NIS2 is the Network and Information Security Directive (EU) 2022/2555, the European Union’s revised cybersecurity law, in force since 16 January 2023 and replacing the 2016 NIS Directive with effect from 18 October 2024. It is estimated to apply to roughly 160,000 organisations across the EU (by common estimates a 16-fold increase on the original NIS population), covering 18 sectors and two categories of regulated entity (“essential” and “important”). NIS2 imposes ten minimum cybersecurity risk-management measures (Article 21), a three-stage incident reporting cascade (Article 23: 24-hour early warning, 72-hour notification, final report one month after the notification), personal accountability for management bodies (Article 20), and fines up to EUR 10 million or 2% of global annual turnover for essential entities (EUR 7 million or 1.4% for important entities). This guide walks compliance leaders, CISOs, and boards through what NIS2 now requires, who is in scope at which level, and how to build a 12-month roadmap to audit-readiness.
Who is in scope: the 160,000-entity question
NIS2 dramatically expands the regulated population. Two filters determine whether your organisation is in scope, and at what level:
- Sector — Annex I lists “essential” sectors and Annex II lists “important” sectors. Together they cover 18 categories including energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal and courier services, waste management, manufacture of critical products (chemicals, medical devices, food), digital providers (online marketplaces, search engines, social platforms), research, and managed service providers.
- Size — “Medium-sized” or larger entities in those sectors are in scope. The size test is the SME definition in the Annex to Recommendation 2003/361/EC: an enterprise is medium-sized (and so in scope) once it has 50 or more employees, or exceeds both EUR 10m annual turnover and EUR 10m annual balance sheet total. An enterprise under the staff ceiling that stays under either financial ceiling remains small and is out of scope unless a size-independent rule applies.
Size-independent inclusions exist (Article 2(2)): providers of public electronic communications networks or publicly available electronic communications services, trust service providers (qualified or not), top-level domain name registries and DNS service providers are in scope at any size. So are certain public administration entities, and entities a member state identifies as the sole provider of a service essential to critical societal or economic activities, or as otherwise critical because of their potential impact or cross-border importance.
Categorisation follows from sector + size:
- Essential entity: large entity (250+ employees, or turnover above EUR 50m and balance sheet above EUR 43m) in an Annex I sector, or an entity type that Article 3(1) makes essential regardless of size: qualified trust service providers, top-level domain name registries and DNS service providers, plus medium-sized providers of public electronic communications networks or services and central government public administration entities.
- Important entity: medium entity (50–249 employees, or over EUR 10m in turnover and balance sheet but under the large thresholds) in an Annex I sector, any in-scope entity in an Annex II sector at medium size or above, and any size-independent inclusion not classed as essential (for example a small non-qualified trust service provider).
For the full classification walk-through with worked examples, see our NIS2 essential vs important entities guide.
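The sector-plus-size rules above are easy to get wrong in two places: the SME financial ceilings are alternatives (an entity stays small or medium if it is under either the turnover or the balance-sheet ceiling), and several entity types are classified regardless of size. The following classifier is an added example written for this page, not Enactia's code or an official tool; it implements the default rules of Articles 2(1), 2(2)(a) and 3 only, and deliberately leaves out member-state designations, public administration and national transposition deltas, which need a legal check. The sample entities and figures are constructed.

```python
from dataclasses import dataclass
from enum import Enum


class Annex(Enum):
    """Which NIS2 annex lists the entity's sector (Annex I: high criticality, Annex II: other critical)."""
    I = "Annex I"
    II = "Annex II"
    NONE = "not listed"


def size_class(staff: int, turnover_m: float, balance_m: float) -> str:
    """Size class under Recommendation 2003/361/EC, Annex Art. 2.

    The staff ceiling is mandatory; the two financial ceilings are alternatives,
    so an enterprise stays in the smaller class if it is under EITHER the turnover
    OR the balance-sheet ceiling. 'small' here also covers micro enterprises.
    """
    if staff < 50 and (turnover_m <= 10 or balance_m <= 10):
        return "small"
    if staff < 250 and (turnover_m <= 50 or balance_m <= 43):
        return "medium"
    return "large"


# Entity types that Art. 2(2)(a) brings into scope regardless of size.
SIZE_INDEPENDENT_TYPES = {
    "dns service provider",
    "tld name registry",
    "qualified trust service provider",
    "trust service provider",
    "public electronic communications provider",
}


@dataclass
class Entity:
    name: str
    annex: Annex
    staff: int
    turnover_m: float       # annual turnover, EUR millions
    balance_m: float        # annual balance sheet total, EUR millions
    entity_type: str = ""   # one of SIZE_INDEPENDENT_TYPES, or "" for any other type


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out of scope' under the default rules.

    Assumption: not modelled are member-state designations (Art. 2(2)(b)-(e), Art. 3(1)(g)),
    public administration (Art. 2(2)(f), Art. 3(1)(f)) and national transposition deltas.
    """
    size = size_class(e.staff, e.turnover_m, e.balance_m)
    # Art. 3(1)(b): essential regardless of size.
    if e.entity_type in ("dns service provider", "tld name registry", "qualified trust service provider"):
        return "essential"
    # Art. 3(1)(c): telecoms providers are essential at medium size, large ones via Art. 3(1)(a);
    # small/micro ones are still in scope (Art. 2(2)(a)(i)) and fall to 'important' (Art. 3(2)).
    if e.entity_type == "public electronic communications provider":
        return "important" if size == "small" else "essential"
    # Non-qualified trust service providers: in scope at any size (Art. 2(2)(a)(ii)),
    # essential only when large (Annex I + large, Art. 3(1)(a)).
    if e.entity_type == "trust service provider":
        return "essential" if size == "large" else "important"
    # Default rule, Art. 2(1): medium or larger in an Annex I/II sector.
    if e.annex is Annex.NONE or size == "small":
        return "out of scope"
    if e.annex is Annex.I and size == "large":
        return "essential"          # Art. 3(1)(a)
    return "important"              # Art. 3(2): everything else in Annex I/II


# Constructed sample entities (illustrative figures, not real organisations).
SAMPLE = [
    Entity("regional hospital group", Annex.I, staff=400, turnover_m=80, balance_m=60),
    Entity("energy utility, mid-size", Annex.I, staff=100, turnover_m=60, balance_m=40),
    Entity("food manufacturer", Annex.II, staff=120, turnover_m=30, balance_m=20),
    Entity("small chemicals firm", Annex.II, staff=30, turnover_m=12, balance_m=8),
    Entity("DNS service provider", Annex.I, staff=12, turnover_m=1, balance_m=1,
           entity_type="dns service provider"),
    Entity("local ISP", Annex.I, staff=20, turnover_m=3, balance_m=2,
           entity_type="public electronic communications provider"),
    Entity("software vendor, unlisted sector", Annex.NONE, staff=500, turnover_m=200, balance_m=150),
]

if __name__ == "__main__":
    for e in SAMPLE:
        print(f"{e.name:<34} {size_class(e.staff, e.turnover_m, e.balance_m):<7} -> {classify(e)}")
```

Two of the samples show why the thresholds matter: the energy utility with EUR 60m turnover is still medium-sized (balance sheet under EUR 43m) and therefore important rather than essential, and the chemicals firm with EUR 12m turnover is out of scope because its balance sheet is under EUR 10m and it has fewer than 50 staff.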
The ten Article 21 cybersecurity risk-management measures
Article 21(2)(a)–(j) lists ten minimum measures every essential and important entity must adopt. They must be “appropriate and proportionate” and follow an “all-hazards” approach.
| Letter | Measure | What it means operationally |
|---|---|---|
| (a) | Policies on risk analysis and information system security | A documented risk-management framework with periodic assessment |
| (b) | Incident handling | Detection, response, internal escalation, post-incident review |
| (c) | Business continuity (backup management, disaster recovery, crisis management) | BCP, DR, tested RTO/RPO, crisis comms |
| (d) | Supply chain security | Due diligence on direct suppliers and ICT service providers; contractual security clauses |
| (e) | Security in network and information systems acquisition, development and maintenance | Secure SDLC, vulnerability handling and disclosure |
| (f) | Policies and procedures to assess the effectiveness of cybersecurity risk-management measures | Internal audit, metrics, management review |
| (g) | Basic cyber hygiene practices and cybersecurity training | Workforce training programme with completion evidence |
| (h) | Policies and procedures regarding the use of cryptography and, where appropriate, encryption | Crypto policy, key management, encryption at rest and in transit |
| (i) | Human resources security, access control policies and asset management | HR vetting, RBAC, asset inventory, classification |
| (j) | Use of multi-factor authentication or continuous authentication, secured voice/video/text comms, and secured emergency comms | MFA on remote access and admin; encrypted internal channels for high-impact comms |
Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 supplements Article 21 with technical and methodological requirements for the entity types it covers: DNS service providers, top-level domain name registries, cloud computing, data centre and content delivery network providers, managed service and managed security service providers, online marketplaces, online search engines, social networking platforms and trust service providers. It also specifies when an incident counts as significant for those entities. Other sectors follow the Article 21 text as transposed, and national sector regulators may add further requirements.
Article 20: management accountability and personal liability
NIS2 makes management bodies — not security teams — formally accountable. Specifically:
- Management bodies must approve the cybersecurity risk-management measures and oversee their implementation.
- Members of management bodies must follow training on cybersecurity risks and are encouraged to offer similar training to staff on a regular basis.
- Management bodies can be held liable under national law for infringements of the Article 21 obligations (Article 20(1)). For an essential entity that fails to remedy deficiencies by a deadline set by the competent authority, Article 32(5) lets the authority ask the relevant bodies or courts to temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity.
The practical consequence: boards now ask for evidence in board meetings, not just policy approval. CISOs and DPOs report against measurable progress, not against checklists.
Article 23: the 24/72/one-month reporting cascade
A “significant incident” is one that has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage (Article 23(3)); for the entity types covered by Implementing Regulation 2024/2690 the thresholds are set out in that regulation. A significant incident triggers a three-stage reporting cascade to the national CSIRT (Computer Security Incident Response Team) or competent authority.
- Within 24 hours of becoming aware of the incident: an early warning indicating whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Within 72 hours: an incident notification updating the early warning with an initial assessment of severity and impact, and indicators of compromise where available.
- Not later than one month after the incident notification (the 72-hour submission, not the moment of awareness): a final report including a detailed description of the incident with its severity and impact, the type of threat or root cause likely to have triggered it, applied and ongoing mitigation measures, and (where applicable) the cross-border impact. The CSIRT or competent authority may also request intermediate status updates at any point.
In cases of an ongoing incident at the one-month mark, the entity submits a progress report and a final report within one month of incident closure. For the operational decision tree, sector-specific routes, and a worked timeline, see our NIS2 incident reporting cascade guide.
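The cascade has two timing details that incident trackers routinely get wrong: the 24- and 72-hour clocks run from the moment the entity becomes aware, while the final report is due one month after the notification was actually submitted, and an incident still open at that one-month mark owes a progress report then and the final report only one month after handling ends. The deadline tracker below is an added example written for this page, not Enactia's incident workflow or an official CSIRT tool; it assumes UTC timestamps, treats "one month" as the same calendar day in the following month (clamped to the month's last day), and uses a constructed timeline.

```python
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, Optional, Tuple

UTC = timezone.utc


def add_one_month(t: datetime) -> datetime:
    """Same day one calendar month later, clamped to the month's last day (31 Jan -> 28/29 Feb).
    Assumption: the directive does not define 'one month'; check national guidance."""
    year, month = (t.year + 1, 1) if t.month == 12 else (t.year, t.month + 1)
    return t.replace(year=year, month=month, day=min(t.day, calendar.monthrange(year, month)[1]))


@dataclass
class Incident:
    # Art. 23(4)(a): the 24h and 72h clocks start when the entity becomes aware,
    # so record this moment with a timezone, not the time the ticket was opened.
    aware_at: datetime
    # When the 72h incident notification was actually submitted (None until filed).
    notification_sent_at: Optional[datetime] = None
    # When handling of the incident ended (None while it is ongoing).
    resolved_at: Optional[datetime] = None
    # Stage names already filed with the CSIRT / competent authority.
    submitted: FrozenSet[str] = frozenset()


def deadlines(inc: Incident) -> Dict[str, datetime]:
    """Due timestamps for the cascade. The one-month mark hangs off the notification
    (Art. 23(4)(d)), not off awareness; until the notification is filed, its deadline is used."""
    notification_due = inc.aware_at + timedelta(hours=72)
    anchor = inc.notification_sent_at or notification_due
    return {
        "early_warning": inc.aware_at + timedelta(hours=24),
        "incident_notification": notification_due,
        "one_month_mark": add_one_month(anchor),
    }


def next_obligation(inc: Incident) -> Optional[Tuple[str, Optional[datetime]]]:
    """Which report is owed next and when; None once the cascade is complete.
    A None due date means 'one month after handling ends', which is not yet known."""
    due = deadlines(inc)
    for stage in ("early_warning", "incident_notification"):
        if stage not in inc.submitted:
            return stage, due[stage]
    mark = due["one_month_mark"]
    ongoing_at_mark = inc.resolved_at is None or inc.resolved_at > mark
    if not ongoing_at_mark:
        return None if "final_report" in inc.submitted else ("final_report", mark)
    # Art. 23(4)(e): still ongoing at the one-month mark -> progress report then,
    # final report within one month of handling the incident.
    if "progress_report" not in inc.submitted:
        return "progress_report", mark
    if "final_report" in inc.submitted:
        return None
    return "final_report", (add_one_month(inc.resolved_at) if inc.resolved_at else None)


def hours_left(due: datetime, now: datetime) -> float:
    """Hours until a deadline; negative means it has already passed."""
    return (due - now).total_seconds() / 3600


# Constructed timeline (illustrative, not a real incident): awareness on 10 March 2025 09:00 UTC,
# early warning and notification filed, notification submitted on 12 March 15:00, incident still open.
AWARE = datetime(2025, 3, 10, 9, 0, tzinfo=UTC)
SAMPLE = Incident(
    aware_at=AWARE,
    notification_sent_at=datetime(2025, 3, 12, 15, 0, tzinfo=UTC),
    resolved_at=None,
    submitted=frozenset({"early_warning", "incident_notification"}),
)

if __name__ == "__main__":
    for stage, due in deadlines(SAMPLE).items():
        print(f"{stage:<22} due {due:%Y-%m-%d %H:%M} UTC")
    stage, due = next_obligation(SAMPLE)
    print(f"next: {stage} due {due:%Y-%m-%d %H:%M} UTC, {hours_left(due, AWARE):.0f}h after awareness")
```

For the sample, the early warning is due 11 March 09:00, the notification 13 March 09:00, and because the notification went in early on 12 March 15:00, the one-month mark is 12 April 15:00; with the incident still open, the next obligation is a progress report on that date. Filing the notification early therefore also brings the final report forward, which is worth telling the on-call team.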
Penalties and enforcement
NIS2 introduces a clear two-tier penalty regime.
| Category | Maximum administrative fine |
|---|---|
| Essential entities | EUR 10 million or 2% of global annual turnover, whichever is higher |
| Important entities | EUR 7 million or 1.4% of global annual turnover, whichever is higher |
Member states may set higher national ceilings. Supervisory authorities have audit and on-site inspection powers; for essential entities they include ex-ante supervision. Personal management sanctions (including temporary disqualification) sit alongside corporate fines.
A 12-month NIS2 implementation roadmap
Months 1–2: Scoping and gap assessment
- Confirm whether your entity is in scope, and as essential or important.
- Identify the national CSIRT and competent authority for each member state you operate in.
- Inventory in-scope systems, networks, suppliers, and processes.
- Score current controls against Article 21(a)–(j) and the implementing regulation. Output: a gap register with owners.
Months 3–4: Governance and policy
- Brief the management body on Article 20 obligations; book training.
- Approve a NIS2 cybersecurity strategy, the risk-management framework, and the cybersecurity policy at board level.
- Author or refresh the policies that map to Article 21 (risk, incident response, BCP, crypto, supplier security, HR security, MFA, training).
Months 5–8: Operational and technical controls
- Stand up incident detection and reporting: 24/7 detection capability, on-call rota, CSIRT submission template tested against the 24h SLA.
- Deploy MFA on remote access and administrative accounts as a minimum; widen to all internet-facing services.
- Backup and DR: immutable backups, documented RTOs/RPOs, at least one technical recovery test.
- Supply chain: due-diligence questionnaire for ICT service providers; contract clauses for incident notification and audit rights.
- Cyber hygiene programme: workforce training with completion records.
Months 9–10: Cross-border, supply chain, training
- For multi-member-state operators: map per-country reporting routes, fine ceilings, transposition-specific scope deviations.
- Refresh contracts with cross-border data and incident-notification clauses.
- Run a tabletop exercise of the 24/72/one-month cascade with a realistic scenario.
Months 11–12: Audit and registration
- Internal audit of all Article 21 measures.
- Register with the competent authority (timing depends on member state).
- Close residual gaps. Submit any required attestations or self-declarations.
Five common NIS2 pitfalls
- Confusing NIS2 with GDPR. Both have 72-hour clocks but for different events; NIS2’s 24-hour early warning has no GDPR equivalent and the reporting routes differ (CSIRT vs DPA).
- Treating NIS2 as IT-only. Article 20’s management accountability puts the obligation on the board; pure IT ownership fails.
- Stopping at ISO 27001 evidence. ISO 27001:2022 covers roughly 70% of the Article 21 measures; the remaining five are only partially covered. ISO has controls for incident management, continuity, supplier relationships, awareness training and secure authentication, but not NIS2’s 24/72-hour reporting cascade, explicit crisis management, mandatory MFA on the Article 21(2)(j) scope or secured emergency communications, so those still need explicit NIS2-tagged work. See our NIS2 to ISO 27001 cross-mapping for the gap-by-gap detail.
- Forgetting the member-state deltas. Some member states transpose with stricter scope, higher fines, or sector regulators in addition to the cyber regulator. See our NIS2 country transposition tracker.
- Under-resourcing the 24-hour clock. If detection is a daytime function, the SLA fails. 24/7 detection is mandatory in practice.
How Enactia helps with NIS2
Enactia’s cross-mapping engine maintains a NIS2 control catalogue mapped to Article 21(a)–(j) and the European Commission’s implementing regulation, with one-evidence-many-frameworks support across NIS2, ISO 27001:2022, DORA, the EU AI Act, GDPR, and the sector regulator requirements (for example ECB DORA expectations for financial entities also subject to NIS2). The incident workflow can be configured to the 24/72/one-month SLA with member-state-specific CSIRT routing. Book a demo now to see your existing ISMS evidence mapped to NIS2 live.
Frequently asked questions
When did NIS2 take effect?
NIS2 entered into force on 16 January 2023 and member states were required to transpose it into national law by 17 October 2024 (applicable from 18 October 2024). Transposition completeness varies by member state; see the country tracker for current status.
What is the difference between essential and important entities?
Essential entities are typically large (250+ employees, or turnover above EUR 50m and balance sheet above EUR 43m) in Annex I sectors, or fall under Article 3(1)’s size-independent rules (e.g. qualified trust service providers, top-level domain name registries, DNS service providers). Important entities are medium-sized (50–249 employees, or over EUR 10m in turnover and balance sheet but under the large thresholds) in Annex I sectors, or any in-scope entity in Annex II sectors at medium size or above. Essential entities face higher fine ceilings and ex-ante as well as ex-post supervision; important entities face ex-post supervision only.
How does NIS2 incident reporting work?
A significant incident triggers an Article 23 cascade: a 24-hour early warning and a 72-hour notification with initial impact assessment and indicators of compromise, both counted from awareness, and a final report within one month of the notification (or a progress report at that point and a final report within one month of closure if the incident remains open). All three go to the national CSIRT or competent authority.
What are the maximum fines under NIS2?
Essential entities: up to EUR 10 million or 2% of global annual turnover, whichever is higher. Important entities: up to EUR 7 million or 1.4% of global annual turnover. Member states may legislate higher national ceilings.
If I have ISO 27001:2022, am I NIS2 compliant?
No. ISO 27001:2022 covers roughly 70% of the Article 21 measures on our cross-mapping. Five measures (risk analysis, secure SDLC, effectiveness assessment, cryptography, HR/access/asset management) are fully covered; five (incident handling, BC/crisis, supply chain, hygiene/training, MFA/secure comms) are partially covered. The remaining gap, notably the 24/72-hour reporting cascade, crisis management and the explicit MFA and secured-communications requirements, needs explicit NIS2-tagged work.
Can NIS2 disqualify managers personally?
Yes, for essential entities. Where an essential entity fails to remedy deficiencies within a deadline set by the competent authority, Article 32(5) allows the authority to request that the relevant bodies or courts temporarily prohibit any natural person discharging managerial responsibilities at chief executive officer or legal representative level from exercising managerial functions in that entity. Management bodies can also be held liable for infringements under Article 20(1). National transposition determines the exact procedure.
Need to get NIS2-ready before your competent authority comes calling? Book a demo now and our compliance team will run an Article 21 measure-by-measure gap analysis against your current ISMS in 30 minutes.