What is NIS2? An Executive Overview

NIS2 is the European Union's updated cybersecurity directive. It establishes a shared legal baseline for security and resilience across EU member states. The directive replaces the original NIS framework and reflects how deeply digital systems, data, and networks now support economies and public services.

Unlike voluntary standards, NIS2 creates mandatory legal obligations. Organizations that deliver essential or widely used services must meet its requirements through national laws in each member state. At a high level, the directive focuses on governing, managing, and reporting cybersecurity risk in an increasingly interconnected digital environment.

Key timing note: EU member states were required to transpose NIS2 into national law by October 17, 2024. In practice, this means many organizations are already operating under national NIS2-aligned requirements or will be as enforcement ramps up in their jurisdiction.

Why the EU introduced an updated cybersecurity directive

The original NIS framework provided a starting point, but gaps became clear over time. Cyber threats increased in scale and impact. Ransomware disrupted hospitals, transport systems, and public services. Supply chain attacks showed how a single weakness could cascade across many organizations and countries.

Enforcement also varied widely between member states. These inconsistencies created legal uncertainty and uneven levels of protection. The updated directive addresses these issues by expanding scope, clarifying expectations, and strengthening oversight. The emphasis shifts from protecting a limited set of operators to managing systemic cyber risk across connected environments.

Who is covered by NIS2?

NIS2 significantly broadens the range of organizations within scope. It classifies entities as essential or important based on sector and size, typically applying to medium and large organizations.
Essential entities include sectors such as energy, transport, healthcare, banking and financial market infrastructure, public administration, and digital infrastructure. Important entities include manufacturing, food production, waste management, and many digital and managed service providers. Some smaller organizations may also fall within scope if they provide services that are critical to society or the economy.

Because NIS2 is implemented through national law, organizations should assess applicability using both EU guidance and the rules in their specific member state.

Core obligations and expectations

The directive defines baseline expectations for cybersecurity risk management and operational resilience. Organizations must address:

- Risk assessment and mitigation
- Incident handling and reporting
- Business continuity and crisis management
- Supply chain security

The focus is on outcomes rather than prescribed technologies. Organizations choose how to meet the requirements, but governance plays a central role. Management bodies approve cybersecurity measures and oversee implementation. Cybersecurity is treated as a business risk, not just a technical concern.

NIS2 also introduces clear incident reporting duties. Organizations must notify authorities of significant incidents within defined timeframes and provide follow-up updates as investigations progress.

Penalties create real financial exposure. For certain infringements, national authorities can impose administrative fines of up to:

- €10 million or 2% of total worldwide annual turnover (whichever is higher) for essential entities
- €7 million or 1.4% of total worldwide annual turnover (whichever is higher) for important entities

Governance and accountability

NIS2 places explicit responsibility on senior management. Leaders must understand cyber risk, approve security measures, and ensure effective execution. Executives do not manage technical controls, but they are accountable for outcomes.
This approach integrates cybersecurity into standard enterprise risk management and board-level oversight. For essential entities, supervisory authorities also have stronger enforcement options. Depending on national implementation, this can include measures aimed at individuals with managerial responsibilities if an organization fails to comply with enforcement actions.

How NIS2 compares to ISO 27001

NIS2 and ISO 27001 serve different purposes. ISO 27001 is a voluntary international standard for information security management systems. Organizations adopt it to demonstrate a structured and auditable approach to security.

NIS2 is a legal requirement. It defines mandatory minimum expectations for governance, risk management, incident reporting, and resilience. Certification to ISO 27001 can support implementation, but it does not guarantee compliance. Standards help organizations structure their programs, while the directive defines the obligation.

How NIS2 compares to US cybersecurity regulation

The United States has no single equivalent to NIS2. US cybersecurity regulation follows a fragmented, sector-based model. Different rules apply to financial services, healthcare, critical infrastructure, and government systems at federal and state levels.

Many US organizations rely on voluntary frameworks such as the NIST Cybersecurity Framework. These frameworks support risk management but generally do not carry the force of law. In contrast, NIS2 applies a centralized, cross-sector legal framework across the EU.

Using frameworks to support compliance

NIS2 does not mandate a specific cybersecurity framework. It defines required outcomes. Many organizations use frameworks such as ISO 27001 or NIST CSF to organize controls, assess gaps, and apply risk-based decision-making. Frameworks support compliance efforts, but they do not replace legal requirements.

Why NIS2 matters beyond compliance

NIS2 is not only a compliance exercise.
It emphasizes resilience, recovery, and continuity. The directive assumes that incidents will occur and requires organizations to prepare for disruption and restore services effectively.

Many organizations use NIS2 as a catalyst to mature their cybersecurity practices. By aligning security investments with operational risk and business continuity, they gain value beyond regulatory adherence.

A shared baseline for managing cyber risk in the EU

NIS2 establishes a minimum cybersecurity baseline across a wide range of sectors, but it is not a complete security strategy. It defines what organizations are expected to achieve, not exactly how they must achieve it.

For compliance, risk, and executive teams, the directive provides clarity. It aligns cybersecurity with governance, accountability, and operational resilience, and it sets consistent expectations across the EU. Organizations that approach NIS2 as a foundation rather than a checklist are better positioned to adapt to evolving threats, regulatory scrutiny, and business change over time.

NIS2 establishes a minimum regulatory baseline across a wide range of sectors. It does not prescribe a complete cybersecurity strategy, but it clearly defines expectations for governance, accountability, and risk management. Organizations remain responsible for determining how these obligations are met within their own operating and regulatory contexts.