Kortave
NIS2 | 17 February 2025 | 8 min read

NIS2 Is Being Enforced. Here's What Most Companies Haven't Done Yet.

The NIS2 Directive has been national law across most EU member states since late 2024. Supervisory authorities are already investigating. The gaps they're finding are predictable.

The NIS2 Directive required EU member states to transpose it into national law by 17 October 2024. Most have done so or are in final stages. National cybersecurity authorities — ENISA's network of Computer Security Incident Response Teams and sector-specific regulators — are actively assessing compliance in essential and important sectors. What they're finding is a familiar pattern: organisations that understood NIS2 was coming but underestimated how different it is from NIS1.

Who NIS2 actually covers

NIS1 covered operators of essential services and digital service providers in specific categories. NIS2 significantly expands this scope. It now covers medium and large organisations in 18 sectors:

Essential sectors (higher obligations): Energy, transport, banking, financial market infrastructures, health, drinking water, wastewater, digital infrastructure, ICT service management (B2B), public administration, space.

Important sectors (slightly lower thresholds): Postal and courier services, waste management, manufacture and distribution of chemicals, food production and distribution, manufacturing of medical devices, computers, electronics, machinery, and motor vehicles, and digital providers (search engines, social networks, online marketplaces).

If your organisation has 50 or more employees and €10 million or more in annual turnover, and operates in any of these sectors, you are likely within scope. The "size cap" exemption that excluded smaller operators under NIS1 has been substantially narrowed.

The five gaps regulators are finding

Gap 1: No cyber risk management framework. NIS2 Article 21 requires covered entities to implement measures addressing: incident handling, business continuity, supply chain security, network and system security, vulnerability disclosure, cryptography and encryption, access control, and multi-factor authentication. Many organisations have policies that address some of these in isolation. Very few have an integrated framework that treats them as interconnected controls with documented ownership and review cycles.

Gap 2: Missing incident notification procedures. NIS2 requires early warning to the national CSIRT within 24 hours of becoming aware of a significant incident. A full notification is due within 72 hours. A final report is due within one month. "Significant incident" has a specific definition: an incident that has caused or could cause severe disruption to service or financial losses, or affected other natural or legal persons.

Most organisations have breach notification procedures written for GDPR's 72-hour window. NIS2's 24-hour early warning requirement is different and stricter. Many organisations are discovering their procedures don't trigger fast enough.

Gap 3: Untested business continuity and disaster recovery. NIS2 requires not just documented BCP/DR plans but tested ones. "Tested" means exercises have been conducted, results documented, and plans updated based on findings. Regulators are asking for test records, not just plan documents.

Gap 4: Supply chain security not addressed. Article 21 explicitly requires security measures concerning supply chain, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers. This means assessing the cybersecurity practices of your critical technology vendors — not just signing a contract that says they'll be secure.

This is the gap most organisations have entirely skipped. It requires inventorying critical suppliers, assessing their security posture, and having a process for ongoing monitoring. It's operationally complex, and almost nobody has done it systematically.

Gap 5: Management accountability not established. NIS2 Article 20 makes management bodies — boards and senior executives — personally accountable for cybersecurity. Management must approve risk management measures and oversee their implementation, and its members are individually liable for infringements. They must also receive regular cybersecurity training so that they are able to fulfil this responsibility.

In practice, this means cybersecurity can no longer be delegated entirely to IT. Boards need to be briefed on the organisation's NIS2 compliance status. Executives need documented training. Regulators are beginning to ask for evidence of both.

What the fines look like

For essential entities: up to €10 million or 2% of global annual turnover (whichever is higher).

For important entities: up to €7 million or 1.4% of global annual turnover.

More significantly, NIS2 allows national authorities to temporarily prohibit individuals who hold managerial positions from exercising management functions in the organisation if a serious NIS2 infringement is found. This personal liability mechanism has no equivalent in most prior EU regulatory frameworks outside of financial services.

Where to start if you haven't

First: confirm whether you're in scope. The sector definitions and size thresholds vary slightly by member state — check the national implementation law in each jurisdiction you operate in.

Second: conduct a gap assessment against the Article 21 technical measures. Document what you have and what you're missing.

Third: fix the 24-hour incident notification trigger. This is the most time-sensitive operational gap because it requires process changes that cut across IT, legal, and communications functions.

Fourth: brief your management body. Get cybersecurity onto the board agenda. Document the briefing.

NIS2 has been enforceable law since October 2024. The question isn't whether you need to comply. It's whether you're ahead of the investigation or behind it.

