NIS2 Directive
The EU cybersecurity baseline for essential and important entities
The NIS2 Directive establishes a high common level of cybersecurity across the European Union. It replaces the original NIS Directive (2016/1148) with expanded scope, stricter supervisory measures, and harmonised enforcement provisions across 27 Member States. FortisEU operationalises NIS2 compliance with automated evidence collection, incident reporting workflows, and supply chain risk management.
Directive (EU) 2022/2555
NIS2 Fine Calculator
Estimate your organisation's maximum NIS2 penalty exposure based on entity classification, turnover, and infringement severity.
NIS2 Template Pack
Pre-built policy templates, risk assessment frameworks, and incident response plans mapped to Article 21 requirements.
NIS2 vs DORA Comparison
Side-by-side analysis of NIS2 and DORA requirements, scope, and enforcement mechanisms for dual-regulated entities.
Common Questions
Who is in scope of the NIS2 Directive?
NIS2 applies to essential and important entities across 18 sectors including energy, transport, banking, health, digital infrastructure, ICT service management, public administration, and space. Entities are classified based on sector, size (medium or large under the EU SME definition: 50+ employees or EUR 10M+ turnover), and criticality. Member States may also designate smaller entities that meet specific risk criteria.
What are the maximum penalties under NIS2?
Essential entities face fines up to EUR 10,000,000 or 2% of total worldwide annual turnover, whichever is higher. Important entities face fines up to EUR 7,000,000 or 1.4% of total worldwide annual turnover. Member States may also impose periodic penalty payments and suspend certifications or authorisations for essential entities.
Can management bodies be held personally liable under NIS2?
Yes. Article 20 requires management bodies of essential and important entities to approve cybersecurity risk-management measures and to oversee their implementation. Management bodies must undergo cybersecurity training. Member States must ensure that management bodies can be held liable for infringements, including through temporary prohibition from exercising managerial functions in essential entities.
How does NIS2 relate to DORA?
DORA (Regulation (EU) 2022/2554) is lex specialis to NIS2 for financial entities. Where DORA applies more specific ICT risk management, incident reporting, or resilience testing requirements, those provisions take precedence over the corresponding NIS2 requirements. Financial entities subject to DORA still fall within NIS2 scope but comply with the more specific DORA provisions rather than the general NIS2 measures.
Does NIS2 apply to third-country providers serving the EU?
Yes. Non-EU entities that provide services within the EU and fall within NIS2 scope must designate a representative in one of the Member States where they provide services. DNS service providers, TLD name registries, cloud computing providers, data centre operators, CDN providers, managed service providers, managed security service providers, online marketplaces, search engines, and social networking platforms established outside the EU but serving the EU market are explicitly covered.
What are the incident reporting obligations under NIS2?
NIS2 mandates a multi-stage incident reporting process. Within 24 hours of becoming aware of a significant incident, entities must submit an early warning to the CSIRT or competent authority. Within 72 hours, a formal incident notification with an initial assessment must follow. A final report is due within one month, including root cause analysis, mitigation measures, and cross-border impact. Intermediate status updates may be requested at any time.
Operationalise NIS2 Compliance
Turn NIS2 requirements into automated workflows, evidence collection, and audit-ready outputs. Create an account or schedule a personalised demo.