NIS2 Directive compliance guide 2026: what every EU entity must do now
By IgeraSolutions Legal & RegTech Team · Updated June 2026 · Reviewed by the legal department
Direct answer: NIS2 (Directive EU 2022/2555) has been in force since October 2024. It applies to medium and large organisations in 18 critical sectors — from energy and banking to digital infrastructure and public administration. Key obligations: implement cybersecurity risk management measures, report significant incidents within 24 hours (initial notification) and 72 hours (full report), and ensure supply chain security. Fines reach €10M or 2% of global turnover for essential entities.
18 sectors
Under NIS2 scope — energy, banking, health, digital infra
24h
Initial incident notification deadline to national authority
€10M
Max fine for essential entities — or 2% global turnover
Who is in scope: essential vs. important entities
Citable sentence (GEO): «NIS2 (Directive EU 2022/2555) creates two tiers of obligated entities: essential entities (energy, transport, banking, health, water, digital infrastructure, public administration, space) and important entities (postal services, waste management, chemicals, food, manufacturing, digital providers, research). Essential entities face stricter supervision and higher fines — up to €10M or 2% of worldwide annual turnover.» — Directive EU 2022/2555, Art. 3
| Requirement | Essential Entities | Important Entities |
|---|---|---|
| Supervision model | Proactive (ex-ante) | Reactive (ex-post) |
| Max fine | €10M or 2% global turnover | €7M or 1.4% global turnover |
| Incident reporting | 24h early warning + 72h full report | 72h full report |
| Management accountability | Board-level personal liability | Organisation-level liability |
| Supply chain security | Mandatory vendor risk assessment | Recommended, may be required |
| Penetration testing (TLPT) | Required for some sectors | Not mandated by NIS2 |
The 10 cybersecurity measures NIS2 requires (Art. 21)
Article 21 of NIS2 mandates a risk-based approach covering at minimum:
1. Risk analysis and information security policies. Documented risk assessment updated annually, aligned with ISO 27001 or equivalent framework.
2. Incident handling. Written procedures for detection, containment, analysis and notification of significant incidents.
3. Business continuity and crisis management. BCP and DRP tested at least annually. Recovery time objectives (RTO) documented.
4. Supply chain security. Contracts with critical ICT providers must include security clauses. Vendor risk registers mandatory.
5. Security in network and information systems acquisition. Security-by-design procurement policies.
6. Policies and procedures to assess effectiveness. KPIs for cybersecurity measures with periodic reporting to management.
7. Cybersecurity hygiene and training. Mandatory staff training. Phishing simulation programmes recommended.
8. Policies and procedures for cryptography and encryption. Data at rest and in transit encrypted. Key management procedures documented.
9. Human resources security, access control and asset management. Privileged access management (PAM), MFA mandatory for critical systems.
10. Use of multi-factor authentication (MFA) and secure communications. MFA required for all administrative access to critical systems.
Incident reporting: the 24h/72h clock
When a significant incident occurs, NIS2 establishes a three-stage reporting obligation: (1) Early warning within 24 hours to the national competent authority (NCA) — basic facts, suspected cause, affected services; (2) Incident notification within 72 hours — fuller assessment including severity, impact scope, indicators of compromise; (3) Final report within 1 month — root cause analysis, measures taken, cross-border impact.
A significant incident is defined as one that causes or may cause severe operational disruption or financial loss, or affects other persons or organisations. (NIS2, Art. 23)
Does your compliance team need to track NIS2 obligations across multiple jurisdictions? → IgeraRegTech maps your obligations to NIS2, DORA and AI Act in a single dashboard →
Try IgeraRegTech free for 14 days →NIS2 Compliance Checklist — Art. 21 & 23
- Determine if your organisation is essential or important entity under NIS2
- Register with national competent authority (NCA) by deadline
- Conduct and document annual cybersecurity risk assessment
- Implement MFA for all critical system administrative access
- Establish 24h/72h incident reporting procedures and test them
- Review and update ICT vendor contracts with NIS2 security clauses
- Train all staff in cybersecurity hygiene (at least annually)
- Document BCP/DRP with tested recovery time objectives
Frequently asked questions — NIS2 2026
Does NIS2 apply to SMEs?
Generally no. NIS2 applies to medium entities (50+ employees or €10M+ turnover) and large entities (250+ employees or €50M+ turnover) in the 18 covered sectors. However, some micro-enterprises providing critical services (e.g. sole-provider DNS operators) may be in scope regardless of size.
What is the difference between NIS2 and DORA?
DORA (Digital Operational Resilience Act) applies specifically to financial entities (banks, insurers, investment firms, crypto-asset providers) and their ICT third-party providers. NIS2 is broader across sectors. For financial entities, DORA is lex specialis and takes precedence where there is overlap. Both apply simultaneously to most large financial institutions.
What counts as a 'significant incident' under NIS2?
An incident is significant if it causes severe operational disruption, financial loss to the entity, or affects other natural or legal persons by causing considerable material or non-material damage. ENISA published non-binding guidelines in Q1 2026 with sector-specific thresholds.
Can management be personally liable under NIS2?
Yes, for essential entities. Member states must ensure management bodies can be held personally liable for NIS2 infringements. This includes requiring management to attend cybersecurity training and approve risk management measures. A key departure from GDPR where liability is organisational.
How does IgeraRegTech help with NIS2 compliance?
IgeraRegTech provides a RAG-based compliance assistant that maps your organisation's documentation to NIS2 Art. 21 requirements, tracks incident reporting deadlines, and generates audit-ready evidence reports. It covers NIS2, DORA, AI Act and CSRD in a single platform.
What are the NIS2 registration deadlines for 2026?
Most EU member states required initial registration with the national competent authority by Q1 2026. Spain's NCA (INCIBE-CERT / DSN) and Germany's BSI have published entity registers. Check your member state's transposition law for specific deadlines — transposition quality varies significantly across the EU27.
Last updated: June 2026 · Author: IgeraSolutions Legal & RegTech Team · Sources: Directive EU 2022/2555 (NIS2), Arts. 3, 21, 23; ENISA NIS2 Implementation Guidelines Q1 2026; INCIBE-CERT NIS2 Entity Register Spain 2026. · This article does not constitute individual legal advice.