Regulation guide

NIS2: the directive explained

NIS2 is the EU directive that raises the cybersecurity baseline for essential and important entities. This guide covers what the NIS2 directive requires, who it applies to, and how to approach NIS2 compliance without guesswork.

The basics

What is the NIS2 directive?

The NIS2 requirements in brief

The NIS2 directive sets baseline risk-management measures, incident-reporting duties and governance expectations. Meeting the NIS2 requirements means proving you have the controls, the evidence and the reporting workflow in place.

From NIS to NIS 2

NIS2 replaces the original NIS directive, widening scope and tightening enforcement. If you have heard it called "NIS 2" or the "NIS 2 directive", it is the same law.

Who is in scope

Essential and important entities across sectors like energy, transport, health, digital infrastructure and public administration fall under NIS2 requirements.

Why it matters

NIS2 introduces management accountability and real penalties, so NIS2 compliance is now a board-level obligation, not just an IT project.

Core NIS2 requirements

Risk-management measures

The Article 21 baseline: policies, cryptography, access control, supply chain security and more.

Incident reporting

A 24-hour early warning and a 72-hour notification for significant incidents.

Governance

Management bodies must approve and oversee cybersecurity risk measures.

Supply chain security

Assess and manage the security of suppliers and service providers.

Where to next

Turn NIS2 compliance into a plan

Compare open-source GRC tooling, review critical infrastructure protection, and see how DORA relates to NIS2.

Tooling

A GRC toolkit keeps your NIS2 evidence and risk register audit-ready.

Detection

A SIEM provides the incident detection that NIS2 reporting assumes you already have.

Related rules

DORA and the Cyber Resilience Act sit alongside NIS2 for many organisations.

NIS2 frequently asked questions

When does NIS2 apply?

NIS2 entered into force in 2023, and member states were required to transpose it into national law; its obligations now apply to in-scope entities.

What are the NIS2 requirements?

Baseline risk-management measures under Article 21, incident-reporting duties, governance accountability and supply chain security.

Is NIS2 the same as NIS 2?

Yes. "NIS 2" and "NIS 2 directive" are common spellings of the NIS2 directive.

Ready to move on NIS2 compliance?

Join the NIS2 webinar or compare the open-source GRC tooling that supports it.