NIS2 Directive Requirements: What Your Organisation Must Do in 2026

NIS2 directive requirements have been legally enforceable across the EU since 18 October 2024, when Directive (EU) 2022/2555 came into effect. If your organisation operates in one of 18 covered sectors and employs 50 or more people, or exceeds €10m in annual turnover, you are almost certainly in scope. ENISA and the European Commission estimate roughly 160,000 EU entities are covered, compared to around 10,000–15,000 under NIS1. Most of them have not finished preparing.

As of early 2026, around 20 of 27 member states had adopted primary transposing legislation, according to Wavestone’s transposition tracker, though the European Commission applies a stricter standard. On 7 May 2025 it sent reasoned opinions to 19 member states for failing to notify full transposition. The Commission requires notification of all implementing measures, including secondary regulations and sector-specific rules, not just the framework law. A member state can have a primary act on the books and still draw a reasoned opinion for incomplete secondary legislation. Germany adopted its NIS2 Implementation Act (NIS2UmsuCG), which entered into force on 6 December 2025. The directive was adopted in December 2022. Brussels has learned to set its watch to member-state time.

Most companies treat cybersecurity the way most people treat insurance: until it happens to you, or to someone you know, you find other priorities. That mindset is no longer affordable in 2026. The first enforcement actions will change it. NIS2 is bigger than an IT checklist. Cybersecurity is a board-level responsibility under this directive, not an IT department problem. Higher security standards mean more stable supply chains, and they are part of a broader geopolitical goal: cyber-secure critical infrastructure across Europe and greater independence from non-EU providers.

Implementing NIS2 without grinding operations to a halt is possible. The most effective organisations automate compliance where they can, standardise processes, use managed security partners, build reusable template systems and reduce IT stack complexity. As with GDPR, most companies will do the minimum required to stay operational. Fair enough. But when a ransomware attack runs for ten days, the costs do not stay in the IT department.

NIS2 Directive Requirements Under Article 21: Ten Measures Your Organisation Must Implement

NIS2 requires all in-scope entities to implement ten categories of cybersecurity risk-management measures under Article 21. These are minimum legal requirements, and member states can add further obligations on top.

The ten measures, directly from Article 21(2): (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, backup management, disaster recovery and crisis management; (d) supply chain security, covering direct suppliers and service providers; (e) security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure; (f) policies to assess the effectiveness of risk-management measures; (g) basic cyber hygiene and cybersecurity training; (h) policies on cryptography and, where appropriate, encryption; (i) human resources security, access control and asset management; (j) multi-factor authentication or continuous authentication, plus secured communications and emergency communication systems where appropriate.

Article 21(1) includes a proportionality clause: measures must be appropriate to actual risks, accounting for size, exposure and implementation cost. How that proportionality plays out in practice depends on which category your organisation falls into. NIS2 draws a sharp line between essential entities and important entities, and that line determines your supervisory regime and maximum fine exposure. Essential entities (large organisations with 250 or more employees or €50m or more in annual turnover, operating in the 11 Annex I sectors of high criticality) are subject to ex ante supervision under Article 32: regulators can inspect proactively, without waiting for an incident or complaint. Maximum fines for essential entities reach at least €10m or 2% of global annual turnover, whichever is higher, under Article 34. Important entities (smaller Annex I organisations plus all Annex II sector entities) face ex post supervision under Article 33: authorities typically act reactively, after an incident or complaint. Maximum fines for important entities reach at least €7m or 1.4% of global annual turnover. A 60-person food manufacturer and a cloud infrastructure provider both face the same ten Article 21 categories. They do not face the same regulator standing over their shoulder.

The ENISA Technical Implementation Guidance published on 26 June 2025 provides detailed practical guidance on the cybersecurity measures defined in Commission Implementing Regulation (EU) 2024/2690. It was developed primarily for digital-sector entities, but its 13 thematic areas, evidence examples and mapping to ISO/IEC 27001 and CEN/TS 18026:2024 are a useful reference for any in-scope organisation. Organisations already certified against ISO 27001 will find the gap analysis substantially shortened. In our assessment, three to six months is a realistic closure timeline for well-scoped certifications, though actual duration depends on the age and breadth of the certificate. The hardest category in practice is supply chain: Article 21(3) requires entities to account for vulnerabilities specific to each direct supplier, which means reviewing vendor contracts and security postures, not just internal systems.

Article 20 adds a governance layer that is often missed. Management bodies (boards, C-suites and equivalent governance structures) must formally approve the cybersecurity risk-management framework and oversee its implementation. The directive makes the management body liable as an organ for infringements. Individual personal liability of executives is a matter of national implementation. Germany has gone furthest: under the NIS2UmsuCG, §38 BSIG establishes a non-delegable personal duty for managing directors to approve and supervise cybersecurity risk measures, with personal liability to the company for damages caused by culpable breach. Germany’s sanctions regime under §65 BSIG also sets fines of up to €500,000 for registration violations specifically. France, Belgium and Spain have their own national variations. Management bodies must also complete cybersecurity training. After years of saying “the board is responsible,” the Commission is now writing it into law with euro amounts attached.

Report a Significant Incident Within 24 Hours or Face Supervisory Action

Article 23 runs on a three-stage clock that starts the moment your organisation becomes aware of a significant incident. There is no grace period for investigation.

Your incident-reporting playbook needs to work at 3 a.m. on a bank holiday, because Article 23’s 24-hour clock does not care about office hours.

Within 24 hours: an early warning to your national CSIRT or competent authority, noting whether the incident is suspected malicious and whether it has cross-border impact. No detailed analysis is required at this stage.

Within 72 hours: a full incident notification updating the early warning, with an initial severity and impact assessment and indicators of compromise where available.

Within one month: a final report covering root cause analysis, threat type, mitigation measures applied and any cross-border effects. If the incident is still ongoing at the one-month mark, submit a progress report instead, then the final report within one month of handling completion.

An incident qualifies as significant under Article 23(3) if it “has caused or is capable of causing severe operational disruption of services or financial loss,” or if it “has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage.”

For digital-sector entities specifically (cloud providers, CDN operators, DNS services, online marketplaces, social-network platforms and trust service providers), Commission Implementing Regulation (EU) 2024/2690 sets quantitative thresholds: an incident is significant if direct financial loss exceeds €500,000 or 5% of total annual turnover (whichever is lower), if trade secrets are exfiltrated, or if a natural person’s health or life is at risk. Entities outside the digital sector are not formally bound by those thresholds but should treat them as a practical calibration point.

One overlap to flag: if the incident also involves personal data, GDPR’s 72-hour breach notification clock runs simultaneously. NIS2’s early-warning deadline is tighter. These also run to different authorities. NIS2 notifications go to your national CSIRT or competent authority; GDPR breach notifications go to your national data protection authority. Separate institutions, separate forms, separate reporting chains. Some national authorities have begun coordinating (Germany’s BSI and BfDI, for example), but parallel reporting is the default assumption.

Most organisations are broadly ready for incident reporting in principle. GDPR enforcement forced them to build the underlying processes. Our read: the frameworks exist, the reflex does not. NIS2’s window is 24 hours, not 72. And it runs to a different authority: your national CSIRT, not your DPA. For companies without a dedicated security team available around the clock, the honest question is whether 24/7 coverage is actually realistic. Testing the playbook before you need it is the only way to find out.
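As an added worked example (not part of the original article, and not an official tool), the following Python helper applies the Article 23 three-stage clock and the Implementing Regulation significance thresholds described above to a constructed incident. The 24-hour, 72-hour and one-month stages, the €500,000 / 5%-of-turnover (whichever is lower) loss test, the trade-secret and health-or-life triggers, and the parallel GDPR 72-hour clock to the DPA are taken from the text. The field names, the reading of “one month” as a calendar month with the day clamped (31 January becomes 28 February), and the sample figures are this example’s own assumptions. As the article notes, the quantitative thresholds formally bind digital-sector entities; others would use them as a calibration point.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Significance thresholds for digital-sector entities, as quoted from
# Commission Implementing Regulation (EU) 2024/2690 in the article above.
FINANCIAL_LOSS_ABS_EUR = 500_000
FINANCIAL_LOSS_TURNOVER_SHARE = 0.05


@dataclass
class Incident:
    """Facts an IR lead has at hand when the Article 23 clock starts.
    Field names are this example's own, not taken from the directive."""
    aware_at: datetime                 # moment the entity became aware (tz-aware)
    direct_loss_eur: float             # best current estimate of direct financial loss
    annual_turnover_eur: float         # total annual turnover of the entity
    trade_secrets_exfiltrated: bool = False
    health_or_life_at_risk: bool = False
    personal_data_involved: bool = False              # also starts the GDPR clock
    handling_completed_at: Optional[datetime] = None  # None while still ongoing


def add_one_month(ts: datetime) -> datetime:
    """One calendar month later, clamping the day (31 Jan -> 28 Feb).
    Assumption: 'one month' in Article 23 is read as a calendar month."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def is_significant(inc: Incident) -> bool:
    """Quantitative test from the Implementing Regulation: direct loss above
    EUR 500k or 5% of turnover (whichever is LOWER), trade-secret
    exfiltration, or a natural person's health or life at risk."""
    loss_threshold = min(FINANCIAL_LOSS_ABS_EUR,
                         FINANCIAL_LOSS_TURNOVER_SHARE * inc.annual_turnover_eur)
    return (inc.direct_loss_eur > loss_threshold
            or inc.trade_secrets_exfiltrated
            or inc.health_or_life_at_risk)


def reporting_deadlines(inc: Incident) -> dict:
    """Article 23 deadlines, plus the GDPR clock where it runs in parallel.
    An empty dict means no NIS2 reporting obligation is triggered."""
    if not is_significant(inc):
        return {}
    deadlines = {
        # early warning goes to the national CSIRT / competent authority
        "early_warning": inc.aware_at + timedelta(hours=24),
        "incident_notification": inc.aware_at + timedelta(hours=72),
    }
    one_month = add_one_month(inc.aware_at)
    done = inc.handling_completed_at
    if done is not None and done <= one_month:
        deadlines["final_report"] = one_month
    else:
        # still ongoing at the one-month mark: progress report first,
        # final report one month after handling completes (unknown until then)
        deadlines["progress_report"] = one_month
        deadlines["final_report"] = add_one_month(done) if done else None
    if inc.personal_data_involved:
        # separate authority (DPA), separate form, same 72-hour window
        deadlines["gdpr_breach_notification"] = inc.aware_at + timedelta(hours=72)
    return deadlines


def example_incident(completed_after_days: Optional[int] = None) -> Incident:
    """Constructed sample: awareness at 03:00 UTC on 31 January 2026,
    EUR 250k estimated loss at a EUR 4m-turnover entity (5% = EUR 200k,
    so the lower threshold applies), customer personal data involved."""
    aware = datetime(2026, 1, 31, 3, 0, tzinfo=timezone.utc)
    done = aware + timedelta(days=completed_after_days) if completed_after_days else None
    return Incident(
        aware_at=aware,
        direct_loss_eur=250_000,
        annual_turnover_eur=4_000_000,
        personal_data_involved=True,
        handling_completed_at=done,
    )


if __name__ == "__main__":
    for name, when in reporting_deadlines(example_incident()).items():
        print(f"{name:26s} {when.isoformat() if when else 'one month after handling completes'}")
```

The point of writing the check down is the ordering it makes visible: the CSIRT early warning falls due a full two days before the GDPR notification, and with a 31 January awareness time the one-month progress report lands on 28 February, not 3 March.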

Which Companies Are Actually Exempt — and the Supply-Chain Trap Most Miss

NIS2 covers 18 sectors across two annexes, but the exemptions are narrower than most companies assume, and the supply-chain provisions catch many organisations that believe they are out of scope.

Annex I lists 11 sectors of high criticality: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration and space. Annex II adds 7 further sectors: postal and courier services, waste management, chemicals, food, manufacturing (medical devices, electronics, machinery, motor vehicles), digital providers and research organisations.

The size cut-off is 50 or more employees, or annual turnover or balance sheet above €10m. Below that, a company is out of scope unless it falls into Article 2(2)’s “regardless of size” categories: public electronic communications providers, trust service providers, TLD registries, DNS service providers, sole providers of an essential service in their member state, and entities whose disruption would cause significant systemic or cross-border impact. These categories are directly bound by the directive regardless of headcount or revenue, not just subject to contractual pressure from their customers.

Explicitly excluded by the directive: public administration in national security, defence and law enforcement (Article 2(7)); micro and small enterprises below both thresholds unless Article 2(2) applies.

Financial entities in scope of DORA (Regulation (EU) 2022/2554) are the other major carve-out. DORA is lex specialis to NIS2 for ICT risk management and incident reporting. DORA covers 20 categories of financial entities under Article 2(1), including credit institutions, payment institutions, electronic money institutions, investment firms, insurance and reinsurance undertakings, crypto-asset service providers and 14 others, plus ICT third-party service providers designated as critical by the European Supervisory Authorities. Entities in those categories satisfy NIS2 Articles 21 and 23 through DORA compliance. Article 3 NIS2 (essential/important entity status), Article 27 (registration in the national register of essential and important entities), and cooperation obligations under NIS2 Chapters VI and VII still apply in full.

The supply-chain trap: most suppliers and vendors to in-scope entities are not directly bound by the directive. Article 21(2)(d) requires their clients to assess supply-chain security. In practice, that means contract-level flow-down. If you supply software, managed IT services or cloud infrastructure to an essential or important entity, NIS2 requirements will arrive via your customer’s procurement team regardless of your own formal scope status.

Five Steps In-Scope Organisations Should Complete in 2026

In-scope organisations should complete five actions as quickly as possible: confirm scope, register with their national competent authority, run an Article 21 gap analysis, build an incident-reporting playbook and get board approval in writing. Eat the frog now. Companies that start with the hardest gaps close them in months. Companies that wait for more clarity end up stuck halfway through a gap analysis when the first supervisory assessment lands.

Determine whether you are in scope

Map your sector against Annex I and Annex II using NACE codes. Apply the 50-employee / €10m threshold, remembering to aggregate linked and partner enterprises as defined under Commission Recommendation 2003/361/EC. Your competent authority is determined by your main establishment (Article 26 for digital service providers; place of establishment otherwise).

Register with your national competent authority

Deadlines are set by member state law and vary. Germany’s BSI registration deadline was 6 March 2026, three months from the NIS2UmsuCG entering into force on 6 December 2025. The BSI has publicly indicated it will not immediately sanction late registrations, but that patience is not indefinite. The three-month window for new entrants is specific to German law; timelines differ in other member states. Italy’s ACN portal opened on 1 December 2024, with general registration running through February 2025. Belgium’s general deadline passed 18 March 2025. Find your national implementing act before assuming you have time.

Run an Article 21 gap analysis using the ENISA guidance

Use the ENISA Technical Implementation Guidance (26 June 2025) as a benchmark, noting it was developed primarily for digital-sector entities covered by Implementing Regulation 2024/2690, though its framework is a useful reference for all in-scope organisations. Prioritise supply-chain security (Article 21(2)(d)), multi-factor authentication (Article 21(2)(j)) and incident-handling procedures (Article 21(2)(b)). These are the areas most likely to surface in early supervisory assessments.

Build and test your incident-reporting playbook

Document who declares a significant incident, who notifies the competent authority and where the 24-hour early-warning template lives. Run a tabletop exercise before you need it. The clock does not stop for internal escalation.

Get board approval in writing

Article 20 requires the management body to formally approve the cybersecurity risk-management framework. Minute the approval. Untrained boards and missing documentation are the easiest non-compliance for a regulator to verify.

One forward-looking note: the Commission’s 20 January 2026 amendment proposal would introduce a new “small mid-caps” category (fewer than 750 employees and €150m annual turnover or €129m balance sheet), extend coverage to submarine cable operators and European Digital Identity Wallet providers, and introduce mandatory ransomware reporting including payment details. It is a proposal, not yet law, with a 12-month transposition period envisaged after adoption, putting full effect into 2027 at the earliest. Nothing in it changes current obligations. Monitor it.

NIS2 and the EU AI Act share more overlap than most compliance teams realise. Both impose risk-management requirements, board-level accountability and incident response obligations.
