The NIS2 Directive broadens the focus of NIS1 from technical cybersecurity alone to enterprise-wide resilience. It requires organizations to maintain essential services under threat, recover quickly from incidents, and protect supply chain stability.
With NIS2, if your systems fail, it’s not just consumers at risk – leadership can now face personal penalties, too. With enforcement in effect across all member states as of October 2024, you need to prepare now to ensure you’re compliant.
What NIS2 Requires from Your Organization
NIS2 revises the original NIS1 framework and now covers new industries, categorizes them, and places specific expectations upon those industries. Sectors that may have never had to think about cybersecurity regulation – like food or postal services – now face the same scrutiny as banks and hospitals.
NIS2 also tightens enforcement, raises penalties, and places direct accountability on leadership when compared with NIS1. That means, if you operate in the EU, non-compliance could cost your organization money and credibility, while also putting your leadership teams personally at risk. These implications point to one truth: under NIS2, everyone’s accountable for resilience.
What’s Changed from NIS1 to NIS2?
The most important change in NIS2 is that boards and executives are now personally responsible for compliance. They can no longer simply delegate accountability, which forces boards to oversee risk management and governance more closely.
NIS2 also broadens the coverage of regulated sectors and distinguishes between essential and important entities, designating areas of focus for both. Compliance is outlined by 10 minimum risk management measures, as well as reporting deadlines to ensure disclosure.
Overall, the aim is to lift cybersecurity and operational resilience to a board-level concern. Failure to comply has severe risks, including personal liability, removal from position, and sanctions. Proactive compliance doesn’t just avoid penalties; it also protects leadership and strengthens the entire organization.
Key Features Introduced by NIS2
NIS2 introduces several mandates compared with NIS1 that organizations must address immediately:
| Area | NIS1 | NIS2 |
| --- | --- | --- |
| Scope | Limited operators of essential services and select digital service providers | Expands to critical industries, including manufacturing, food, chemicals, postal services, research, space, and public administration |
| Entity Classification | None | “Essential” (Annex I) and “Important” (Annex II) |
| Governance and Accountability | Delegated | Boards and executives are held accountable; persistent non-compliance may require leadership changes |
| Incident Reporting | Loosely defined | Initial notification within 24 hours, a detailed report within 72 hours, and a final report within one month |
| Risk Management | Minimal guidance | 10 specific risk measures |
| Penalties | Varied | EU-wide fines, binding instructions, public disclosure, and leadership liability |
Entity Classification in Detail
- Essential (Annex I): Wastewater, public administration, space
- Important (Annex II): Postal and courier services, waste management (distinct from wastewater), chemicals production, food production, manufacturing, digital service providers, research
Essential entities support critical societal infrastructure. Failure to comply could mean disruptions to services that consumers depend on. Important entities may not be as critical to society, but lapses can still cause significant financial and reputational damage.
Under NIS2, essential entities have supervision requirements, while important entities are subject to retroactive supervision, meaning action will be taken if they’re not compliant. Member states can determine what constitutes “supervision” from a series of options outlined in the directive.
Fines and penalties are also higher for essential entities. Essential entities face administrative fines of up to €10 million or 2% of the company’s total annual global turnover in the previous fiscal year, whichever amount is higher. Non-compliant important entities face administrative fines of up to €7 million or 1.4% of the company’s total annual global turnover, whichever is higher. With these harsher penalties and a strict view of personal accountability for leadership, NIS2 aims to raise the stakes of non-compliance.
Who Has to Comply with NIS2?
Newly regulated sectors – and the leaders who oversee them – are now within the scope of NIS2. This directive isn’t just about coverage; it’s about who will be held responsible for disruptions. For your organization, NIS2 accountability extends beyond IT and involves:
- Business continuity management (BCM): Keeping essential services running
- Operational resilience: Coordinating recovery across business units
- Governance, risk, and compliance (GRC): Ensuring oversight and governance protocols are followed
- Cybersecurity: Defending against threats and supporting incident reporting
With this shared responsibility, cross-functional coordination is critical to keep services running and mitigate disruption risks. A lack of collaboration can lead to non-compliance consequences like public disclosure or even mandatory leadership changes.
NIS2’s 10 Core Compliance Requirements
NIS2 requires 10 minimum risk management measures that your organization must put into practice. These measures are the baseline; regulators will expect proof, and leaders will be held accountable if they’re not met:
1. Risk analysis and information system security
Expectation: Identify vulnerabilities and set protective controls.
Gaps here are the root cause of most compliance failures, and boards will be asked why they were overlooked.
2. Incident handling
Expectation: Respond effectively to reduce operational and financial impact.
Deadlines are tight under NIS2, and a weak incident process risks missed deadlines.
3. Business continuity measures
Expectation: Maintain essential services during disruptions.
If your plan fails under pressure, essential services may go offline.
4. Supply chain security
Expectation: Prevent vendor-related disruptions or breaches.
One weak vendor can put your entire organization out of compliance. Regulators will not accept “our supplier failed” as an excuse.
5. Security in system acquisition, development, and maintenance, including vulnerability handling and disclosure
Expectation: Secure systems from the outset to reduce risks.
If security is bolted on too late, vulnerabilities multiply, leaving you accountable for preventable weaknesses.
6. Policies and procedures to assess the effectiveness of cybersecurity risk management measures
Expectation: Ensure risk controls remain effective over time.
Stale controls won’t satisfy regulators. Boards must show evidence that protections are tested and still effective.
7. Basic computer hygiene and training
Expectation: Equip employees to prevent breaches and mistakes.
Most breaches trace back to simple mistakes. Inadequate training can expose your organization to negligence penalties.
8. Policies on appropriate use of cryptography and encryption
Expectation: Protect sensitive data and communications.
Weak cryptography can expose customer data, triggering fines and public disclosure requirements that directly damage credibility.
9. Human resources security, access control policies, and asset management
Expectation: Limit exposure to internal and external threats.
Poor access control is one of the fastest ways to fail compliance audits.
10. Use of multi-factor authentication, secured voice/video/text communication, and secured emergency communication
Expectation: Enforce strong access and ensure communication during crises.
Weak authentication or broken communication channels can grind crisis response to a halt.
According to the guidelines, these measures must be implemented proportionately to risk, size, cost, and impact of incidents. Under the directive, the EU can also carry out risk assessments of critical services, systems, or supply chains, impose certification obligations, and adopt technical requirements relating to these measures.
These 10 measures should be seen as the floor, not the ceiling, of resilience. Regulators will expect you to demonstrate them in practice and will hold leaders personally accountable if any are neglected.
Common Barriers to NIS2 Compliance
Many organizations can run into these issues when trying to comply with NIS2:
- Undesignated ownership across governance, operational, and IT teams
  - Pitfall: Everyone assumes “someone else” is responsible for compliance. Reporting deadlines can slip because no team feels truly accountable.
  - How to Avoid: Assign a single executive owner with cross-functional authority, then track responsibilities across all teams with transparency.
- Misaligned cybersecurity and operational resilience strategies
  - Pitfall: Cybersecurity teams focus narrowly on technical defenses while business continuity teams focus on recovery, leaving a gap in between. This disconnect shows up when an incident occurs and recovery plans don’t match the actual threat.
  - How to Avoid: Treat resilience and cybersecurity as one continuous process, not separate silos. Run joint tabletop exercises so plans don’t collapse under pressure.
- Disjointed compliance across locations and teams
  - Pitfall: Large organizations might let regional sites interpret NIS2 differently. Some over-comply, others under-comply, creating inconsistent reporting and audit gaps.
  - How to Avoid: Centralize compliance policies, then adapt locally where needed. Use software dashboards to keep a single source of truth.
- Missed reporting and documentation deadlines
  - Pitfall: Teams scramble after an incident because escalation paths aren’t clear. Reports go out late or incomplete, triggering regulatory penalties.
  - How to Avoid: Predefine escalation protocols and automate evidence collection. Practice the 24/72-hour reporting cycle in advance so it doesn’t fail in the moment.
- Unmonitored suppliers
  - Pitfall: Companies assume suppliers have adequate controls but don’t verify. When a supplier breach occurs, regulators will hold you accountable.
  - How to Avoid: Build supplier risk reviews into contracts and require evidence of compliance. Monitor your vendors continuously, not just annually.
Most NIS2 failures don’t happen because organizations are ignoring the rules. They happen because of small gaps in ownership, timing, or supplier oversight. The difference between compliance and costly failure often comes down to whether these gaps are closed in advance.
How to Prepare for NIS2 Compliance
To be ready, organizations should:
- Conduct a gap analysis to identify weaknesses against the 10 NIS2 measures.
- Establish collaboration across BCM, GRC, and cybersecurity teams.
- Strengthen vendor and supply chain oversight to prevent external disruptions.
- Define governance and escalation protocols for timely, compliant decisions.
- Integrate resilience into business planning with regular testing and continuity audits.
Organizations that take these steps now are better positioned to avoid reporting delays and service outages. The sooner you start, the more time you have to close gaps, and the less likely you are to be caught off guard when regulators demand proof.
How Risk Management Software Simplifies NIS2 Compliance
Instead of scrambling for evidence after an incident, you can rely on software that automates the entire evidence trail. Your organization can use software to close common NIS2 gaps by:
- Centralizing data: Your organization has one audit-ready source of truth without scattered spreadsheets or conflicting reports.
- Automating reporting: You can automate the 24/72-hour reporting workflow with time-stamped evidence, automatic escalations, and approval routing.
- Linking leadership accountability to results: Make leadership responsibility visible with dashboards and action logs that map risks to owners and decisions.
- Tracking compliance in real time: Provide audit-ready executive snapshots on demand, so the board can see current posture and outstanding remediations.
- Providing structured documentation: Capture tamper-evident paper trails, including time stamps, version histories, and attachments, so audits don’t cause chaos.
Automated workflows can help you hand regulators a timely, structured evidence package. Even during a stressful crisis, you can maintain calm, orderly compliance rather than rushing to assemble documents and missing deadlines.
NIS2 sets a higher bar for resilience with new enforcement levers, like strict timelines, minimum measures, and personal penalties. As NIS2 is already in place, it’s time to ensure your organization has assigned accountability, automated incident reporting, and continuous monitoring in place.
With effective software, you can show an auditable snapshot of your NIS2 posture in time for your next board meeting. Overall, your organization’s ability to show regulators evidence on demand – and your personal accountability as a leader – is what defines success under NIS2.
For more information on resilience, read our ebook, Your Guide to Cyber Resilience, and to learn more about strengthening your cyber resilience program, check out Riskonnect’s Business Continuity Management and GRC software.