Question 1

What is the NIS2 Directive?

Accepted Answer

The NIS2 Directive (Directive 2022/2555) is the EU's updated cybersecurity legislation that replaces the original NIS Directive. It establishes a high common level of cybersecurity across the European Union by imposing risk-management and incident-reporting obligations on Essential and Important entities across 18 critical sectors.

Question 2

Who must comply with NIS2?

Accepted Answer

NIS2 applies to medium and large organisations operating in 18 sectors classified as Essential (energy, transport, banking, health, digital infrastructure, public administration, space) or Important (postal, waste, chemicals, food, manufacturing, digital providers, research). Member States may also designate smaller entities deemed critical.

Question 3

What are the NIS2 Article 21 cybersecurity measures?

Accepted Answer

Article 21 requires entities to implement 10 minimum cybersecurity risk-management measures: risk analysis and policies, incident handling, business continuity, supply chain security, network security, vulnerability handling, cyber hygiene and training, cryptography, HR security, and multi-factor authentication.

Question 4

What are the penalties for NIS2 non-compliance?

Accepted Answer

Essential entities face fines of up to €10 million or 2% of global annual turnover, whichever is higher. Important entities face fines up to €7 million or 1.4% of global turnover. Member States may also impose personal liability on senior management.

Question 5

When did NIS2 take effect?

Accepted Answer

NIS2 entered into force on 16 January 2023. EU Member States were required to transpose it into national law by 17 October 2024. Enforcement timelines vary by country, but compliance obligations are now active in most jurisdictions.

NIS2 Directive Resources

Quick Navigation

What is the NIS2 Directive?

NIS2 Resources

NIS2 Directive Resources

Quick Navigation

What is the NIS2 Directive?

NIS2 Resources

Need Help with NIS2 Compliance?