GRCEye
Compliance, EU
April 22, 2026

NIS2 Directive Explained: What CISOs Need to Know in 2026

Two years after publication, NIS2 enforcement is now a daily reality for CISOs across the EU. Here is the practical guide to scope, obligations, deadlines, and how to make the most of the controls you already have.

GRCEye Team

Why NIS2 matters now

NIS2 (Directive (EU) 2022/2555) replaced the original NIS Directive in October 2024 and dramatically expanded the cybersecurity obligations of EU organizations. Two years on, national supervisory authorities have moved past education and into active enforcement. Fines have already been issued in the Netherlands, Belgium, and Italy.

If you are a CISO in any of the eighteen sectors covered by NIS2 — energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space, postal services, waste management, manufacturing of chemicals, food, manufacturing of medical devices, manufacturing of electronics, manufacturing of vehicles, or digital providers — your board is going to ask three questions in 2026:

  1. Are we in scope?
  2. What does NIS2 actually require us to do?
  3. How exposed are we if we fail?

This article gives you defensible answers to all three.

Who is in scope

NIS2 distinguishes between essential entities (Annex I) and important entities (Annex II), with stricter supervisory regimes for essential entities. Both categories generally apply to organizations with at least 50 employees and €10M annual turnover, though some sectors (digital infrastructure, qualified trust service providers, top-level domain registries) have no size threshold.

Three things often surprise CISOs reviewing scope for the first time:

  • Subsidiaries count. A medium-sized EU subsidiary of a US tech giant can be in scope even if the parent isn't.
  • Sector classification is broader than under NIS1. Manufacturers of medical devices and vehicles are now explicitly covered. So are postal and courier services.
  • Member states can extend scope. Several countries — including Germany and France — have national transposition that captures additional entities not listed in the EU directive.

If you cannot definitively answer "are we in scope" by the end of Q2 2026, that is itself a finding. Document the scoping analysis, get sign-off from legal, and revisit annually.

The ten security obligations (Article 21)

NIS2 prescribes a baseline of risk-management measures. They are intentionally outcome-based rather than prescriptive — which is good for CISOs who already run ISO 27001 or NIST CSF programs, because most controls map directly. The ten domains:

  • Risk analysis and information security policies — documented, reviewed annually, board-approved.
  • Incident handling — including detection, response, and recovery procedures.
  • Business continuity — backup management, disaster recovery, and crisis management.
  • Supply chain security — security of the relationships between an entity and its direct suppliers.
  • Network and information system security — including procedures around acquisition, development, and maintenance of systems.
  • Policies and procedures for cybersecurity testing and audits — including the assessment of effectiveness.
  • Basic cyber hygiene practices and cybersecurity training — for staff.
  • Cryptography policies — encryption and key management.
  • Human resources security, access control, and asset management.
  • Multi-factor authentication, secured voice/video/text communications, and emergency communication systems.

If you have an active ISO 27001:2022 ISMS, you are already covering 90% of NIS2 Article 21 by virtue of Annex A. The cross-walks published by ENISA confirm this. NIS2 specifically requires you to document the mapping, not to re-implement the controls.

Incident reporting timelines

This is where NIS2 imposes real pressure on the SOC and incident response function. The directive requires three escalating notifications to the national CSIRT or competent authority:

  • Early warning — within 24 hours. Notify that an incident *may* be ongoing. Indicate whether it appears caused by malicious actions and whether it could have cross-border impact.
  • Incident notification — within 72 hours. Provide an initial assessment of severity, impact, and indicators of compromise.
  • Final report — within one month. Detailed description, root cause, applied/ongoing mitigations, and cross-border impact.

Two practical implications:

  1. Your IR runbook needs explicit NIS2 timers. Most existing runbooks were calibrated to GDPR's 72-hour breach notification. NIS2 adds a 24-hour clock for "may be ongoing" — significantly tighter.
  2. "Significant incident" is broadly defined. The directive considers an incident significant if it has caused or is capable of causing severe operational disruption or financial loss, or if it has affected (or is capable of affecting) other natural or legal persons through considerable material or non-material damage. Err on the side of notification.
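As an added illustration of the "explicit NIS2 timers" point (example code written for this article, not GRCEye's own code): a minimal deadline tracker for an IR runbook that derives the 24h/72h/one-month NIS2 clocks and the GDPR 72h clock from the detection time and reports, for any moment, which notifications are met, late, pending or overdue. Starting every clock at detection and approximating "one month" as 30 days are assumptions; `Incident`, `status_at` and `sample_incident` are hypothetical names.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Notification clocks as the article lists them (NIS2 Art. 23) plus the GDPR
# 72-hour breach clock, so one incident record tracks both obligations.
# Assumption (not from the article): every clock starts at detection time,
# and the NIS2 "one month" is approximated as 30 days.
NIS2_CLOCKS = {
    "nis2_early_warning": timedelta(hours=24),
    "nis2_incident_notification": timedelta(hours=72),
    "nis2_final_report": timedelta(days=30),
}
GDPR_CLOCK = {"gdpr_breach_notification": timedelta(hours=72)}

@dataclass
class Incident:
    detected_at: datetime
    significant: bool           # meets the NIS2 "significant incident" test
    personal_data_breach: bool  # GDPR breach notification also applies
    sent: dict = field(default_factory=dict)  # notification name -> time filed

def deadlines(inc: Incident) -> dict:
    """Map each applicable notification to its absolute deadline."""
    clocks = {}
    if inc.significant:
        clocks.update(NIS2_CLOCKS)
    if inc.personal_data_breach:
        clocks.update(GDPR_CLOCK)
    return {name: inc.detected_at + delta for name, delta in clocks.items()}

def status(inc: Incident, now: datetime) -> dict:
    """Classify each notification as met, late, pending or overdue at 'now'."""
    out = {}
    for name, due in deadlines(inc).items():
        filed = inc.sent.get(name)
        if filed is not None:
            out[name] = "met" if filed <= due else "late"
        else:
            out[name] = "overdue" if now > due else "pending"
    return out

def status_at(inc: Incident, hours_after_detection: float) -> dict:
    """Convenience wrapper: evaluate status N hours after detection."""
    return status(inc, inc.detected_at + timedelta(hours=hours_after_detection))

def sample_incident() -> Incident:
    """Constructed example: detected 09:00 UTC, early warning filed at +20h."""
    t0 = datetime(2026, 4, 20, 9, 0, tzinfo=timezone.utc)
    return Incident(t0, True, True, {"nis2_early_warning": t0 + timedelta(hours=20)})
```

Wiring `status()` into the on-call dashboard makes the 24-hour clock visible the moment an incident is flagged as potentially significant, rather than discovered when the GDPR 72-hour timer is checked.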

Supply chain security — the part everyone underestimates

Article 21(2)(d) requires entities to address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers". In plain language: NIS2 wants to see vendor risk management evidence.

That means:

  • A documented vendor inventory with risk tiering.
  • Security assessments before onboarding critical vendors.
  • Contractual clauses requiring suppliers to maintain security and notify of incidents.
  • Ongoing monitoring of vendor risk posture, especially for critical ICT service providers.

This obligation overlaps heavily with DORA (for financial entities) and with what most mature security programs already do. The difference is that NIS2 makes it statutory and supervisory authorities can request evidence.

Governance and management body responsibilities

Article 20 imposes obligations directly on the management body of in-scope entities. Senior leaders — board members, executive officers — must:

  • Approve the cybersecurity risk-management measures.
  • Oversee their implementation.
  • Receive regular cybersecurity training.

This is the single biggest cultural shift NIS2 introduces compared to NIS1. If your board is not getting quarterly cybersecurity briefings with documented training records, you have a finding waiting to happen.

Penalties and personal liability

Maximum administrative fines under NIS2:

  • Essential entities: up to €10M or 2% of total worldwide annual turnover, whichever is higher.
  • Important entities: up to €7M or 1.4% of total worldwide annual turnover, whichever is higher.

Several member states have additionally introduced personal liability for senior managers in cases of repeated non-compliance. The Netherlands and Belgium can suspend executive officers from their cybersecurity oversight role. This is a structural change CISOs need to brief their boards on directly.

A pragmatic NIS2 readiness checklist

If you want to walk into a supervisory inspection prepared, the bare minimum portfolio is:

  • A scoping memo confirming entity classification and applicable obligations.
  • An information security policy approved by the management body within the last 12 months.
  • A risk register with documented risk-treatment decisions.
  • Incident response procedures with explicit NIS2 reporting timers.
  • A business continuity plan with at least one tested recovery exercise per year.
  • A vendor inventory with risk tiers and security assessments for critical suppliers.
  • Training records for staff and management body covering cybersecurity awareness.
  • A continuity of operations runbook for the cybersecurity function itself.

A purpose-built GRC platform can produce this portfolio as artefacts of routine operation rather than as a separate compliance project. That is the difference between NIS2 being a quarterly fire drill and being something the function does in the background.

Closing thought

NIS2 is one of the few regulations where being a strong security organization automatically makes you compliant. Most of the obligations describe what mature security teams already do. The supervisory expectation is that you can prove it on demand: scope memo, policies, risk register, incident logs, vendor evidence, training records, board minutes. If you can produce that file in 48 hours when an authority asks, you are in good shape. If you cannot, the gap is operational discipline rather than missing capability — and that is fixable in a quarter.

Frequently asked questions

Is NIS2 the same as the original NIS Directive?

No. NIS2 (Directive (EU) 2022/2555) replaced the original NIS Directive in October 2024. It expanded sector scope from 7 to 18, introduced direct obligations on management bodies, established stricter incident reporting timelines, and significantly increased penalties.

How does NIS2 relate to GDPR?

GDPR governs personal data; NIS2 governs the security of network and information systems. They overlap on incident notification but apply to different categories of incidents. A breach of personal data is reportable under GDPR (within 72 hours), and if the same breach also affects critical operations or services, it is also reportable under NIS2 (early warning within 24 hours).

Do small companies need to comply with NIS2?

Generally NIS2 applies to medium and large entities (≥50 employees, ≥€10M turnover). However, certain sectors — DNS providers, top-level domain registries, qualified trust service providers, public administration — apply regardless of size. Some member states have also extended scope nationally. Always verify against your specific national transposition.

Can ISO 27001 certification cover NIS2?

ISO 27001:2022 covers most of NIS2 Article 21 obligations through Annex A controls, but ISO 27001 alone is not sufficient. NIS2 also requires explicit management body involvement, the specific incident notification timelines (24h/72h/1 month), and supervisory cooperation duties that go beyond ISMS scope. Treat ISO 27001 as the foundation, not the destination.

What is the maximum fine for NIS2 non-compliance?

For essential entities: up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For important entities: up to €7 million or 1.4% of turnover. Several member states have also introduced personal liability provisions for senior managers in cases of repeated non-compliance.
