, and the government has introduced the Cyber Security and Resilience Bill to update that regime along lines broadly comparable to NIS2, with sector regulators enforcing it and the National Cyber Security Centre (NCSC) acting as the national technical authority. UK businesses that provide in-scope services in the EU fall under the NIS2 transposition of the relevant Member State, and certain digital service providers established outside the EU (for example cloud, DNS and managed service providers) must designate a representative in the EU. UK suppliers to EU-regulated entities are not regulated directly, but can expect NIS2 supply chain requirements to be passed down to them contractually. It is advisable to monitor both frameworks and align security practices accordingly.

2. Who is affected?

NIS2 distinguishes between two categories of entities subject to obligations: Essential Entities (EE) and Important Entities (IE). This distinction determines the level of supervisory oversight and the applicable sanctions; the security measures required under Article 21 are the same for both. Size thresholds follow the EU SME definition. Essential Entities are large organisations (250 or more employees, or annual turnover above €50 million and a balance sheet total above €43 million) operating in the highly critical sectors of Annex I. Important Entities are medium-sized organisations (50 or more employees, or annual turnover or balance sheet total above €10 million) in Annex I or Annex II sectors, together with large organisations in Annex II sectors. Some entities are in scope regardless of size, for example DNS service providers, TLD name registries, trust service providers and central government bodies, and Member States may designate further entities individually.

The Directive covers 18 sectors split across two annexes. Annex I (highly critical sectors) includes: energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (business-to-business), public administration, and space. Annex II (other critical sectors) adds: postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (including medical devices, computers and electronics, electrical equipment, machinery and vehicles), digital providers (online marketplaces, search engines and social networking platforms), and research organisations.

Even if your organisation does not fall directly under a covered sector, you may still be affected if you supply services or products to an Essential or Important Entity. NIS2 requires in-scope entities to ensure that their critical suppliers also maintain an adequate level of security, in practice through contractual clauses, security questionnaires, and audits.

3. Concrete obligations

Article 21 of the NIS2 Directive requires in-scope entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks to their network and information systems. Article 21(2) lists ten minimum measures; together with the management duties of Article 20 and the incident reporting duties of Article 23, they can be grouped into the eight core obligations below. Measures must be proportionate to the entity's exposure to risk, its size, and the likelihood and severity of incidents, including their societal and economic impact.

First, governance and management accountability (Article 20): management bodies must approve the cybersecurity risk management measures, oversee their implementation, follow cybersecurity training themselves, and can be held liable for infringements. Second, cybersecurity risk management: regular risk assessments, identification of critical assets, and a documented security policy. Third, supply chain security: evaluation and oversight of critical suppliers through contractual clauses, security questionnaires, and audits for the most critical vendors.

Fourth, incident management and notification (Article 23): an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours (including an initial assessment of severity and impact and, where available, indicators of compromise), and a final report within one month of the incident notification. Fifth, business continuity: formalised and regularly tested business continuity plans (BCP) and disaster recovery plans (DRP), including backup management. Sixth, human resources security: background checks for sensitive roles, cybersecurity training, and immediate revocation of access upon departure. Seventh, use of cryptography: policies on the use of cryptography and, where appropriate, encryption of sensitive data in transit and at rest, with documented key management and certificate lifecycle procedures. Eighth, access control and authentication: multi-factor or continuous authentication solutions where appropriate, in practice on all remote, privileged and critical-system access, and an IAM policy based on the principle of least privilege.

4. Sanctions and enforcement

NIS2 establishes a significantly more stringent sanctions regime than its predecessor. Maximum fines are set as the higher of a fixed ceiling and a percentage of total worldwide annual turnover in the preceding financial year, so that the ceiling scales with the size of the entity. For Essential Entities, the maximum fine is €10,000,000 or 2% of global annual turnover, whichever is higher. For Important Entities, it is €7,000,000 or 1.4% of global annual turnover, whichever is higher. Fines may be combined with the other enforcement measures described below.

A major innovation compared to NIS1 is the introduction of personal liability for senior managers in the event of serious breaches of cybersecurity obligations. Member States may impose individual sanctions against natural persons holding management functions within Essential Entities, up to and including a temporary ban on exercising management roles. This provision is designed to ensure that governance bodies take direct responsibility for cybersecurity policy.

The competent national authorities designated by each Member State hold broad supervisory and enforcement powers: on-site inspections and off-site supervision, regular and targeted security audits, security scans, requests for information and evidence, binding instructions with deadlines, and the power to make aspects of non-compliance public (name and shame). For Essential Entities, supervision is ex ante: audits and inspections may be initiated proactively without a prior incident having occurred. Important Entities are supervised ex post, that is, following evidence or indications of non-compliance. In the UK, the equivalent powers under the NIS Regulations 2018 sit with the sector competent authorities rather than with the NCSC, which is the national technical authority and not a regulator.

5. How to comply

Achieving NIS2 compliance is a multi-month organisational project. The following five-step plan is based on ENISA guidance and early compliance experience across European organisations.

Step 1 (months 1-2) — Asset mapping: identify and catalogue all digital assets (servers, applications, network equipment, workstations, cloud access) and classify them by business criticality. Step 2 (months 2-3) — Risk assessment: conduct a risk analysis identifying threats, vulnerabilities, and potential impacts for each critical asset, using a structured methodology such as ISO 27005 or NCSC's CAF. Step 3 (months 3-6) — Implement controls: deploy technical and organisational measures prioritised by your risk assessment (MFA, encryption, network segmentation, patch management, backups, incident detection) and document each measure implemented.

Step 4 (months 6-9) — Staff training: raise awareness across all staff on cyber risks and best practices; provide targeted training for IT teams on new incident detection and notification procedures; include senior leadership in governance and NIS2 liability training. Step 5 (ongoing) — Audit and continuous improvement: schedule regular internal and external audits, update your risk assessment at least annually or after any major change, test your business continuity plan through crisis simulation exercises, and maintain up-to-date documentation of all compliance activities.

6. Official resources

Several official resources will help you deepen your understanding of NIS2 and begin your compliance journey.

The full text of Directive (EU) 2022/2555 is available on EUR-Lex, the official online portal for EU law, which carries the Official Journal of the European Union. The NCSC (National Cyber Security Centre) publishes practical guidance, the Cyber Assessment Framework (CAF), and sector-specific advice on its website (ncsc.gov.uk). ENISA (the EU Agency for Cybersecurity) provides technical guidelines and implementation recommendations for Member States and in-scope entities.

For UK organisations subject to the domestic Cyber Security and Resilience Bill, the NCSC's CAF provides a structured compliance framework aligned with NIS2 principles. For risk management methodology, ISO/IEC 27005 and the NCSC's risk management guidance are well-suited frameworks to meet the risk analysis requirements of NIS2.