Regulation guide
NIS2: the directive explained
NIS2 is the EU directive that raises the cybersecurity baseline for essential and important entities. This guide covers what the NIS2 directive requires, who it applies to, and how to approach NIS2 compliance without guesswork.
The basics
What is the NIS2 directive?
The NIS2 requirements in brief
The NIS2 directive sets baseline risk-management measures, incident-reporting duties and governance expectations. Meeting the NIS2 requirements means proving you have the controls, the evidence and the reporting workflow in place.
From NIS to NIS 2
NIS2 replaces the original NIS directive, widening scope and tightening enforcement. If you have heard it called "NIS 2" or the "NIS 2 directive", it is the same law.
Who is in scope
Essential and important entities across sectors like energy, transport, health, digital infrastructure and public administration fall under NIS2 requirements.
Why it matters
NIS2 introduces management accountability and real penalties, so NIS2 compliance is now a board-level obligation, not just an IT project.
Core NIS2 requirements
Risk-management measures
The Article 21 baseline: policies, cryptography, access control, supply chain security and more.
Incident reporting
A 24-hour early warning and a 72-hour notification for significant incidents.
Governance
Management bodies must approve and oversee cybersecurity risk measures.
Supply chain security
Assess and manage the security of suppliers and service providers.
Where to next
Turn NIS2 compliance into a plan
Tooling
A GRC toolkit keeps your NIS2 evidence and risk register audit-ready.
Detection
A SIEM gives you the incident detection NIS2 reporting assumes.
Related rules
DORA and the Cyber Resilience Act sit alongside NIS2 for many organisations.
NIS2 frequently asked questions
When does NIS2 apply?
NIS2 entered into force in 2023 and member states were required to transpose it into national law, with obligations now applying to in-scope entities.
What are the NIS2 requirements?
Baseline risk-management measures under Article 21, incident-reporting duties, governance accountability and supply chain security.
Is NIS2 the same as NIS 2?
Yes. "NIS 2" and "NIS 2 directive" are common spellings of the NIS2 directive.
Ready to move on NIS2 compliance?
Join the NIS2 webinar or compare the open-source GRC tooling that supports it.