Esta página aún no está traducida por completo. Se muestra la versión en inglés.
Regulatory guide · Supplier Shield

NIS2 Compliance: Scope, Obligations and How to Prepare

NIS2 (Directive EU 2022/2555) covers 18 sectors and up to 160,000 entities across the EU. Use this guide to determine whether your organisation is in scope, understand the ten Article 21 obligations, and build a defensible compliance programme.

Book a free demoTalk to an advisor
Oct 2024
Transposition deadline
18
Sectors covered
Art. 21(2)(d)
Supply chain security
§ 01 · What is NIS2

What is NIS2?

NIS2 (Directive EU 2022/2555) is the revised EU cybersecurity Directive that replaces the original NIS Directive from 2016. Unlike DORA, which is an EU Regulation directly applicable in all Member States, NIS2 is a Directive that must be transposed into national law by each Member State — meaning implementation details and enforcement timelines can vary by country.

NIS2 entered into force on 16 January 2023 and required transposition by 17 October 2024. It significantly expands the scope of EU cybersecurity law: from 7 to 18 sectors, and from operators of essential services to any medium-sized or larger entity in a covered sector. It also introduces management body liability, a standardised incident reporting timeline, and supply chain security as an explicit obligation.

Quick scope indicators

  • Medium or large entity in a covered sector
  • Annex I sectors: automatically essential if criteria met
  • Annex II sectors: automatically important if criteria met
  • Certain critical infrastructure: in scope regardless of size
  • Swiss / non-EU companies with EU establishments or EU customers

Key distinction: NIS2 is a Directive (transposed nationally). DORA is a Regulation (directly applicable EU-wide).

§ 02 · Scope

Who is in scope? Essential vs important entities

NIS2 applies to medium-sized and larger organisations in covered sectors (generally: at least 50 employees or annual turnover and balance sheet above EUR 10M). Annex I entities are classified as essential; Annex II as important. Certain critical infrastructure types are in scope regardless of size. National competent authorities may also designate smaller entities.

The distinction matters: essential entities face proactive supervision and higher fines. Important entities operate under an ex-post regime. Use the checker below to identify your classification.

Is your organisation in scope?

Answer three questions to find out your NIS2 classification.

Step 1 of 3 — Your sector

§ 03 · Sectors

Which sectors does NIS2 cover?

NIS2 covers 18 sectors across two annexes. Every organisation in these sectors that meets the size threshold (or is designated as critical infrastructure) must comply. Annex I sectors face higher obligations and stricter supervision.

Annex I — Essential entity sectors

Energy

Electricity, oil, gas, hydrogen, district heating/cooling

Transport

Air, rail, water, road (including road authorities)

Banking

Credit institutions (as defined in Regulation EU 575/2013)

Financial market infrastructures

Trading venues, central counterparties (CCPs)

Health

Healthcare providers, EU reference labs, pharma R&D, medical devices

Drinking water

Suppliers and distributors of water for human consumption

Waste water

Undertakings collecting, disposing of or treating urban and industrial waste water

Digital infrastructure

IXPs, DNS providers, TLD name registries, cloud, data centres, CDNs, MSPs, MSSPs, online marketplaces, online search engines, social networks

ICT service management (B2B)

Managed service providers and managed security service providers

Public administration

Central and regional government authorities (Member State decision on local level)

Space

Ground-based infrastructure supporting space-based services

Annex II — Important entity sectors

Postal and courier services

Universal service providers and other postal operators

Waste management

Undertakings carrying out waste management activities

Chemicals

Manufacturers, producers and distributors of chemical substances

Food

Food business operators engaged in wholesale distribution or industrial production/processing

Manufacturing

Medical devices, computers/electronics, machinery, motor vehicles, other transport equipment

Digital providers

Online marketplaces, online search engines, social network platforms (medium+)

Research

Research organisations with primarily research activities

§ 04 · Obligations

Key obligations under NIS2 (Article 21)

Article 21 requires essential and important entities to implement proportionate cybersecurity risk-management measures across ten areas. The standard is proportionate to the risk: measures must reflect the entity's exposure, not a one-size-fits-all checklist. The supply chain security measure (Article 21(2)(d)) is the direct bridge between NIS2 and third-party risk management.

01

Risk analysis and information system security policies

Document and maintain a cybersecurity risk management framework approved by the management body.

02

Incident handling

Establish procedures for detecting, responding to, and recovering from incidents. Maintain an incident log.

03

Business continuity and crisis management

Backup management, disaster recovery, and crisis management procedures for restoring systems and services.

04

Supply chain security (Art. 21(2)(d))TPRM

Assess and manage security risks relating to direct suppliers and service providers. This is the entry point for TPRM obligations under NIS2.

See vendor risk management
05

Security in network and information systems acquisition, development and maintenance

Policies on vulnerability handling and disclosure in software and hardware used in operations.

06

Policies and procedures to assess cybersecurity risk-management measures

Ensure that cybersecurity measures actually work and are reviewed periodically.

07

Cyber hygiene practices and cybersecurity training

Basic cyber hygiene and regular training for staff and management.

08

Policies and procedures regarding the use of cryptography and encryption

Appropriate use of cryptographic controls to protect sensitive data.

09

Human resources security, access control policies and asset management

Control access to systems and data; manage the security of personnel with privileged access.

10

Use of multi-factor authentication or continuous authentication solutions

MFA or equivalent required for remote access and privileged accounts.

§ 05 · Incident reporting

Incident reporting timeline (Article 23)

Significant incidents must be reported in three phases. An incident is significant if it causes severe operational disruption, financial loss, or affects other persons through considerable material or non-material damage. The reporting chain runs to your national CSIRT and competent authority.

24 hours

Early warning

Submit an early warning to your competent national authority (and CSIRT) within 24 hours of becoming aware of a significant incident. State whether the incident is suspected to be malicious or cross-border.

72 hours

Incident notification

Submit a full incident notification within 72 hours. Include an initial assessment of the incident: severity, impact, indicators of compromise, and whether it has been remediated.

1 month

Final report

Submit a final (or intermediate) report within one month. Include a detailed description, type of threat or root cause, mitigation measures applied, and cross-border impact if any.

§ 06 · Penalties

Penalties and management liability

NIS2 sets EU-minimum fine ceilings that are substantially higher than the original NIS Directive. Member States may impose higher fines in national transposition. The fine regime distinguishes between essential and important entities.

Essential entities

Up to EUR 10,000,000 or 2% of global annual turnover (whichever is higher)

Important entities

Up to EUR 7,000,000 or 1.4% of global annual turnover (whichever is higher)

Source: Article 34, Directive (EU) 2022/2555

Management body liability

Article 20 places direct accountability on the management body. Boards must approve cybersecurity policies, monitor their implementation, and undergo cybersecurity training. For persistent non-compliance, competent authorities can temporarily ban natural persons from management positions — a significant escalation from the original NIS Directive.

§ 07 · NIS2 vs DORA

NIS2 vs DORA: which applies to financial entities?

DORA (Regulation EU 2022/2554) acts as lex specialis for financial entities: where DORA's ICT risk provisions are at least equivalent to NIS2's requirements, the DORA rules take precedence (NIS2 Article 4(2)). Banks, insurers, investment firms, and other DORA-subject financial entities do not face dual compliance for ICT risk — DORA governs.

That said, a financial entity's non-financial subsidiaries or holding companies may not be DORA-subject. And NIS2's supply chain obligations can reach financial entities indirectly, through customers in other sectors. The two frameworks work together rather than in opposition.

Read the DORA guide
§ 08 · Swiss angle

Does NIS2 apply to Swiss companies?

NIS2 is EU law and does not bind Switzerland directly. However, Swiss-incorporated companies face two indirect paths to NIS2 obligations.

Path 1: EU establishment

If a Swiss company has a legal establishment (branch, subsidiary, or registered office) in an EU Member State and offers services there in a covered sector, it is likely subject to NIS2 in that Member State. The relevant national authority is the one of the Member State where the establishment is located.

Path 2: Supply chain obligations of EU customers

Swiss companies supplying EU entities that are themselves subject to NIS2 must satisfy the supply chain security requirements those customers impose under Article 21(2)(d). Even without a direct NIS2 obligation, expect contractual security requirements, questionnaires, and audit rights from in-scope EU customers.

Franco-Swiss organisations

Organisations operating across the Swiss-French border should monitor the ANSSI (Agence nationale de la sécurité des systèmes d'information) for the current status of the French transposition. The competent authority in France for NIS2 is ANSSI.

See ANSSI for French transposition status
§ 09 · Readiness

How to prepare for NIS2: a readiness path

These five steps move you from scope determination to a defensible compliance posture. They feed the structured-data readiness schema on this page.

01

Determine whether you are in scope

Use the scope checker above to identify if your organisation falls under NIS2 Annex I or II. Check whether your Member State has expanded scope or applied exceptions (national transposition may vary).

National competent authorities publish lists of designated entities in their jurisdiction.

02

Conduct a gap assessment against Article 21

Map your current security controls against the ten NIS2 risk-management measures. Identify controls that are absent, partially implemented, or not documented for audit.

03

Build or update your vendor risk programme

Article 21(2)(d) requires supply chain security. Inventory your critical and important suppliers, conduct security assessments, and establish contractual security requirements.

04

Establish incident detection and reporting procedures

Set up the 24h/72h/1-month reporting pipeline to your national CSIRT. Assign roles, test the process, and document it before an incident occurs.

05

Brief the management body and set governance

Management bodies are personally liable under Article 20. Ensure the board has approved the cybersecurity policy, receives regular reports, and has completed cybersecurity training.

§ 10 · Platform

Supplier Shield automates NIS2 Article 21(2)(d)

The supply chain security requirement is the most operationally demanding part of NIS2 for most organisations. Supplier Shield maps your supplier inventory to NIS2 obligations, runs proportionate assessments, collects contractual evidence, and generates audit-ready reports aligned to your national competent authority.

See how it worksTalk to a NIS2 advisor
§ 11 · Related guides

Continue reading

Selected guides relevant to NIS2 compliance and third-party risk management.

DORA Compliance Guide

DORA is the companion regulation for financial entities. Understand how it overlaps with NIS2 and where each one governs.

Read

Third-Party Compliance Reference

Six frameworks explained side by side: NIS2, DORA, GDPR, ISO 27001, SOC 2, and Swiss FADP.

Read

NIS2 Vendor Risk for Healthcare

Healthcare essential entities under NIS2 must assess supplier security and manage GDPR Article 28 obligations together.

Read

Vendor Risk Management for IT and Procurement

Replace spreadsheet-driven vendor governance with structured TPRM workflows aligned to NIS2 Article 21.

Read

Compare TPRM Tools

See how Supplier Shield compares to Excel, Vanta, OneTrust, ProcessUnity, UpGuard, and Prevalent for NIS2 readiness.

Read

Talk to a NIS2 Advisor

Senior practitioners available for NIS2 gap assessments, readiness reviews, and programme design. Fixed-fee or subscription.

Read
§ 12 · FAQ

NIS2 frequently asked questions

What is NIS2?
NIS2 (Directive EU 2022/2555) is the revised EU cybersecurity Directive replacing the original NIS Directive. It entered into force on 16 January 2023 and required transposition into national law by 17 October 2024. It covers a wider range of sectors and introduces stricter obligations, higher fines, and personal management liability.
When did NIS2 come into effect?
NIS2 entered into force on 16 January 2023. Member States were required to transpose it into national law by 17 October 2024. Transposition progress varies by country; consult your national competent authority for the current status.
What is the difference between NIS and NIS2?
The original NIS Directive (2016) covered operators of essential services and digital service providers in seven sectors. NIS2 expands coverage to 18 sectors, lowers the minimum size threshold to medium-sized entities, standardises obligations across the EU, raises maximum fines significantly, and adds personal liability for management bodies.
Is NIS2 mandatory?
Yes, for organisations that meet the sector and size criteria (generally medium-sized and above in covered sectors). Member States may also designate specific smaller entities as critical regardless of size. Non-compliance can result in fines and management liability.
What are the NIS2 fines?
For essential entities: up to EUR 10 million or 2% of total worldwide annual turnover (whichever is higher). For important entities: up to EUR 7 million or 1.4% of total worldwide annual turnover. Source: NIS2 Directive, Article 34.
What is the NIS2 deadline in France?
The NIS2 transposition deadline for all EU Member States was 17 October 2024. For the current status of the French transposition, consult the ANSSI website at anssi.gouv.fr.
Can management be personally liable under NIS2?
Yes. Article 20 requires that management bodies of essential and important entities approve cybersecurity risk-management measures, oversee their implementation, and undergo cybersecurity training. National competent authorities can temporarily prohibit a natural person from holding management positions for persistent non-compliance.
What does NIS2 require for supply chain security?
Article 21(2)(d) explicitly requires essential and important entities to address cybersecurity risks in the supply chain, including security aspects concerning the relationships between each entity and its direct suppliers or service providers. This creates a risk management obligation toward all critical and important vendors.
Does NIS2 apply to Swiss companies?
NIS2 is EU law and does not directly apply to Switzerland. However, Swiss companies are indirectly affected in two ways: (1) a Swiss entity with an EU establishment offering services in an in-scope sector may fall under the Directive; (2) Swiss companies supplying EU entities must meet the supply-chain security requirements those entities impose under Article 21(2)(d).
If we are already subject to DORA, do we need to comply with NIS2 as well?
DORA acts as lex specialis for financial entities covered by the Digital Operational Resilience Act. Article 4(2) of NIS2 states that where other EU sectoral legal acts require financial entities to take cybersecurity risk-management measures equivalent to NIS2, those sectoral provisions take precedence. In practice, DORA compliance should largely satisfy the NIS2 ICT risk requirements for financial entities, but you should verify this with your legal counsel.
Who enforces NIS2?
Each EU Member State designates one or more national competent authorities (NCAs) responsible for supervising NIS2 compliance. Essential entities are subject to proactive (ex-ante) supervision; important entities face reactive (ex-post) supervision. France: ANSSI. Germany: BSI. Netherlands: NCSC-NL. Contact your national authority for jurisdiction-specific guidance.
How do I start preparing for NIS2?
Start with a scope determination (use the checker on this page), then run a gap assessment against the ten Article 21 measures. Prioritise supply chain security and incident reporting procedures, which require the most lead time. Brief your management body early — they carry personal liability.

Ready to start your NIS2 programme?

Book a free 30-minute assessment with a senior NIS2 advisor. We cover scope, gaps, and the fastest path to a defensible posture.

Book a free assessmentContact us

Compliance referenceDORA guidePricing