NIS2, the EU’s second Network and Information Systems Directive, became enforceable on October 17, 2024, the deadline for member states to transpose it into national law. It replaced the original 2016 NIS Directive with a substantially broader scope, a more prescriptive set of security obligations, and an enforcement regime sharp enough to make non-compliance a board-level financial risk rather than an IT housekeeping item.
The operational implications are still being worked through across the EU. Member-state transposition has happened on different timelines and at different levels of strictness, and the population of “essential” and “important” entities is materially larger than under NIS1. For businesses operating in, or selling into, the EU, NIS2 isn’t a future consideration. It’s a current legal obligation, and the supply chain provisions extend its reach well beyond the entities directly named.
This guide focuses on the operational side of NIS2 compliance: what the directive actually requires, who it applies to, how the incident reporting timeline works in practice, and how IT teams and MSPs can build a defensible compliance program. For the broader board-level governance angle, including personal liability for senior management, see the companion post “Whether you’re based in the EU or not, NIS2 is a board-level concern.”
Meet NIS2 obligations before your regulator asks.
Compliance Manager GRC maps your controls against NIS2’s ten security measures, tracks remediation progress, and generates the evidence documentation regulators require, across all client environments.
What is NIS2?
NIS2 (Directive (EU) 2022/2555) is the EU’s updated cybersecurity directive, published in December 2022 and required to be transposed into national law by member states by October 17, 2024. It replaces the original NIS Directive (2016) with expanded scope, more prescriptive requirements, and significantly stronger enforcement.
The directive’s purpose is straightforward. Raise the baseline of cybersecurity across the EU, ensure critical services can withstand and recover from cyber incidents, and create accountability at the leadership level rather than treating cybersecurity as a purely technical concern.
The expansion from NIS1 to NIS2 is significant. NIS1 covered a narrow set of essential services (energy, transport, water, health, digital infrastructure). NIS2 extends to 18 sectors, including manufacturing, food, chemicals, postal services, public administration, and digital providers, and it captures a much broader set of entities within each sector. National transposition laws can go further than the directive’s minimums, which means the precise compliance picture for any given business depends on the member state where it operates as well as the directive itself.
Who NIS2 applies to
NIS2 categorizes covered organizations into two tiers based on criticality, with different levels of supervisory scrutiny applied to each.
Essential entities are organizations in highly critical sectors: energy (electricity, oil, gas, district heating, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (internet exchange points, DNS, TLD registries, cloud providers, data centers, CDNs, trust service providers), ICT service management (managed services and managed security services), public administration, and space.
Important entities are organizations in other critical sectors: postal and courier services, waste management, manufacturing of critical products (chemicals, pharmaceuticals, medical devices, computers, electronics, vehicles), food production and distribution, digital providers (online marketplaces, search engines, social networking platforms), and research organizations.
Size thresholds matter. NIS2 generally applies to medium-sized enterprises (50 or more employees or €10 million or more in annual turnover) and large enterprises in the covered sectors. Micro and small enterprises are typically excluded except where they provide specific high-criticality services, where size doesn’t shield them.
MSPs are explicitly covered. NIS2 names “providers of managed services” and “providers of managed security services” as ICT service management entities in scope, recognizing the supply chain risk that MSP compromise creates for the clients those MSPs serve. The supply chain exposure also runs in the other direction. Even an organization that is not itself in a covered sector may face indirect NIS2 obligations through contractual flow-down clauses if it supplies services or products to in-scope entities.
What NIS2 requires: the ten core measures
NIS2 Article 21 requires covered entities to implement “appropriate and proportionate technical, operational, and organizational measures” to manage cybersecurity risks. The directive identifies ten minimum areas these measures must address:
1. Risk analysis and information security policies. Documented risk management processes and security policies, regularly reviewed and updated.
2. Incident handling. Documented detection, response, and recovery processes, with defined roles and communication procedures.
3. Business continuity. Backup management, disaster recovery, and crisis management capability: the ability to maintain or rapidly restore critical functions after an incident.
4. Supply chain security. Assessment and management of security risk from suppliers and service providers, including security requirements written into supplier contracts. This is the clause that explicitly covers MSP relationships.
5. Security in network and information systems acquisition, development, and maintenance. Secure development practices, vulnerability handling, and security testing.
6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures. Measure whether the controls in place are actually working. Audits, tests, and performance metrics.
7. Cybersecurity hygiene practices and training. Awareness and training for staff at all levels, not just IT.
8. Policies and procedures on the use of cryptography and, where appropriate, encryption. Encryption of data in transit and at rest where sensitivity warrants it.
9. Human resources security, access control policies, and asset management. Background screening, least-privilege access, and complete asset inventory.
10. Multi-factor authentication, continuous authentication, and secured communications. MFA on critical systems and accounts, plus secured voice, video, and text channels.
The ten areas are minimums, not a ceiling. The “appropriate and proportionate” language in Article 21 means a covered entity must address any material cybersecurity risk, even if it doesn’t fit neatly into one of the ten categories. National transposition laws sometimes spell this out more prescriptively than the directive does.
Incident reporting: the 24-hour rule
The incident reporting obligation is, in operational terms, the part of NIS2 most likely to catch organizations short. The timeline is tiered and tight.
A significant incident, defined as one with a substantial impact on service provision, has to be reported through three stages. Within 24 hours of becoming aware of the incident, the covered entity must send an early warning to the relevant national CSIRT (Computer Security Incident Response Team) or competent authority. This is an initial notification. It doesn’t require a complete investigation, but it does require the entity to know an incident has occurred and have a process to file the early warning fast enough to meet the deadline.
Within 72 hours, the entity must follow up with a fuller incident notification covering the nature, severity, and assessed impact, plus any initial indicators of compromise or root cause information available.
Within one month, a final report has to be filed with a comprehensive description of the incident, the root cause, the measures taken, and any cross-border impact.
The 24-hour early warning is the part that breaks operational reality for organizations without 24/7 monitoring. Consider what the rule actually requires. A ransomware deployment that begins at 03:00 on a Saturday morning is detected and triaged at 09:00 Monday when the office reopens. By 09:00 Monday, the early warning clock has already burned through 30 hours, and the entity is already 6 hours past the deadline. The 24-hour rule is, in effect, a continuous monitoring requirement enforced by regulatory deadline rather than by control language. Organizations relying on business-hours-only detection, or on alert routing that can sit in a queue overnight, will not meet it reliably.
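As an added illustration of the three-stage timeline and the queued-alert problem described above (example code written for this guide, not part of the original post or any Kaseya product), the following derives the 24-hour, 72-hour and one-month deadlines from the awareness timestamp and shows how much of the early-warning window an unattended alert consumes. It assumes, conservatively, that the first alert counts as the moment of awareness; the incident timestamps are constructed.

```python
from datetime import datetime, timedelta
import calendar

# NIS2 reporting windows as described above: 24 hours to the early warning,
# 72 hours to the incident notification, one month to the final report,
# all measured from the moment the entity becomes aware of the incident.
EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def add_one_month(moment: datetime) -> datetime:
    """Same calendar day one month later, clamped to the shorter month's
    last day (31 January -> 28 or 29 February), so the final-report
    deadline never silently rolls into the following month."""
    year = moment.year + moment.month // 12
    month = moment.month % 12 + 1
    day = min(moment.day, calendar.monthrange(year, month)[1])
    return moment.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime) -> dict:
    """All three filing deadlines, derived from the awareness timestamp."""
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": aware_at + INCIDENT_NOTIFICATION,
        "final_report": add_one_month(aware_at),
    }


def early_warning_budget(alert_raised_at: datetime, triaged_at: datetime) -> dict:
    """Model an alert sitting in a queue. Conservative assumption: the alert
    timestamp is the moment of awareness, so every hour before a human
    triages it is an hour taken out of the 24-hour early-warning window."""
    consumed = triaged_at - alert_raised_at
    remaining = EARLY_WARNING - consumed
    return {
        "hours_consumed": consumed.total_seconds() / 3600,
        "hours_remaining": remaining.total_seconds() / 3600,
        "deadline_missed": remaining < timedelta(0),
    }


if __name__ == "__main__":
    # Constructed scenario: alert fires Friday 31 Jan 2025 at 23:00, nobody
    # looks at it until Monday 3 Feb at 09:00 when the office reopens.
    alert, triage = datetime(2025, 1, 31, 23, 0), datetime(2025, 2, 3, 9, 0)
    for name, when in reporting_deadlines(alert).items():
        print(f"{name:22s} {when:%a %d %b %Y %H:%M}")
    print(early_warning_budget(alert, triage))
```

Run as-is, the constructed Friday-night alert has consumed 58 of the 24 available hours by Monday morning, which is the failure mode the paragraph above describes.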
Enforcement and penalties
The NIS2 enforcement regime is substantially stronger than NIS1’s, with the difference most visible in three areas.
Financial penalties scale with entity type. Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines of up to €7 million or 1.4% of global annual turnover, whichever is higher. Because the cap is based on global turnover rather than EU revenue, a multinational with a small EU footprint can still face a substantial fine.
Senior management can be held personally accountable. Member states may temporarily prohibit named individuals from holding management roles where they are found to have failed their NIS2 obligations through gross negligence. This is a meaningful shift away from cybersecurity as an IT problem, but the detailed governance implications are covered in the companion post on why NIS2 is a board-level concern.
Supervisory powers are broad. National competent authorities can conduct audits, request information and evidence, issue formal warnings, and require specific remedial security measures. Essential entities face proactive supervisory scrutiny on a regular cadence. Important entities are generally supervised reactively, in response to incidents or evidence of non-compliance.
How NIS2 fits with GDPR, ISO 27001, and DORA
NIS2 doesn’t exist in isolation. It overlaps with other regulatory and standards frameworks that EU-operating organizations are often already working toward.
GDPR
Both NIS2 and GDPR apply to organizations processing personal data in the EU, and both address incident response and organizational security. NIS2’s 24-hour early warning is tighter than GDPR’s 72-hour data breach notification, and where an incident involves both personal data and disruption to a covered service, both timelines run in parallel. Coordination between the data protection officer and the incident response lead matters: the same event has to go to two different regulators on two different clocks.
ISO 27001
ISO 27001 aligns strongly with NIS2 on risk management, incident handling, and business continuity. Certification doesn’t automatically equal NIS2 compliance, particularly on sector-specific requirements and the 24-hour reporting clock, but it provides a defensible foundation. Organizations already certified can usually map most of their existing ISMS controls to NIS2’s ten measures with documented gaps for what remains.
DORA
Financial sector entities may be subject to both NIS2 and the Digital Operational Resilience Act (DORA). DORA imposes additional ICT risk management requirements specific to financial services, and where both apply, controls should be designed to satisfy both regimes without duplicated effort. Treating DORA and NIS2 as separate compliance programs running on the same controls is a common implementation mistake.
Preparing for NIS2 compliance: a practical path
The work breaks down into five stages.
1. Determine applicability and member-state context. Confirm whether the organization is in a covered sector, whether it meets the size threshold, and which member state’s transposition law applies. For MSPs serving in-scope clients, identify which client contracts already include or imply NIS2 flow-down obligations.
2. Run a gap assessment against the ten measures. Map current controls to each of the ten Article 21 areas. Flag material gaps, particularly in 24-hour incident detection capability, supply chain security assessment, and MFA coverage on critical accounts. These are the three areas where most organizations come up short.
3. Close the highest-risk gaps first. Incident detection and notification capability is usually the most operationally urgent gap. MFA deployment across all administrative and high-value accounts is the fastest control to deploy for the size of the risk reduction it delivers. Supply chain assessment can be slower-burning but should not be deprioritized; for many organizations, the largest NIS2 enforcement risk sits in suppliers they haven’t yet reviewed.
4. Engage leadership formally. NIS2’s personal accountability provisions mean senior management cannot delegate this to IT and assume it’s handled. Brief the board on the directive’s obligations, document the conversation, and get explicit sign-off on the risk management program. Documented leadership engagement is itself part of the compliance evidence.
5. Document and evidence continuously. NIS2 compliance is evidenced, not assumed. Risk assessments, security policies, incident response runbooks, training records, supplier security assessments, and MFA deployment proofs all need to be captured and kept current. The audit trail matters as much as the controls themselves.
Compliance Manager GRC supports NIS2 gap assessment and continuous compliance management across the ten Article 21 measures, alongside the other frameworks an organization is likely to be working toward (GDPR, ISO 27001, CIS Controls, sector-specific standards). Explore Compliance Manager GRC for the operational side of running a NIS2 program across multiple frameworks at once.
NIS2 and MSPs: scope, supply chain, and contract flow-down
For MSPs, NIS2 creates obligations in two directions.
The first direction is direct. Managed services and managed security services are named ICT service management categories under NIS2. An MSP of meaningful size operating in or serving the EU is itself an essential or important entity, depending on its profile, and faces the same ten-measure obligation and the same 24-hour reporting requirement as its clients.
The second direction is indirect, through the supply chain clause. Every in-scope client of the MSP has a regulatory obligation to assess and manage the cybersecurity risk its suppliers represent. That obligation translates, in practice, into security questionnaires, evidence requests, audit rights in contracts, and required attestations. MSPs serving in-scope clients should expect, and prepare for, a significant uptick in client-driven supplier security due diligence.
The commercial opportunity sits in the same place as the obligation. Clients that have to evidence supply chain security, MFA coverage, and incident response capability across their own environments need somewhere to source those services. MSPs that can demonstrate their own NIS2 compliance posture and offer managed services aligned to the ten-measure framework are positioned to absorb that demand. Compliance Manager GRC, paired with the broader Kaseya 365 platform’s security and documentation capabilities, gives MSPs the multi-tenant infrastructure to deliver NIS2-aligned services without rebuilding a compliance practice per client.
NIS2 compliance is not a project that ends. The directive is now in force, the population of in-scope entities is being actively identified by national regulators, and the 24-hour reporting clock is running whether an organization has built the capability to meet it or not. The organizations that come out of the first wave of enforcement actions cleanly are the ones that treated NIS2 as a permanent change in the operating model rather than a temporary compliance scramble. The ones that don’t will discover, in regulator briefings rather than internal audits, exactly which of the ten measures they were thin on.
Key Takeaways
- NIS2 has been in force across the EU since the October 17, 2024 transposition deadline. It explicitly covers MSPs and managed security service providers as ICT service management entities alongside their clients in essential and important sectors.
- The ten core measures span risk assessment, incident handling, business continuity, supply chain security, MFA, encryption, training, and asset management. They are a minimum, not a ceiling, and national transposition laws can be stricter.
- The 24-hour incident early warning is the operationally hardest requirement. Without 24/7 monitoring or an MDR service, organizations cannot reliably meet it.
- NIS2 overlaps with GDPR, ISO 27001, and DORA. Treating them as separate programs running on separate controls is a common implementation mistake. A single control architecture should serve all relevant frameworks.