FortaRisks

NIS2

NIS2 is the European cybersecurity directive that replaces the 2016 NIS directive. It expands the sectors in scope, strengthens risk-management obligations, imposes tight deadlines for reporting significant incidents and makes management bodies directly accountable for compliance.

Updated on July 2, 2026

What is NIS2?

NIS2 (Network and Information Security 2, Directive (EU) 2022/2555) is the European directive that replaces the original NIS directive (Directive (EU) 2016/1148) adopted in 2016. It raises the cybersecurity bar across the European Union and was to be transposed into national law by member states by 17 October 2024; several member states missed that deadline, so the exact obligations and the competent authority depend on the national law in each country.

Where the first NIS directive targeted a narrow set of operators of essential services and digital service providers, NIS2 substantially broadens the scope, harmonizes obligations across member states and introduces a more dissuasive penalty regime.

Why it matters for your organization

NIS2 classifies organizations as "essential" or "important" entities, with differentiated supervision and penalties. Non-compliance can lead to administrative fines of up to 10 million euros or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to 7 million euros or 1.4% for important entities.

An often underestimated point: the directive makes management bodies personally accountable. They must approve the cybersecurity risk-management measures, oversee their implementation, follow training themselves and can be held liable for infringements. Cybersecurity becomes an explicit board-level topic.

The key obligations

  • Risk management: put in place appropriate and proportionate technical, operational and organizational measures, covering at least risk analysis and security policies, incident handling, business continuity, supply-chain security, secure acquisition and development of systems, vulnerability handling, cryptography, access control and multi-factor authentication, and security awareness.
  • Incident notification: report significant incidents within the 24-hour, 72-hour and one-month deadlines.
  • Business continuity: backups, crisis management and recovery plans.
  • Supply-chain security: assess and govern the risk from direct suppliers and service providers, including the quality of their own security practices.
  • Governance and accountability: documented management involvement, approval of the measures and leadership training.
  • Registration: identify the organization to the competent national authority and keep the contact details up to date.

Where organizations most often fall short

Many still believe NIS2 only concerns large energy or telecom operators. In practice, scope becomes concrete the moment a customer sends a security questionnaire or a contract adds an incident-notification clause. Common gaps involve supply-chain security, the ability to detect and qualify an incident fast enough to meet the 24-hour early-warning deadline, and the lack of evidence of management-body involvement.

Frequently asked questions

Is my company in scope for NIS2?

NIS2 applies to medium and large entities (from 50 employees, or more than 10 million euros in annual turnover or balance sheet total) active in the eighteen sectors listed in its annexes: energy, transport, banking, financial market infrastructure, health, drinking water, waste water, digital infrastructure, ICT service management, public administration, space, and the "other critical" sectors such as postal services, waste management, chemicals, food, manufacturing, digital providers and research. Some smaller entities are covered regardless of size when they play a critical role, for example DNS service providers, TLD registries, trust service providers, or the sole provider of a service in a member state. Even outside scope, a company can be bound by requirements passed down by its customers or by contract.

What are the incident-notification deadlines under NIS2?

An early warning must reach the CSIRT or competent authority within 24 hours of becoming aware of a significant incident, stating whether it is suspected to result from unlawful or malicious acts and whether it could have a cross-border impact. An incident notification follows within 72 hours, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise. A final report is due within one month, covering the incident, its likely root cause, the mitigation measures applied and any cross-border impact. The authority may also request intermediate status reports in the meantime.
