TL;DR
  • NIS2 is fully enforceable across EU member states. National competent authorities are conducting their first major audit cycles now. Non-compliance is not a future risk — it is a present one.
  • Scope is broad: essential entities (energy, health, transport, banking, water, digital infrastructure) and important entities (postal, waste, food, chemicals, manufacturing, digital providers) with 50+ employees or €10M+ turnover.
  • Article 21 mandates 10 minimum security measures including risk analysis, incident response, business continuity, supply chain security, and cryptography. Each must be documented and evidenced.
  • Incident reporting has three stages: 24-hour early warning, 72-hour formal notification, and a one-month final report. Missing any stage is a separate compliance failure.
  • Penalties reach €10 million or 2% of global annual turnover for essential entities. Management liability is personal under Article 20.

The EU’s Network and Information Security Directive 2 — NIS2 — entered into force in January 2023 with a transposition deadline of October 2024. As of mid-2026, every EU member state has transposed the directive into national law. National competent authorities (NCAs) have established their supervisory regimes and are conducting their first structured audit cycles. For the organisations in scope, this is no longer a compliance preparation exercise. It is a live enforcement environment.

NIS2 represents a substantial expansion of scope and teeth compared to the original NIS Directive. The original directive covered seven “operators of essential services” sectors and a narrow set of digital service providers. NIS2 expands to 18 sectors, lowers the size thresholds that trigger coverage, introduces personal liability for management bodies, and raises maximum penalties to a level comparable with GDPR. It also adds explicit requirements around supply chain security, cryptography, and multi-factor authentication that were absent from the original.

This article explains who is in scope, what the 10 minimum security measures actually require, what the incident reporting timeline looks like in practice, and provides a structured checklist that compliance teams can use to assess their current posture against NIS2’s requirements.

Who is in scope: essential vs important entities

NIS2 creates two tiers of covered entities with different supervisory regimes and penalty levels. The distinction matters because essential entities face proactive, ex-ante supervision — meaning authorities can audit them at any time — while important entities face reactive, ex-post supervision triggered by incidents or complaints. Both tiers are subject to the same substantive security requirements under Article 21.

NIS2 scope overview — essential vs important entities
Sector Tier Size threshold Max penalty
Energy (electricity, oil, gas, hydrogen) Essential 250+ employees or €50M+ turnover €10M / 2% turnover
Transport (air, rail, water, road) Essential 250+ employees or €50M+ turnover €10M / 2% turnover
Banking & financial market infrastructure Essential 250+ employees or €50M+ turnover €10M / 2% turnover
Health (hospitals, labs, pharma, med devices) Essential 250+ employees or €50M+ turnover €10M / 2% turnover
Drinking water & wastewater Essential Any size €10M / 2% turnover
Digital infrastructure (DNS, TLD, IXP, cloud, CDN, data centres, trust services, public comms networks) Essential Any size (DNS/TLD/trust); 250+ for others €10M / 2% turnover
Postal & courier services Important 50+ employees or €10M+ turnover €7M / 1.4% turnover
Waste management Important 50+ employees or €10M+ turnover €7M / 1.4% turnover
Chemicals production & distribution Important 50+ employees or €10M+ turnover €7M / 1.4% turnover
Food production, processing & distribution Important 250+ employees or €50M+ turnover €7M / 1.4% turnover
Manufacturing (medical devices, electronics, machinery, motor vehicles) Important 250+ employees or €50M+ turnover €7M / 1.4% turnover
Digital providers (online marketplaces, search engines, social networks) Important 50+ employees or €10M+ turnover €7M / 1.4% turnover
Research organisations (public sector) Important Member state discretion €7M / 1.4% turnover
Micro enterprises (<50 employees, <€10M) Out of scope

Note that the size thresholds apply at the entity level, not the group level. A subsidiary of a large corporation that itself employs fewer than 50 people and turns over less than €10 million may be out of scope even if its parent group is an essential entity — though NCAs have discretion to extend coverage where smaller entities perform critical functions. Some member states have also exercised their discretion to extend NIS2 obligations to entities below the thresholds where they consider them critical to national infrastructure.

The most important scope question for professional services firms is whether they qualify as digital providers or as part of the supply chain of essential entities. A managed security services provider, a cloud platform used by hospitals, or a software vendor supplying critical infrastructure is almost certainly in scope regardless of size. The supply chain provisions in NIS2 mean that even out-of-scope companies may face contractual NIS2 requirements from their essential-entity customers.

The Article 21 minimum security measures

Article 21 of NIS2 sets out the minimum technical and organisational measures that all covered entities must implement. The measures are not exhaustive — entities must take “appropriate and proportionate” measures based on their risk profile — but these ten areas are the explicit floor that supervisors will check against.

MEASURE 01

Cybersecurity risk analysis and information system security policies

Documented risk management framework covering assets, threats, vulnerabilities, and risk treatment decisions. Must be reviewed at defined intervals and following significant incidents. Policies must be approved by management and cover all systems used in service delivery.

MEASURE 02

Incident handling and reporting procedures

Documented incident response plan including detection, classification, escalation, containment, eradication, recovery, and post-incident review procedures. Must include explicit integration with NIS2’s three-stage reporting timeline to the national CSIRT.

MEASURE 03

Business continuity, backup management, and disaster recovery

Documented BCP and DRP with tested recovery time objectives (RTOs) and recovery point objectives (RPOs). Backup procedures must be tested, geographically separated, and include recovery of critical systems within defined timeframes. Crisis management procedures must address cybersecurity incidents specifically.

MEASURE 04

Supply chain security including third-party relationships

Assessment of cybersecurity risks posed by direct suppliers and service providers. Contractual security requirements for critical suppliers. Inventory of suppliers with access to systems or data. This is one of the most operationally demanding requirements and is discussed separately below.

MEASURE 05

Security in network and information systems acquisition, development, and maintenance

Secure development practices, vulnerability management, patch management, and security testing procedures. Covers both in-house development and purchased software. Requires procedures for handling vulnerabilities in network and information systems.

MEASURE 06

Policies and procedures to assess effectiveness of cybersecurity risk management

Defined KPIs and KRIs for cybersecurity. Regular reviews of security measure effectiveness. Internal audit or equivalent assessment function. Management reporting on cybersecurity posture at defined intervals.

MEASURE 07

Basic cyber hygiene practices and cybersecurity training

Documented and evidenced cybersecurity awareness programme covering all staff. Training at onboarding and at regular intervals. Specific training for roles with elevated access or security responsibilities. Cyber hygiene baseline covering password management, phishing awareness, device security, and software updates.

MEASURE 08

Policies and procedures regarding cryptography and encryption

Documented cryptography policy covering algorithms, key lengths, key management, and certificate lifecycle. Encryption of data at rest and in transit. The European Union Agency for Cybersecurity (ENISA) guidance references current NIST and ECRYPT-CSA recommendations as the algorithm baseline — which now explicitly includes post-quantum algorithms for long-lived data.

MEASURE 09

Human resources security, access control policies, and asset management

Joiners/movers/leavers procedures. Principle of least privilege enforced and documented. Multi-factor authentication for remote access, administrative interfaces, and access to sensitive data. Asset inventory covering hardware, software, data assets, and cloud services. Background screening procedures for roles with elevated access.

MEASURE 10

Use of multi-factor authentication, secured communications, and secure emergency communications

MFA mandatory for all remote access to network and information systems. Encrypted communications for sensitive internal and external communications. Out-of-band communication channel for incident response and emergency coordination that is independent of primary systems.

Supply chain obligations: what NIS2 actually requires

Supply chain security under NIS2 (Article 21(2)(d)) is one of the areas where organisations are most often caught under-prepared. The requirement is not simply to have a supplier questionnaire. It requires a structured programme that includes: identification of all direct suppliers and service providers that have access to or influence over your network and information systems; assessment of the cybersecurity practices of those suppliers; and contractual requirements that flow your NIS2 obligations down to critical suppliers.

In practice, this means a covered entity needs to maintain a supplier inventory that includes the supplier’s access level, the criticality of the supplier to service delivery, and an assessment of the supplier’s security posture. For critical suppliers, this should include evidence of the supplier’s own security certifications (ISO 27001, SOC 2 Type II), contractual rights to audit, and incident notification obligations that give the covered entity at least enough notice to meet its own 24-hour early warning deadline.

The supply chain provisions also have an extraterritorial reach implication. If you are a professional services firm supplying an essential entity in Germany, even if you are based outside the EU, your customer’s NIS2 supply chain obligations require them to assess your security posture. Increasingly, NIS2-covered customers are requiring their suppliers to demonstrate NIS2-equivalent security practices as a condition of contract renewal. This creates de facto NIS2 obligations for many out-of-scope firms.

Incident reporting: the three-stage timeline

NIS2 Article 23 creates a three-stage incident reporting obligation that is more demanding than most organisations appreciate until they actually experience a significant incident.

NIS2 incident reporting — three-stage timeline
T+0

Incident detected or becomes known

The clock starts when the entity becomes aware of a “significant incident” — defined as one that causes or is capable of causing severe operational disruption, financial loss, or impact to other persons. Note: the clock starts at awareness, not at the time of the incident itself.

T+24h

Early warning to national CSIRT or NCA

Must indicate whether the incident is suspected to be the result of unlawful or malicious action, whether it has or may have cross-border impact, and its severity. This is a preliminary notification — you do not need the full picture. Failure to notify within 24 hours is itself a compliance breach, separate from the underlying incident.

T+72h

Incident notification to national CSIRT or NCA

Full notification including: initial assessment of severity and impact; type of incident and likely cause if known; applied and ongoing mitigation measures; cross-border impact assessment. Updates to earlier information must be included. If the incident is ongoing, progress on investigation and containment must be described.

T+1 month

Final incident report to national CSIRT or NCA

Detailed description of the incident including severity and impact; root cause analysis; mitigation measures applied; cross-border impact if any; and lessons learned. For ongoing incidents, an interim report may be submitted at the one-month point with a final report within one month of resolution.

The practical implication is that organisations need to pre-build their incident reporting process before an incident occurs. The 24-hour window is too short to draft a reporting template, identify the correct CSIRT contact, establish an escalation chain, and draft a notification from scratch while simultaneously managing an active incident. Most organisations that have tested this in tabletop exercises find that without prior preparation, they miss the 24-hour window.

Covered entities are also required to notify affected recipients of their services “without undue delay” where the incident is likely to adversely affect them. This is separate from the CSIRT reporting obligation and may need to happen within hours, not days, depending on the nature of the incident. The overlap between NIS2 breach notification and GDPR Article 33/34 notification (where personal data is involved) adds further complexity — the timelines and recipients differ, and both apply simultaneously to incidents affecting personal data on covered systems.

Penalty exposure: Under NIS2, national competent authorities can impose administrative fines of up to €10 million or 2% of total worldwide annual turnover (whichever is higher) on essential entities, and €7 million or 1.4% of turnover on important entities. Article 20 introduces personal liability for management bodies — board members and executives can be held personally responsible for infringements and prohibited from exercising managerial functions. This is a significant escalation from the original NIS Directive and brings NIS2 enforcement closer to GDPR in terms of individual accountability.

Management body obligations under Article 20

One of the most significant innovations in NIS2 compared to its predecessor is the explicit personal accountability of management bodies. Article 20 requires that management bodies of essential and important entities approve the cybersecurity risk management measures and oversee their implementation. Management body members who breach these obligations can be held personally liable.

This means that NIS2 compliance is not a function that can be delegated entirely to an IT or security team and signed off at arm’s length by the board. Management bodies must receive regular cybersecurity training sufficient to understand the risks their organisation faces and the adequacy of their risk management measures. They must be able to demonstrate engagement with cybersecurity risk at a strategic level, not just sign off on a policy document once a year.

In practical terms, this requires organisations to build cybersecurity reporting into their board-level governance cycle, ensure that board members receive structured cybersecurity awareness training at least annually, and document board oversight of the cybersecurity programme. NCAs conducting supervisory reviews will look for evidence of management body engagement — board minutes, training records, and cybersecurity agenda items are all discoverable.

Practical NIS2 compliance checklist

The following checklist is structured around the Article 21 measures and the key procedural obligations in Articles 20 and 23. It is designed to be used as an internal gap assessment tool, not as a substitute for legal advice on your specific circumstances.

Governance & management body (Article 20)
  • Management body has formally approved the cybersecurity risk management framework in writing, with dated sign-off
  • Board-level cybersecurity reporting is in place — minimum quarterly, covering material risks and incidents
  • All management body members have completed NIS2-relevant cybersecurity awareness training in the past 12 months
  • A named individual (CISO or equivalent) has documented responsibility for NIS2 compliance
  • Personal liability implications of Article 20 have been briefed to all management body members by legal counsel
Risk analysis & security policies (Measure 01)
  • Asset inventory covering all network and information systems used in service delivery, maintained and dated
  • Documented cybersecurity risk assessment with threat identification, vulnerability assessment, and risk treatment decisions
  • Information security policies approved by management, version-controlled, and reviewed in the past 12 months
  • Risk assessment reviewed following any significant change to systems or threat landscape
  • Residual risk formally accepted by management with documented rationale
Incident handling & reporting (Measures 02, Article 23)
  • Incident response plan documented, tested, and dated within the past 12 months
  • “Significant incident” classification criteria defined and documented, aligned with NIS2 recitals
  • 24-hour early warning process documented with named owner and pre-drafted notification template
  • 72-hour full notification process documented with named owner and template
  • One-month final report process documented
  • National CSIRT contact details and notification portal access confirmed and tested
  • Escalation chain for out-of-hours incidents defined and communicated to relevant staff
  • Process for notifying affected service recipients documented and tested
  • GDPR Article 33 notification process mapped against NIS2 timeline — no conflicts or gaps
Business continuity & recovery (Measure 03)
  • Business continuity plan covering cybersecurity-specific scenarios documented and tested
  • Disaster recovery plan with tested RTOs and RPOs for critical systems
  • Backup procedures documented, tested, and covering all critical systems and data
  • Backup restoration tested within the past 12 months with documented results
  • Geographically separated backup storage confirmed
  • Out-of-band crisis communication channel available and tested (does not rely on primary systems)
Supply chain security (Measure 04)
  • Supplier inventory maintained covering all direct suppliers with access to or influence over systems
  • Supplier criticality classification defined (critical, important, standard)
  • Security assessments completed for all critical suppliers in the past 12 months
  • Contractual security requirements included in all critical supplier contracts (incident notification, right to audit, data security obligations)
  • Critical supplier contracts include 24-hour incident notification to you, enabling your own reporting deadline compliance
  • Supplier security review scheduled and tracked as part of the procurement renewal cycle
Cryptography, access control & MFA (Measures 08, 09, 10)
  • Cryptography policy documented covering approved algorithms, key lengths, and key management procedures
  • Encryption of data at rest confirmed for all systems holding sensitive or personal data
  • Encryption of data in transit confirmed for all external and internal communications carrying sensitive data
  • MFA enforced for all remote access to systems — no exceptions for named accounts or legacy systems
  • MFA enforced for all administrative interfaces and privileged access paths
  • Access control policy documented with principle of least privilege enforced
  • Joiners/movers/leavers process documented with defined timelines for access revocation
  • Asset inventory covering hardware, software, data assets, and cloud services maintained and dated

October 2026 enforcement focus: Based on NCA public statements and ENISA guidance, the priority areas for initial supervisory attention in the current cycle are: management body accountability evidence, incident reporting capability (can you actually hit the 24-hour window?), supply chain security documentation, and MFA deployment. If you are behind on all four, prioritise MFA and incident reporting — they are the fastest to evidence and the most likely to be tested by an actual incident before your broader programme is complete.

What to do if you are behind

If an assessment against the checklist above reveals significant gaps, the approach that NCAs have indicated they expect is not perfection before October — it is a documented, managed programme with evidence of progress. NCAs have been explicit in guidance from Germany’s BSI, France’s ANSSI, and the Netherlands’ NCSC that they will take a risk-proportionate approach to early enforcement, with organisations that can demonstrate good-faith compliance efforts and a credible remediation timeline receiving more latitude than those with no programme at all.

The minimum credible response to a gap assessment is: a documented risk assessment acknowledging the gaps, a prioritised remediation plan with owners and deadlines, and evidence of management body approval and oversight of that plan. This does not eliminate your compliance obligation, but it demonstrates the good-faith engagement that NIS2’s proportionality principle recognises.

For organisations that are significantly behind, prioritise in this order: MFA (highest impact on breach risk, fastest to deploy), incident reporting process (next incident will expose the gap immediately), supply chain inventory (takes time to build, and auditors check it early), and management body training (required before the first supervisory review). Security policies, risk assessments, and BCP/DRP documentation can follow once the operational controls are in place, but do not wait on documentation — start both tracks simultaneously.

NIS2 requires documented security controls. HubSecure provides them built-in.

Access control, MFA, encrypted communications, audit logs, incident tracking, and supply chain risk assessment — HubSecure covers NIS2’s Article 21 measures by design, not by bolt-on. Built for regulated teams that cannot afford to fail a supervisory review.

Reserve your founding seat