Key Takeaways
  • NIS2 is not an incremental update — it is a fundamentally different regulatory framework
  • Scope expanded from several hundred entities per Member State to an estimated 160,000+ across the EU
  • 7 new sectors added, and a size-cap rule replaces Member State discretion in determining who is in scope
  • Penalties increased dramatically — from minimal and inconsistent to harmonised maximums of EUR 10M / 2% of turnover
  • New obligations introduced: supply chain security, management accountability, and harmonised multi-stage incident reporting
  • Treating NIS2 as "NIS1 plus a few updates" is the number-one reason readiness programmes fail

The NIS2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023 and replaced the original NIS Directive (Directive (EU) 2016/1148) on 18 October 2024. Whilst the numbering suggests a simple version increment — NIS1 to NIS2 — the reality is far more consequential. NIS2 is not an amendment or a targeted update. It is a wholesale replacement that fundamentally changes the scope, obligations, enforcement, and governance expectations of EU cybersecurity regulation.

This article provides a comprehensive, dimension-by-dimension comparison of NIS1 and NIS2. It explains what changed, why it changed, and — critically — why organisations that treat NIS2 as a minor update to their existing NIS1 programmes consistently fail to achieve readiness.

Background: Why NIS1 Was Replaced

The original NIS Directive was adopted on 6 July 2016 as the first piece of EU-wide legislation on cybersecurity. It was a landmark achievement that established cooperation mechanisms, created national competent authorities, and introduced security and notification obligations for operators of essential services and digital service providers.

However, by the time the European Commission began its review in 2020, NIS1's structural limitations had become impossible to ignore:

Fragmented Transposition

NIS1 gave Member States wide discretion in identifying which entities qualified as Operators of Essential Services (OES). The result was radical inconsistency. A hospital operator might be designated as an OES in Germany but not in neighbouring Austria. An energy company could face stringent obligations in one jurisdiction and minimal requirements in another. This fragmentation undermined the Directive's goal of achieving a common level of security and created compliance complexity for cross-border operators.

Narrow Scope

NIS1 covered only seven sectors: energy, transport, banking, financial market infrastructures, health, drinking water, and digital infrastructure. This left entire industries critical to the economy and society — manufacturing, food production, waste management, public administration, postal services, space — completely outside the regulatory perimeter. With only approximately 10,000–15,000 entities in scope across the entire EU, the Directive's impact on the overall cybersecurity posture of the European economy was structurally limited.

Inconsistent Enforcement

NIS1 left penalty levels entirely to Member State discretion. Some countries imposed fines of a few thousand euros; others set thresholds in the millions. In several Member States, enforcement actions were exceptionally rare. The result was an inconsistent deterrent: organisations in some jurisdictions faced genuine compliance pressure, whilst others could effectively ignore the Directive with minimal consequence.

No Harmonised Penalties

Without EU-level minimum penalty thresholds, the NIS1 enforcement landscape was uneven and unpredictable. Organisations operating across multiple Member States faced different penalty exposures depending on where they were assessed, which made enterprise-wide compliance prioritisation difficult.

The European Commission's own impact assessment for NIS2 concluded that NIS1 resulted in "insufficient levels of cyber resilience of businesses operating in the EU" and "inconsistent resilience across Member States and sectors." The Commission determined that targeted amendments were insufficient — the Directive needed to be replaced entirely.

Master Comparison Table

The following table provides a comprehensive side-by-side comparison of NIS1 and NIS2 across every major regulatory dimension. This is the reference table for understanding what changed.

Dimension | NIS1 (Directive 2016/1148) | NIS2 (Directive 2022/2555)
Adoption date | 6 July 2016 | 14 December 2022
Entry into force | August 2016 | 16 January 2023
Entity categories | OES (Operators of Essential Services) and DSP (Digital Service Providers) | Essential Entities and Important Entities
Sectors covered | 7 sectors | 18 sectors (11 "high criticality" + 7 "other critical")
Scope determination | Individual identification by each Member State | Uniform size-cap rule (medium and large enterprises) with specific exceptions
Size threshold | No uniform threshold — Member State discretion | 50+ employees or EUR 10M+ turnover (medium); 250+ employees or EUR 50M+ turnover (large)
Estimated entities in scope | ~10,000–15,000 across the EU | ~160,000+ across the EU
Penalties (maximum) | Set by each Member State — varied from negligible to moderate | Essential: EUR 10M / 2% global turnover; Important: EUR 7M / 1.4% global turnover
Personal liability | None | Management bodies personally liable (Article 20); temporary management bans for Essential entities
Management training | Not required | Mandatory cybersecurity training for management bodies (Article 20(2))
Incident reporting | "Without undue delay" — no specific timeline | Multi-stage: early warning (24h), notification (72h), intermediate (on request), final report (1 month)
Supply chain security | Not specifically addressed | Explicit obligation under Article 21(2)(d) — supplier and service provider security
Risk management measures | General "appropriate and proportionate" measures | Ten specific measures enumerated in Article 21(2), including cryptography, MFA, business continuity
Supervision model | Largely reactive — incident-triggered | Proactive (ex-ante) for Essential; reactive (ex-post) for Important
Enforcement harmonisation | Minimal — wide Member State discretion | Harmonised minimum penalty thresholds, enforcement powers, and supervisory measures
Non-monetary sanctions | Limited and inconsistent | Binding instructions, public disclosure, compliance orders, mandatory audits, temporary management bans
Enforcement powers | Basic — inspections and information requests | Comprehensive — on-site inspections, security audits, security scans, evidence requests, binding instructions
Cross-border coordination | Cooperation Group and CSIRTs network | Enhanced Cooperation Group, CSIRTs network, EU-CyCLONe for large-scale crisis management
Entity registration | Not required | Mandatory registration with competent authority

Scope Expansion

The scope expansion from NIS1 to NIS2 is the single most impactful change. It is not a marginal widening — it is a structural transformation that brings an entirely different scale of entities under regulatory obligation.

From OES/DSP to Essential/Important

NIS1 categorised in-scope entities as either Operators of Essential Services (OES) or Digital Service Providers (DSPs). OES were individually identified by each Member State through a process that assessed criticality, dependency, and potential impact. DSPs — limited to online marketplaces, search engines, and cloud computing services — faced a lighter-touch regime.

NIS2 eliminates this distinction entirely. All in-scope entities are classified as either Essential or Important based on two factors: the sector in which they operate and their size. The obligations are substantively the same for both categories; the key differences relate to the supervision model (proactive for Essential, reactive for Important) and penalty ceilings.

From Member State Discretion to EU-Wide Size-Cap Rule

Under NIS1, each Member State decided which entities qualified as OES. This led to wildly inconsistent outcomes — the same type of entity could be in scope in France but out of scope in Belgium. NIS2 replaces this with a uniform, EU-wide size-cap rule:

  • Medium enterprises: 50+ employees or EUR 10M+ annual turnover — generally classified as Important Entities
  • Large enterprises: 250+ employees or EUR 50M+ annual turnover — generally classified as Essential Entities

Certain entity types qualify regardless of size, including qualified trust service providers, top-level domain (TLD) name registries, DNS service providers, providers of public electronic communications networks, and central government public administration entities.

From 7 Sectors to 18 Sectors

NIS1 covered seven sectors. NIS2 covers eighteen — eleven classified as "sectors of high criticality" (Annex I) and seven as "other critical sectors" (Annex II). This near-tripling of sectoral coverage means that entire industries that previously had no EU-level cybersecurity obligations now face comprehensive requirements.

Sectors: What Was Added

Understanding which sectors are new in NIS2 is essential for organisations assessing their applicability.

Sector | NIS1 Coverage | NIS2 Coverage
Energy | Covered | Covered (expanded sub-sectors including hydrogen)
Transport | Covered | Covered
Banking | Covered | Covered
Financial market infrastructures | Covered | Covered
Health | Covered | Covered (expanded to include laboratories, R&D, pharma manufacturing)
Drinking water | Covered | Covered
Digital infrastructure | Covered | Covered (expanded to include data centres, CDNs, trust services)
Space | Not covered | New in NIS2 — Annex I (high criticality)
Wastewater | Not covered | New in NIS2 — Annex I (high criticality)
Public administration | Not covered | New in NIS2 — Annex I (high criticality), central government level
ICT service management (B2B) | Not covered | New in NIS2 — Annex I (high criticality), managed service and security providers
Postal and courier services | Not covered | New in NIS2 — Annex II (other critical)
Waste management | Not covered | New in NIS2 — Annex II (other critical)
Chemicals | Not covered | New in NIS2 — Annex II (other critical)
Food production and distribution | Not covered | New in NIS2 — Annex II (other critical)
Manufacturing | Not covered | New in NIS2 — Annex II (other critical), including medical devices, computers, electronics, machinery, motor vehicles
Digital providers | DSPs (limited: marketplaces, search, cloud) | Expanded in NIS2 — Annex II, including online marketplaces, search engines, social networking platforms
Research organisations | Not covered | New in NIS2 — Annex II (other critical)

The practical consequence is that tens of thousands of organisations — particularly in manufacturing, food production, chemicals, and public administration — face EU-level cybersecurity obligations for the first time. Many of these organisations have limited cybersecurity maturity, making the readiness challenge particularly acute in newly covered sectors.

Incident Reporting: Harmonised and Stricter

Incident reporting is one of the areas where the difference between NIS1 and NIS2 is most stark. NIS1's approach was intentionally flexible; NIS2's is intentionally precise.

NIS1: "Without Undue Delay"

NIS1 required operators of essential services to notify the competent authority of incidents having a "significant impact" on the continuity of services — but the notification had to occur only "without undue delay." This deliberately vague formulation was interpreted inconsistently across Member States. Some entities reported within hours; others took days or weeks. The absence of a multi-stage structure meant that authorities received either a premature report with little useful information or a delayed report when the window for effective coordination had passed.

NIS2: Specific 24h / 72h / 1-Month Timeline

NIS2's Article 23 replaces the vague standard with a structured, multi-stage process:

  • Early warning — within 24 hours: The entity must submit an early warning to the CSIRT or competent authority within 24 hours of becoming aware of a significant incident. The early warning must indicate whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact.
  • Incident notification — within 72 hours: A more detailed notification updating the early warning with an initial assessment of the incident, including its severity and impact, and where available, the indicators of compromise.
  • Intermediate report — on request: The CSIRT or competent authority may request an intermediate report with relevant status updates at any point between the notification and the final report.
  • Final report — within one month: A comprehensive report submitted no later than one month after the incident notification. This must include a detailed description of the incident (including severity and impact), the type of threat or root cause likely to have triggered it, applied and ongoing mitigation measures, and the cross-border impact where applicable.

This structured approach serves two purposes: it provides authorities with early intelligence for situational awareness and cross-border coordination, and it ensures that organisations conduct thorough post-incident analysis within a defined timeframe. The 24-hour early warning requirement, in particular, demands that organisations maintain detection and triage capabilities that can operate around the clock — a capability that many NIS1-era programmes did not possess.
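As an added illustration of the Article 23 timeline described above (example code written for this article, not tooling from the Directive, any CSIRT or competent authority): a small Python tracker that derives the 24h/72h/1-month deadlines from the moment of awareness, checks each stage for the minimum content listed above, and reports which stages are met, late, open or overdue. It assumes that "one month" means a calendar month (day clamped, so 31 January plus one month is the last day of February) and that the final report runs from the actual notification time once that is known.

```python
"""Article 23 reporting clock for one significant incident (added example)."""
from __future__ import annotations

import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Minimum content of each stage, as the page describes Article 23.
# Indicators of compromise are only "where available", so not required here.
REQUIRED_FIELDS = {
    "early_warning": {"suspected_malicious", "cross_border_impact"},
    "notification": {"severity", "impact"},
    "final_report": {"description", "severity", "impact", "root_cause", "mitigation"},
}


def utc(*args: int) -> datetime:
    """Helper for building timezone-aware UTC timestamps."""
    return datetime(*args, tzinfo=timezone.utc)


def add_one_month(ts: datetime) -> datetime:
    """Assumption: 'one month' is a calendar month with the day clamped
    (31 Jan -> 28/29 Feb), not a fixed 30 days."""
    year = ts.year + ts.month // 12
    month = ts.month % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class Article23Clock:
    aware_at: datetime                       # when the entity became aware
    submitted: dict[str, datetime] = field(default_factory=dict)

    def deadlines(self) -> dict[str, datetime]:
        """Early warning and notification run from awareness; the final report
        runs from the notification (its real submission time if known)."""
        notification_due = self.aware_at + timedelta(hours=72)
        anchor = self.submitted.get("notification", notification_due)
        return {
            "early_warning": self.aware_at + timedelta(hours=24),
            "notification": notification_due,
            "final_report": add_one_month(anchor),
        }

    def submit(self, stage: str, content: dict, at: datetime) -> list[str]:
        """Record a submission and return any required fields it lacks."""
        missing = sorted(REQUIRED_FIELDS[stage] - set(content))
        self.submitted[stage] = at
        return missing

    def status(self, now: datetime) -> dict[str, str]:
        """met/late for submitted stages, open/overdue for outstanding ones."""
        result = {}
        for stage, due in self.deadlines().items():
            sent = self.submitted.get(stage)
            if sent is not None:
                result[stage] = "met" if sent <= due else "late"
            else:
                result[stage] = "overdue" if now > due else "open"
        return result


if __name__ == "__main__":
    # Constructed scenario: awareness on 31 Jan 2024 at 10:00 UTC.
    clock = Article23Clock(aware_at=utc(2024, 1, 31, 10, 0))
    clock.submit("early_warning",
                 {"suspected_malicious": True, "cross_border_impact": False},
                 at=utc(2024, 1, 31, 20, 0))
    for stage, due in clock.deadlines().items():
        print(f"{stage:14} due {due.isoformat()}")
    print(clock.status(utc(2024, 2, 4, 0, 0)))
```

The same object can drive a tabletop exercise: advance `now` through the scenario and watch stages flip from open to overdue.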

Penalties: From Minimal to Meaningful

The penalty regime is where the shift from NIS1 to NIS2 is most visible in financial terms.

NIS1: Member State Discretion, Often Minimal

NIS1 left penalty levels entirely to Member States. The Directive required only that penalties be "effective, proportionate and dissuasive" — without specifying any minimum or maximum thresholds. In practice, this meant enormous variation. Some Member States set maximum fines in the low thousands of euros. Others provided for larger penalties but rarely imposed them. The result was that non-compliance with NIS1 carried minimal financial risk in many jurisdictions.

NIS2: Harmonised Maximums with Personal Liability

NIS2 sets a floor on the maximum administrative fines that every Member State must provide for:

  • Essential Entities: Administrative fines of at least EUR 10,000,000 or 2% of total annual worldwide turnover in the preceding financial year, whichever is higher
  • Important Entities: Administrative fines of at least EUR 7,000,000 or 1.4% of total annual worldwide turnover in the preceding financial year, whichever is higher

Critically, NIS2 also introduces personal liability for management bodies. Under Article 20, management bodies must approve and oversee cybersecurity risk-management measures — and can be held personally liable for infringements. For Essential entities, competent authorities may even request temporary bans on individuals exercising managerial functions. This personal dimension changes the risk calculus for executives and board members in a way that NIS1 never did.

In addition to financial penalties, NIS2 provides for non-monetary sanctions that can be more operationally disruptive than fines: binding instructions, public disclosure of violations, compliance orders, mandatory security audits at the entity's expense, and temporary suspension of certifications or authorisations.

Supply Chain: New Obligation

NIS1 contained no explicit provisions addressing supply chain security. Given the threat landscape of 2016, this was perhaps understandable — but the intervening years brought SolarWinds, Kaseya, Log4j, and numerous other supply chain compromises that demonstrated the scale of the gap.

NIS2: Article 21(2)(d) — Mandatory

NIS2's Article 21(2)(d) makes supply chain security an explicit, mandatory element of cybersecurity risk management. Entities must address "supply chain security, including security-related aspects concerning the relationships between each entity and its direct suppliers or service providers." In practice, this requires organisations to:

  • Conduct security assessments of direct suppliers and service providers
  • Incorporate security requirements into contractual arrangements
  • Monitor and periodically review the security practices of critical suppliers
  • Account for the overall quality of products and cybersecurity practices of suppliers, including their secure development procedures
  • Consider the results of coordinated security risk assessments of critical supply chains carried out under Article 22

For organisations with no existing third-party risk management programme, building these capabilities is a multi-month effort that requires coordination across procurement, legal, IT security, and business stakeholder teams. This is one of the areas where the gap between NIS1 and NIS2 compliance is widest.

Management Accountability: New Obligation

NIS1 was silent on the role of management bodies in cybersecurity. There were no provisions requiring board engagement, no accountability mechanisms, and no training obligations. In many NIS1-regulated organisations, cybersecurity remained siloed within the IT department with limited visibility or involvement at the executive and board level.

NIS2: Article 20 — Personal Liability

NIS2's Article 20 introduces a governance obligation that has no NIS1 precedent. Member States must ensure that management bodies of Essential and Important entities:

  • Approve the cybersecurity risk-management measures adopted pursuant to Article 21
  • Oversee the implementation of those measures
  • Can be held liable for infringements of the entity's obligations under the Directive
  • Undergo training to gain sufficient knowledge and skills to identify risks, assess cybersecurity risk-management practices, and evaluate their impact on the services provided by the entity
  • Encourage similar training for employees on a regular basis

The personal liability provision means that management body members cannot delegate away responsibility by appointing a CISO or establishing a security committee. The obligation to approve and oversee is non-delegable. Boards must demonstrate active, documented engagement — not merely passive receipt of periodic reports.

For Essential entities, the consequences are particularly severe: competent authorities may request that a court temporarily ban a natural person from exercising managerial functions. This is an extraordinary enforcement measure with no equivalent in NIS1, GDPR, or most other EU regulatory frameworks.

Supervision: Proactive for the First Time

The supervision model is another area of fundamental change. NIS1 was largely reactive — competent authorities typically became involved only after an incident was reported or a complaint was received. This meant that organisations with poor security practices but no reported incidents could avoid scrutiny indefinitely.

NIS2: Two-Tier Supervision

NIS2 introduces a two-tier supervision model that distinguishes between Essential and Important entities:

  • Essential Entities — Proactive (Ex-Ante) Supervision: Competent authorities may conduct on-site inspections, regular and targeted security audits, ad hoc audits, security scans, and evidence requests at any time, without requiring a triggering incident. This proactive model means Essential entities must maintain continuous compliance readiness — not just prepare when something goes wrong.
  • Important Entities — Reactive (Ex-Post) Supervision: Competent authorities take supervisory action only when provided with evidence or indications of non-compliance — such as incident notifications, third-party complaints, or intelligence from other authorities. The available measures are broadly similar once triggered, but the overall supervisory intensity is expected to be lower.

The shift to proactive supervision for Essential entities is one of the most operationally significant changes in NIS2. It transforms the compliance posture from "be ready when something goes wrong" to "be ready at all times." Organisations must ensure that their documented policies are operationally implemented, that evidence is readily available, and that key personnel can articulate and demonstrate compliance during an unannounced inspection.

Why Treating NIS2 as a Minor Update Fails

The most common and consequential mistake organisations make is approaching NIS2 as an incremental update to an existing NIS1 programme. This assumption leads to specific, predictable failure modes:

Scope Assumption Error

Organisations assume they are still out of scope because they were not identified as an OES under NIS1. NIS2's size-cap rule means that any medium or large enterprise in one of the 18 covered sectors is automatically in scope — no individual identification is required. The scope question must be re-assessed from first principles.

Gap Analysis Reuse

Organisations attempt to reuse their NIS1 gap analysis as the baseline for NIS2 readiness. Because NIS2 introduces entirely new requirement categories — management accountability, supply chain security, ten enumerated risk-management measures — a NIS1 baseline systematically understates the gap. The result is a readiness programme that is undersized, under-resourced, and under-estimated in duration.

Incident Reporting Unpreparedness

NIS1's "without undue delay" allowed organisations to report incidents in their own time, often days after detection. NIS2's 24-hour early warning requirement demands detection, triage, and reporting capabilities that operate around the clock. Organisations that have not built or validated 24/7 incident response capabilities discover this gap only during a real incident — when it is too late to address.

Supply Chain Blind Spot

Because NIS1 did not require supply chain security, most NIS1 programmes contain no third-party risk assessment methodology, no contractual security clauses, and no supplier monitoring processes. Building a mature supply chain security programme requires months of effort across procurement, legal, and security functions. Organisations that discover this gap late in their NIS2 programme invariably miss their readiness targets.

Board Engagement Gap

NIS1 had no governance obligations. Many organisations have never presented cybersecurity risk-management measures to their board for formal approval, have no documented management oversight cadence, and have not provided cybersecurity training to management body members. Establishing genuine board engagement — not just a briefing slide — requires cultural change that cannot be achieved in weeks.

The Common Thread

Every failure mode above shares the same root cause: the assumption that NIS2 is a version upgrade rather than a regulatory replacement. Organisations that recognise NIS2 as a new framework — and approach it with fresh scoping, fresh gap analysis, and fresh programme design — consistently achieve readiness. Those that try to patch their NIS1 programme into NIS2 shape consistently do not.

How to Transition from NIS1 to NIS2

For organisations with existing NIS1 programmes, the following structured approach ensures that NIS2 readiness is achieved systematically rather than reactively.

Step 1: Re-Assess Applicability and Scope

  • Determine whether the organisation meets the NIS2 size-cap thresholds (50+ employees or EUR 10M+ turnover)
  • Map all business units, subsidiaries, and services against the 18 NIS2 sectors
  • Determine whether the organisation qualifies as Essential or Important
  • Identify the applicable competent authority and CSIRT in each jurisdiction of operation

Step 2: Conduct a NIS2-Specific Gap Assessment

  • Assess compliance against all ten Article 21(2) risk-management measures — not just the general "appropriate and proportionate" standard from NIS1
  • Evaluate governance readiness against Article 20 requirements (management approval, oversight, training, liability)
  • Test incident reporting capability against the 24h/72h/1-month timelines
  • Assess supply chain security maturity against Article 21(2)(d) requirements
  • Document the gap between current state and NIS2 requirements, with estimated effort and priority

Step 3: Design and Execute a NIS2 Readiness Programme

  • Establish a dedicated NIS2 readiness workstream with executive sponsorship
  • Prioritise governance and incident reporting capability — these are typically the highest-effort, longest-lead-time workstreams
  • Develop or enhance supply chain security processes in coordination with procurement and legal
  • Build the evidence base that will be required during supervisory inspections
  • Register with the relevant competent authority as required

Step 4: Validate and Test

  • Conduct a pre-assessment or internal audit against NIS2 requirements
  • Test incident reporting procedures through tabletop exercises that simulate the 24h/72h timeline
  • Verify that management body members can demonstrate their knowledge and oversight role
  • Ensure that evidence is organised, current, and retrievable for a potential supervisory inspection

How Glocert International Helps

Glocert International provides end-to-end NIS2 readiness support, from initial applicability assessment through gap analysis, programme design, and pre-assessment validation. Our NIS2 advisory team combines regulatory expertise with practical implementation experience across Essential and Important entity categories. We help organisations that are transitioning from NIS1, entering scope for the first time, or validating their existing readiness programmes.

Contact us to discuss your NIS2 readiness →

Frequently Asked Questions

Is NIS2 just an update to NIS1?

No. NIS2 (Directive 2022/2555) is a fundamental replacement of NIS1 (Directive 2016/1148), not a minor revision. It expands scope from approximately 10,000 entities to over 160,000, introduces harmonised penalties up to EUR 10 million or 2% of global turnover, adds personal management liability, mandates multi-stage incident reporting within 24/72 hours, and creates explicit supply chain security obligations. Treating NIS2 as an incremental update is the most common reason readiness programmes fail.

If my organisation was compliant with NIS1, are we automatically compliant with NIS2?

No. NIS1 compliance covers only a subset of NIS2 requirements. Key gaps include management body accountability (Article 20), multi-stage incident reporting timelines (24h/72h/1 month under Article 23), supply chain security obligations (Article 21(2)(d)), ten enumerated risk-management measures, and the new proactive supervision regime for Essential entities. A formal gap assessment against NIS2 is essential before assuming readiness.

How many more organisations are affected by NIS2 compared to NIS1?

NIS1 applied to approximately 10,000–15,000 entities across the EU, individually identified by each Member State. NIS2 is estimated to bring 160,000+ entities into scope by expanding covered sectors from 7 to 18 and replacing the individual identification process with a uniform size-based threshold (medium and large enterprises with 50+ employees or EUR 10M+ turnover).

What are the main new obligations in NIS2 that did not exist in NIS1?

The principal new obligations are: (1) management body accountability including personal liability and mandatory cybersecurity training under Article 20; (2) supply chain security requirements covering direct suppliers and service providers under Article 21(2)(d); (3) multi-stage incident reporting with specific 24-hour, 72-hour, and one-month deadlines under Article 23; (4) ten enumerated risk-management measures including cryptography, MFA, and business continuity under Article 21(2); and (5) mandatory registration with the relevant competent authority.

Does ISO 27001 certification satisfy NIS2 requirements?

ISO 27001 provides an excellent foundation and covers an estimated 60–70% of NIS2 requirements. However, it does not automatically satisfy all NIS2 obligations. Key gaps include the specific multi-stage incident reporting timelines (24h/72h), management body training requirements under Article 20(2), certain supply chain security specifics under Article 21(2)(d), registration obligations, and the governance accountability provisions. Organisations should map their ISO 27001 ISMS against NIS2 to identify and close the remaining gaps.