Quick guide to the NIS2 Directive, its cybersecurity requirements, critical sectors, and compliance duties for essential and important entities across the EU.
Published on Feb 27, 2026
Europe has been hit by a surge of disruptive cybersecurity risks, especially Germany’s notable 2025–2026 incidents, which exposed how uneven and outdated the continent’s security standards had become. To close these gaps, the EU introduced the NIS2 Directive, formally Directive (EU) 2022/2555, which replaces the original NIS Directive. NIS2 entered into force in January 2023 and required national transposition by October 2024 (though several countries missed the deadline).
NIS2 sets a unified cybersecurity baseline across 18 critical sectors, ranging from energy and healthcare to cloud services, manufacturing, and digital infrastructure. Its goal is straightforward: strengthen Europe’s cyber resilience by enforcing consistent, risk‑driven security practices.
We’ll break down cybersecurity obligations, penalties, and entity categories in detail later in this blog.
The European Union’s original cybersecurity rulebook, NIS1 (Directive 2016/1148), came into force in 2016 and covered only 7 sectors, including energy, transport, and banking. Its scope was narrow, and implementation varied widely across member states, creating uneven protection levels and fragmented obligations.
As cybersecurity risks escalated, driven by sophisticated ransomware campaigns and state‑sponsored intrusions, the limitations of NIS1 became evident. To address these gaps, the EU introduced NIS2 (Directive (EU) 2022/2555), significantly broadening its coverage to 18 sectors across “essential” and “important” entities. This expansion includes areas such as digital infrastructure, healthcare, manufacturing, and waste management, aiming to strengthen resilience across interconnected supply chains.
NIS2 was published in December 2022, with a mandatory transposition deadline of October 2024 for member states. Yet progress has been uneven: as of August 2025, only 14 out of 27 countries had fully incorporated the directive into national law, prompting infringement actions against the lagging states. The shift from NIS1 to NIS2 ultimately seeks to harmonize cybersecurity expectations across Europe and modernize defenses for the current cyber threat landscape.
| Entity Category | Applicable Sectors | Supervision Type | Maximum Administrative Fine | Risk Management Obligations | Incident Reporting Timeline | Governance & Personal Liability |
|---|---|---|---|---|---|---|
| Essential Entities | Energy, Transport, Banking, Financial Market Infrastructures, Health, Drinking Water, Waste Water, Digital Infrastructure, ICT Service Management (B2B), Public Administration, and Space. | Proactive supervision (comprehensive ex ante and ex post regime), including regular and targeted audits. | At least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher. | Mandatory implementation of 10 measures: 1) Risk analysis & information security policies, 2) Incident handling, 3) Business continuity (backup/crisis management), 4) Supply chain security, 5) Secure development & vulnerability handling, 6) Effectiveness assessment, 7) Cybersecurity training/hygiene, 8) Cryptography/encryption, 9) Access control/asset management, 10) MFA/secure communications. | 3-stage approach: Early warning (24h), incident notification (72h), and final report (1 month). | Management bodies must approve and oversee measures. Senior management can be held personally liable for breaches and may face temporary bans from managerial functions. |
| Important Entities | Postal and Courier Services, Waste Management, Manufacture/Production/Distribution of Chemicals, Food Production/Processing/Distribution, Manufacturing (e.g. medical devices, electronics), Digital Providers (online marketplaces, search engines, social networks), and Research. | Reactive supervision (light ex post regime); compliance checks are only performed after an incident or evidence of non-compliance. | At least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher. | Mandatory implementation of 10 measures: 1) Risk analysis & information security policies, 2) Incident handling, 3) Business continuity (backup/crisis management), 4) Supply chain security, 5) Secure development & vulnerability handling, 6) Effectiveness assessment, 7) Cybersecurity training/hygiene, 8) Cryptography/encryption, 9) Access control/asset management, 10) MFA/secure communications. | 3-stage approach: Early warning (24h), incident notification (72h), and final report (1 month). | Management bodies must approve and oversee measures. Senior management can be held personally liable for breaches; accountability includes a duty to participate in training. |
EU Member States are required to build a coordinated security ecosystem under NIS2, starting with updated national cybersecurity strategies, designated Computer Security Incident Response Teams (CSIRTs), and active participation in EU‑CyCLONe, the EU‑level mechanism for managing large‑scale, cross‑border cyber crises. These structures are intended to harmonize readiness and ensure faster cooperation during major incidents.
NIS2 enforces strong regulatory pressure through tiered administrative fines:

- Essential entities: up to €10 million, or 2% of global annual turnover, whichever is higher.
- Important entities: up to €7 million, or 1.4% of global annual turnover, whichever is higher.

These penalty levels set a minimum standard across the EU; member states may set higher maximums in national law.
Implementation progress varies across member states. Several have aligned their national frameworks with recognized standards such as ISO 27001, and many have launched digital registration portals, with Germany and the Netherlands among the earlier adopters as of early 2026.
NIS2 does not exist in isolation. It dovetails with other European Union regulations such as DORA, which governs operational resilience in the financial sector, and the Cyber Resilience Act (CRA), which adds requirements for secure product development and incident reporting.
Amendments adopted in January 2026 introduce risk‑tiering to ease compliance for SMEs, reducing administrative pressure while retaining essential safeguards. Non‑EU firms offering services in the EU must appoint an EU representative and may face mandatory audits, especially when providing high‑risk services in critical supply chains.
The NIS2 Directive raises the bar for cybersecurity across Europe, demanding stronger controls, clearer reporting, and accountable governance. As organizations adapt, cybersecurity service provider TechDemocracy helps turn compliance into resilience, strengthening security programs and future‑proofing digital operations in an increasingly cyber-threatened landscape.
Strengthen your organization's digital identity for a secure and worry-free tomorrow. Kickstart the journey with a complimentary consultation to explore personalized solutions.