EU Directive 2022/2555

NIS2 Directive

The Network and Information Security Directive 2 strengthens cybersecurity requirements across the EU. Member States had to transpose it into national law by October 17, 2024, and the obligations on essential and important entities apply from October 18, 2024; exactly when and how they bite on a given organization depends on that Member State's transposing law.

  • €10M or 2% of global annual turnover: minimum fine ceiling for essential entities (whichever is higher)
  • 24 hours: early warning, the initial notification of a significant incident
  • 18 sectors covered, split between essential and important entities
  • October 17, 2024: transposition deadline

Who Must Comply with NIS2?

NIS2 significantly expands the scope of organizations that must comply with EU cybersecurity requirements.

Essential Entities

Same risk-management measures as important entities, but proactive (ex ante) supervision such as regular audits and security scans, and a higher fine ceiling

  • Energy (electricity, district heating and cooling, oil, gas, hydrogen)
  • Transport (air, rail, water, road)
  • Banking & financial market infrastructures
  • Health sector
  • Drinking water & wastewater
  • Digital infrastructure
  • ICT service management (business-to-business managed service and managed security service providers)
  • Public administration
  • Space

Important Entities

Same security and reporting obligations; reactive (ex post) supervision, triggered by evidence of non-compliance, and a lower fine ceiling

  • Postal & courier services
  • Waste management
  • Manufacture, production & distribution of chemicals
  • Food production, processing & distribution
  • Medical device manufacturing
  • Computer, electronics & electrical equipment manufacturing
  • Digital providers (online marketplaces, online search engines, social networking platforms)
  • Research organizations

Size threshold: NIS2 generally applies to medium-sized enterprises (50 or more employees, or annual turnover or balance sheet above €10M) and large enterprises in the sectors above. Size also decides the tier: large enterprises (250 or more employees, or turnover above €50M and balance sheet above €43M) in the first group of sectors are essential entities, while medium-sized ones in those sectors, and entities of either size in the second group, are important entities. Some entities are covered regardless of size, for example DNS service providers, top-level domain name registries, qualified trust service providers, providers of public electronic communications networks, and an entity that is the sole provider in a Member State of a service essential to critical societal or economic activities.

Key NIS2 Requirements

Article 21 of NIS2 requires essential and important entities to take appropriate and proportionate technical, operational and organizational measures, following an all-hazards approach. Its minimum list has ten items; the six below are the ones security, supply-chain and incident-response teams will own directly. The remaining four cover basic cyber hygiene and training, policies on cryptography and encryption, human resources security with access control and asset management, and multi-factor authentication with secured communications.

Risk Management Policies

Implement policies for risk analysis and information system security, including threat assessment and vulnerability management.

Incident Handling

Establish procedures for preventing, detecting, and responding to cybersecurity incidents with defined escalation paths.

Business Continuity

Ensure business continuity with backup management, disaster recovery, and crisis management procedures.

Supply Chain Security

Manage security risks in relationships with direct suppliers and service providers, taking into account each supplier's specific vulnerabilities, the overall quality of their products and their secure development practices, and set security requirements in contracts.

Security in Procurement

Address security in the acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure.

Effectiveness Assessment

Regular testing and auditing of cybersecurity risk management measures and their effectiveness.

Incident Reporting Timeline

NIS2 introduces strict notification requirements with specific deadlines for significant incidents: those that have caused or can cause severe operational disruption or financial loss to the entity, or considerable material or non-material damage to others. The first two clocks run from the moment the entity becomes aware of the incident, not from when analysis is complete, so the incident-handling procedure needs a defined point at which an incident is classified as significant.

24 hours

Early Warning

Initial notification to the CSIRT or competent authority, stating where applicable whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact

72 hours

Incident Notification

Update of the early warning with an initial assessment of the incident, including its severity and impact, and indicators of compromise where available

1 month

Final Report

Due one month after the 72-hour incident notification: a detailed description of the incident, its severity and impact, the type of threat or root cause that likely triggered it, applied and ongoing mitigation measures, and any cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. The authority may also request an intermediate status update at any time.

Non-Compliance Risks

NIS2 Penalties

The directive sets minimum ceilings for administrative fines; Member States may set higher ones.

Essential Entities

Higher tier penalties

€10M or 2% of total annual worldwide turnover, whichever is higher

Plus potential personal liability for management: management bodies must approve and oversee the risk-management measures and can be held liable for infringements, and authorities may temporarily bar the CEO or legal representative of an essential entity from exercising managerial functions

Important Entities

Lower tier penalties

€7M or 1.4% of total annual worldwide turnover, whichever is higher

How Dependra Helps with NIS2

Our platform helps you assess your supply chain security and identify vendors that could expose you to NIS2 compliance risks.

  • Map your digital supply chain dependencies
  • Identify third-party security risks
  • Assess vendor compliance posture
  • Monitor for security incidents in your stack
  • Generate NIS2 compliance documentation
  • Find EU-based secure alternatives

NIS2 Quick Facts

  • Full name: Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union (NIS2)
  • Directive number: EU 2022/2555
  • Adopted: December 14, 2022
  • Entered into force: January 16, 2023
  • Transposition deadline: October 17, 2024
  • Applies from: October 18, 2024
  • Replaces: NIS Directive (2016/1148)

Ready for NIS2 Compliance?

Assess your cybersecurity posture and supply chain risks before the deadline.