What is NIS2? The EU Directive Reshaping Cybersecurity Obligations
Legislative Background
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 — known as the NIS2 Directive — establishes measures for a high common level of cybersecurity across the European Union. It was published in the Official Journal of the EU on 27 December 2022 and entered into force on 16 January 2023, replacing the original NIS Directive (Directive (EU) 2016/1148).
The original NIS Directive, adopted in 2016, was the first piece of EU-wide cybersecurity legislation. While it laid the groundwork for cross-border cooperation and baseline security obligations, its implementation revealed significant shortcomings: divergent national transpositions led to fragmented requirements, the scope was too narrow to address evolving threats, and enforcement mechanisms lacked teeth. The European Commission's impact assessment identified that only 23% of organizations covered by NIS1 were adequately implementing its requirements.
NIS2 was designed to address these deficiencies through four strategic pillars: (1) a dramatically expanded scope covering more sectors and entity types, (2) harmonized cybersecurity risk management measures, (3) streamlined and mandatory incident reporting obligations, and (4) stronger supervisory and enforcement powers for national competent authorities. The Directive also strengthens the role of the Cooperation Group and the CSIRTs Network, and establishes the European Cyber Crises Liaison Organisation Network (EU-CyCLONe) for coordinated management of large-scale cybersecurity incidents.
Purpose of the Directive
Establishes the goal of achieving a high common level of cybersecurity across the EU.
Repeal of Directive 2016/1148
NIS1 is repealed with effect from 18 October 2024.
Scope Expansion: From 7 Sectors to 18
The most consequential change in NIS2 is its dramatically expanded scope. The original NIS Directive covered seven sectors — energy, transport, banking, financial market infrastructures, health, drinking water supply, and digital infrastructure. NIS2 expands coverage to eighteen sectors, organized into two Annexes that determine entity classification.
Annex I lists sectors of high criticality: energy (electricity, district heating, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructures, health (healthcare providers, EU reference laboratories, manufacturers of medical devices and in vitro diagnostics, entities manufacturing pharmaceutical products), drinking water, waste water, digital infrastructure (IXPs, DNS providers, TLD registries, cloud computing, data centres, CDNs, trust service providers, public electronic communications networks and services), ICT service management (B2B: managed service providers and managed security service providers), public administration (central government, regional level as defined by member states), and space.
Annex II lists other critical sectors: postal and courier services, waste management, manufacture/production/distribution of chemicals, food production/processing/distribution, manufacturing (medical devices, computer/electronic/optical products, electrical equipment, machinery and equipment n.e.c., motor vehicles/trailers/semi-trailers, other transport equipment), digital providers (online marketplaces, search engines, social networking platforms), and research organisations.
This expansion means that an estimated 160,000 entities across the EU now fall within scope — roughly ten times the number covered under NIS1. Sectors such as waste water management, space, public administration, and food production had no cybersecurity obligations at EU level before NIS2.
Scope
Defines scope by reference to Annex I and Annex II sectors combined with size thresholds.
Sectors of High Criticality
Lists 11 sector groups: energy, transport, banking, financial market infra, health, drinking water, waste water, digital infra, ICT service management, public admin, space.
Other Critical Sectors
Lists 7 sector groups: postal, waste, chemicals, food, manufacturing, digital providers, research.
DORA covers a narrower scope — 21 types of financial entities plus ICT third-party service providers. Financial entities in scope of DORA are generally also in scope of NIS2, but DORA prevails as lex specialis for ICT-related requirements.
ISO 27001 requires the organisation to define the scope of its ISMS, including boundaries and applicability. NIS2 defines scope externally through sector classification and size thresholds: an organisation cannot narrow its NIS2 obligations by drawing its ISMS boundary tightly.
Essential vs Important Entities
NIS2 introduces a two-tier classification system that replaces the operator of essential services (OES) and digital service provider (DSP) categories from NIS1. Under NIS2, entities are classified as either essential or important, and the classification determines the supervisory regime and penalty ceiling.
Essential entities are defined in Article 3(1) and include: entities in Annex I sectors that exceed the medium-sized enterprise ceiling (i.e., large enterprises: 250 or more employees, or both an annual turnover above EUR 50 million and an annual balance sheet total above EUR 43 million), qualified trust service providers, TLD name registries, DNS service providers, providers of public electronic communications networks or publicly available electronic communications services that qualify as medium-sized enterprises, public administration entities at central government level, any entity identified as critical under Directive (EU) 2022/2557 (CER Directive), entities identified as OES under NIS1 where the member state chooses to maintain that status, and entities the member state designates as essential because they are the sole provider of a service essential for critical societal or economic activities.
Important entities constitute the remaining in-scope entities — those in Annex I or Annex II sectors that meet the size threshold but do not qualify as essential. This is the default classification: if an entity is in scope and not designated essential, it is automatically important.
The practical difference lies in supervision and penalties. Essential entities are subject to an ex-ante supervisory regime: authorities can conduct proactive inspections, audits, and random checks without waiting for an incident. Important entities are supervised ex-post — authorities generally intervene only when evidence of non-compliance surfaces. The maximum administrative fine for essential entities is EUR 10,000,000 or 2% of worldwide annual turnover (whichever is higher), while for important entities the ceiling is EUR 7,000,000 or 1.4% of worldwide annual turnover.
Essential Entities
Defines criteria for essential entity classification including sector, size, and designated categories.
Important Entities
All in-scope entities not meeting essential criteria are classified as important by default.
Supervisory Measures — Essential Entities
Establishes ex-ante supervision including on-site inspections, security audits, and evidence requests.
Supervisory Measures — Important Entities
Establishes ex-post supervision triggered by evidence of non-compliance.
Size Thresholds: Medium Enterprises and Above
NIS2 applies a size-cap rule aligned with the EU SME definition in Commission Recommendation 2003/361/EC. As a general principle, the Directive applies to entities that qualify as medium-sized enterprises or larger. Under the Recommendation an enterprise remains small (and therefore outside the size cap) as long as it has fewer than 50 employees and at least one of its two financial figures, annual turnover or annual balance sheet total, does not exceed EUR 10 million. An entity therefore crosses into NIS2 scope when it has 50 or more employees, or when both its annual turnover and its annual balance sheet total exceed EUR 10 million.
This size-cap approach was a deliberate design choice to create legal certainty and avoid the fragmented, designation-based approach of NIS1. Under NIS1, member states had to individually identify and designate operators of essential services, which led to wildly inconsistent scoping across the EU. Under NIS2, any entity operating in a covered sector that meets the size threshold is automatically in scope.
However, the Directive includes several important exceptions where entities fall in scope regardless of size. These include: providers of public electronic communications networks or publicly available electronic communications services, trust service providers, TLD name registries and DNS service providers, entities that are the sole provider of a service in a member state that is essential for the maintenance of critical societal or economic activities, entities whose disruption could have significant impact on public safety, public security, or public health, and entities identified by member states under their national transposition as essential or important based on risk assessment.
Member states may also extend NIS2 obligations to local and regional public administration entities based on a risk assessment, and under Article 3(3) they must establish a list of essential and important entities by 17 April 2025 and review it at least every two years thereafter.
Size-Cap Rule
NIS2 applies to medium-sized and large entities in scope sectors, per Recommendation 2003/361/EC.
Exceptions to Size Threshold
Lists entity types that fall in scope regardless of size, including trust service providers, DNS providers, and sole critical providers.
Even if your organization is below the medium-enterprise size threshold, you may still be in scope if you provide DNS services, TLD registry services, trust services, public electronic communications, or if you are the sole provider of a critical service in a member state.
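The size-cap rule above, the size-independent exceptions, and the essential/important split from the previous section combine into a single decision procedure. The following Python is an added example written for this page, not a tool from the Directive, FortisEU, or any competent authority: it encodes the page's description of those rules so the three-step logic (sector listed, size or exception, essential criterion) can be checked against concrete entities. Sector and subsector labels, the sample entities and their figures are constructed for illustration; national transpositions add designations this example cannot know about.

```python
from dataclasses import dataclass, field
from enum import Enum

# Sector groups as the page lists them for Annex I (high criticality) and
# Annex II (other critical sectors). The labels are this example's own, not
# identifiers from the Directive.
ANNEX_I = {
    "energy", "transport", "banking", "financial market infrastructure",
    "health", "drinking water", "waste water", "digital infrastructure",
    "ict service management", "public administration", "space",
}
ANNEX_II = {
    "postal and courier", "waste management", "chemicals", "food",
    "manufacturing", "digital providers", "research",
}
# Entity types that are in scope regardless of size (Art. 2(2)(a)).
SIZE_INDEPENDENT = {
    "public electronic communications", "trust services",
    "qualified trust services", "tld name registry", "dns service provider",
}
# Of those, the types the page lists as essential regardless of size.
ESSENTIAL_REGARDLESS_OF_SIZE = {
    "qualified trust services", "tld name registry", "dns service provider",
}


class Size(Enum):
    SMALL_OR_MICRO = 1
    MEDIUM = 2
    LARGE = 3


@dataclass
class Entity:
    name: str
    sector: str                       # an ANNEX_I / ANNEX_II label, or anything else
    subsector: str = ""               # e.g. "dns service provider" (assumed label)
    employees: int = 0
    turnover_eur: float = 0.0
    balance_sheet_eur: float = 0.0
    central_government: bool = False  # central-level public administration
    cer_critical: bool = False        # identified as critical under Directive (EU) 2022/2557
    sole_provider: bool = False       # designated sole provider of an essential service
    legacy_oes_retained: bool = False # NIS1 OES status kept by the member state


@dataclass
class Decision:
    tier: str                         # "out of scope", "essential" or "important"
    size: Size
    reasons: list = field(default_factory=list)


def size_class(e: Entity) -> Size:
    """Size bands of Recommendation 2003/361/EC.

    An enterprise stays in a band while it is under the headcount ceiling AND
    at least one of its two financial figures is under the band's ceiling, so
    it moves up only on headcount OR when both financial figures exceed it.
    """
    if e.employees >= 250 or (e.turnover_eur > 50e6 and e.balance_sheet_eur > 43e6):
        return Size.LARGE
    if e.employees >= 50 or (e.turnover_eur > 10e6 and e.balance_sheet_eur > 10e6):
        return Size.MEDIUM
    return Size.SMALL_OR_MICRO


def classify(e: Entity) -> Decision:
    size = size_class(e)
    if e.sector not in ANNEX_I and e.sector not in ANNEX_II:
        return Decision("out of scope", size, ["sector not listed in Annex I or II"])

    # Step 1: in scope? Size cap first, then the size-independent routes.
    reasons = []
    if size != Size.SMALL_OR_MICRO:
        reasons.append(f"{size.name.lower()} enterprise in an annex sector")
    for cond, text in (
        (e.subsector in SIZE_INDEPENDENT, f"{e.subsector}: in scope regardless of size"),
        (e.central_government, "central government public administration"),
        (e.cer_critical, "identified as critical under the CER Directive"),
        (e.sole_provider, "sole provider of an essential service"),
    ):
        if cond:
            reasons.append(text)
    if not reasons:
        return Decision("out of scope", size,
                        ["below the medium-enterprise threshold and no exception applies"])

    # Step 2: essential or important? Important is the default.
    grounds = [text for cond, text in (
        (e.sector in ANNEX_I and size == Size.LARGE, "Annex I sector above the medium-size ceiling"),
        (e.subsector in ESSENTIAL_REGARDLESS_OF_SIZE, f"{e.subsector}: essential regardless of size"),
        (e.subsector == "public electronic communications" and size != Size.SMALL_OR_MICRO,
         "public electronic communications provider of at least medium size"),
        (e.central_government, "central government entity"),
        (e.cer_critical, "CER critical entity"),
        (e.sole_provider, "sole provider designated essential"),
        (e.legacy_oes_retained, "NIS1 OES status retained"),
    ) if cond]
    if grounds:
        return Decision("essential", size, reasons + grounds)
    return Decision("important", size, reasons + ["no essential criterion met"])


# Constructed sample entities (figures invented for illustration).
SAMPLE_ENTITIES = [
    Entity("Regional hospital", "health", employees=1200, turnover_eur=300e6, balance_sheet_eur=250e6),
    Entity("Small DNS operator", "digital infrastructure", "dns service provider", 12, 2e6, 1e6),
    Entity("Small ISP", "digital infrastructure", "public electronic communications", 30, 5e6, 3e6),
    Entity("Chemical distributor", "chemicals", employees=80, turnover_eur=20e6, balance_sheet_eur=9e6),
    Entity("Family bakery", "food", employees=40, turnover_eur=8e6, balance_sheet_eur=4e6),
    # 45 staff but both financial figures above EUR 10M: medium, hence in scope.
    Entity("Cloud startup", "digital infrastructure", "cloud computing", 45, 30e6, 20e6),
    Entity("Ministry", "public administration", employees=20, central_government=True),
]


def summarize(entities=SAMPLE_ENTITIES) -> dict:
    """Map entity name to tier, the view a scoping exercise would produce."""
    return {e.name: classify(e).tier for e in entities}


if __name__ == "__main__":
    for e in SAMPLE_ENTITIES:
        d = classify(e)
        print(f"{e.name:22s} {d.size.name:15s} {d.tier:13s} {'; '.join(d.reasons)}")
```

The "Cloud startup" case is the one most often scoped wrongly: headcount under 50 does not keep an entity out when both turnover and balance sheet exceed EUR 10 million, and the "Small ISP" case shows the other half of the rule, in scope regardless of size but important rather than essential because only medium-sized public electronic communications providers are essential.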
Lex Specialis: NIS2 and DORA
Article 4 of the NIS2 Directive establishes the lex specialis principle: where a sector-specific EU legal act imposes cybersecurity risk management or incident reporting obligations that are at least equivalent in effect to those in NIS2, the sector-specific act prevails. This principle is directly relevant for entities simultaneously subject to NIS2 and the Digital Operational Resilience Act (Regulation (EU) 2022/2554 — DORA).
DORA applies to financial entities (credit institutions, investment firms, insurance undertakings, payment institutions, and others listed in Article 2 of DORA) as well as their critical ICT third-party service providers. For these financial entities, DORA's ICT risk management framework (Chapter II), ICT incident reporting (Chapter III), digital operational resilience testing (Chapter IV), and ICT third-party risk management (Chapter V) requirements are considered lex specialis to the corresponding NIS2 provisions.
In practice, this means that a bank or insurance company subject to DORA does not need to separately implement NIS2 cybersecurity risk management measures under Article 21 or NIS2 incident reporting under Article 23 — provided it fully complies with the equivalent DORA requirements. However, NIS2 still applies in areas where DORA does not provide equivalent coverage, such as supply chain security obligations beyond ICT third parties, or governance requirements that go beyond DORA's management body provisions.
The lex specialis relationship is not a blanket exemption. It operates at the level of individual obligations: each NIS2 requirement must be individually assessed for equivalence with the corresponding DORA provision. Organizations subject to both should conduct a detailed mapping exercise to identify where DORA coverage satisfies NIS2 and where supplementary measures are needed.
Sector-Specific Union Legal Acts
Establishes the lex specialis principle: sector-specific acts with equivalent obligations prevail over NIS2.
Relationship with DORA
Clarifies that DORA should be considered lex specialis for financial entities regarding ICT risk, incident reporting, resilience testing, and third-party risk.
DORA's comprehensive ICT risk management framework is considered equivalent to NIS2 Art. 21 cybersecurity measures for financial entities.
DORA's incident classification and reporting requirements satisfy NIS2 Art. 23 incident notification obligations for financial entities.
Territorial Scope: EU Entities and Non-EU Providers
NIS2 has extraterritorial reach. The Directive applies not only to entities established in the EU but also to certain categories of entities established outside the EU that provide services within the Union.
Under Article 26(3), the following entity types must designate a representative in the EU if they are not established in the Union but offer services within it: DNS service providers, TLD name registries, entities providing domain name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, and providers of online marketplaces, online search engines or social networking services platforms. The representative must be established in one of the member states where the services are offered.
The jurisdiction rules in Article 26(1) start from the member state in which an entity is established. For the digital infrastructure and digital provider types listed in Article 26(1)(b) (the same list as above), jurisdiction lies with the member state of the entity's main establishment, which Article 26(2) defines as the member state where decisions on cybersecurity risk management measures are predominantly taken. Providers of public electronic communications networks or services fall under the jurisdiction of the member state in which they provide their services, and public administration entities under the member state that established them. A non-EU entity required to designate a representative is deemed to fall under the jurisdiction of the member state where that representative is established.
This territorial scope has significant implications. A US-based cloud provider serving EU customers must designate an EU representative and comply with NIS2 obligations including cybersecurity risk management measures and incident reporting. Similarly, a managed security service provider headquartered in Asia but serving EU clients is subject to NIS2. The practical enforcement mechanism is through the designated representative, who can be held accountable by the relevant national competent authority.
Under Article 3(3) and 3(5), member states must establish their list of essential and important entities by 17 April 2025, notify the Commission and the Cooperation Group of the resulting numbers per sector by the same date, and repeat both at least every two years thereafter.
Jurisdiction and Territoriality
Entities under NIS2 are subject to jurisdiction of the member state of main establishment.
Non-EU Entity Representative
Non-EU entities providing services in the EU must designate a representative in a member state where services are offered.
Representative Accountability
The designated representative can be held liable for non-compliance on behalf of the entity.
Non-EU organizations providing cloud computing, managed services, managed security services, DNS, CDN, data centre, or digital platform services within the EU must designate an EU representative and comply with NIS2 obligations. Failure to do so may result in enforcement action by national competent authorities.
Frequently Asked Questions
Who does the NIS2 Directive apply to?
NIS2 applies to medium-sized and large entities (50 or more employees, or both annual turnover and annual balance sheet total above EUR 10 million) operating in the 18 sectors listed in Annex I and Annex II. Certain entity types, including DNS providers, trust service providers, TLD registries, and public electronic communications providers, are in scope regardless of size. Non-EU entities providing covered digital services in the EU must also comply.
When did NIS2 come into effect?
The NIS2 Directive entered into force on 16 January 2023. Member states had until 17 October 2024 to transpose it into national law. From 18 October 2024, the original NIS Directive (2016/1148) was repealed and NIS2 obligations apply. However, not all member states have completed transposition on time.
What is the difference between NIS1 and NIS2?
NIS2 dramatically expands on NIS1 in four key areas: scope (18 sectors vs 7, approximately 160,000 entities vs 15,000), harmonised cybersecurity measures (10 specific risk management measures in Art. 21), stricter incident reporting (24h/72h mandatory timelines), and stronger enforcement (administrative fines up to EUR 10M or 2% of turnover, personal liability for management bodies).
Why was NIS2 necessary?
The original NIS Directive suffered from divergent national transpositions, too-narrow scope, inadequate enforcement, and insufficient incident reporting harmonisation. The Commission's impact assessment found that cyber resilience varied significantly across member states, creating a patchwork of obligations that undermined the single market's security posture. NIS2 addresses these through uniform requirements and expanded coverage.
How does FortisEU help with NIS2 compliance?
FortisEU provides a structured compliance automation platform that maps all NIS2 obligations to actionable controls, tracks evidence against each Art. 21 requirement, automates incident reporting workflows with CSIRT-aligned timelines, manages supply chain risk assessments, and generates audit-ready documentation — all on EU-hosted infrastructure with sovereign AI assistance.
This content is for informational purposes only and does not constitute legal advice. Consult qualified legal counsel for compliance decisions.
Automate NIS2 Compliance with FortisEU
Turn regulatory obligations into actionable controls with evidence workflows, real-time dashboards, and EU-sovereign AI assistance.