
NIS2 Directive: A Complete Compliance Guide for 2026

14 May 2026·9 min read·Cyber Horizon Team

NIS2 transposition deadline passed — October 2024

EU member states were required to transpose NIS2 into national law by 17 October 2024. Most have done so. If your organisation falls in scope, you are already subject to enforcement. The question is whether you are compliant.

The Network and Information Security Directive 2 (NIS2) — Directive (EU) 2022/2555 — represents the most significant expansion of EU cybersecurity regulation since the original NIS Directive of 2016. It dramatically broadens scope, strengthens enforcement, introduces personal liability for senior management, and mandates specific security measures across all in-scope entities.

Are You in Scope?

NIS2 covers two categories of entities, Essential and Important, across 18 sectors. Unlike NIS1, which was narrowly focused, NIS2 captures thousands more organisations.

Essential Entities

Large organisations (250+ employees or €50M+ turnover) in critical sectors:

  • Energy (electricity, oil, gas, hydrogen)
  • Transport (air, rail, road, maritime)
  • Banking and financial market infrastructure
  • Health (hospitals, pharma, medical devices)
  • Drinking water and wastewater
  • Digital infrastructure (DNS, TLDs, cloud, datacentres)
  • ICT service management (B2B)
  • Public administration
  • Space

Important Entities

Medium organisations (50+ employees or €10M+ turnover) in additional sectors:

  • Postal and courier services
  • Waste management
  • Chemical manufacturing
  • Food production and distribution
  • Medical device and electronics manufacturing
  • Digital providers (search engines, social platforms, marketplaces)
  • Research organisations

What NIS2 Requires

Article 21 of NIS2 mandates "appropriate and proportionate technical, operational and organisational measures" covering at minimum:

01 Risk Analysis and Information System Security Policies

A formal, documented risk management framework with board approval. This includes asset classification, threat modelling, and a defined risk appetite. Policies must be reviewed annually and after significant changes.

02 Incident Handling

Procedures for detecting, responding to, and recovering from incidents. NIS2 requires notification to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, with a full report within 72 hours and a final report within one month.

03 Business Continuity and Crisis Management

BCP and DR plans covering backup management, disaster recovery, and crisis management. Plans must be tested and the results evidenced. This aligns closely with ISO 22301 requirements.

04 Supply Chain Security

Security assessments of direct suppliers and service providers. Organisations must consider the overall security posture of the supply chain, including the software development practices of technology vendors.

05 Network and Information System Security

Vulnerability handling, security testing, and hardening of network and information systems. This includes patch management processes and configuration management.

06 Cybersecurity Hygiene and Training

Basic cyber hygiene practices including MFA, privileged access management, encryption, and endpoint security. Security awareness training is mandatory for all staff, with specialised training for security teams.

07 Cryptography and Encryption

Policies on the use of cryptography and, where appropriate, encryption for data in transit and at rest.

08 Human Resources, Access Control and Asset Management

Background checks for staff with access to critical systems, access control policies based on least privilege, and a complete asset inventory.

Management Accountability — A Critical New Element

NIS2 introduces personal liability for senior management — a significant departure from NIS1. Under Article 20, management bodies of essential entities must:

  • Approve cybersecurity risk management measures
  • Oversee implementation and be accountable for compliance
  • Undergo regular cybersecurity training
  • Potentially face temporary bans from management roles following serious breaches

This means boards and C-suites can no longer delegate cybersecurity entirely to the IT function. GRC programmes must now produce board-ready reporting and evidence trails demonstrating active management oversight.

Penalties for Non-Compliance

Essential entities: up to €10M or 2% of global turnover, whichever is higher

Important entities: up to €7M or 1.4% of global turnover, whichever is higher

NIS2 vs ISO 27001 — What's the Relationship?

Many organisations ask whether ISO 27001 certification covers NIS2. The answer is: partially. ISO 27001 provides a strong foundation and covers significant overlap with NIS2 Article 21 requirements. However, NIS2 adds specific obligations around incident reporting timelines, supply chain security, and management accountability that go beyond the ISO standard. Organisations with ISO 27001 should conduct a targeted gap assessment against NIS2 rather than assuming full coverage.

Map your controls to NIS2 automatically

Cyber Horizon pre-maps NIS2 Article 21 requirements across your control library, automates incident reporting workflows, and generates board-ready compliance evidence. Start your NIS2 gap assessment today.
