NIS2 (Directive EU 2022/2555) covers 18 sectors and up to 160,000 entities across the EU. Use this guide to determine whether your organisation is in scope, understand the ten Article 21 obligations, and build a defensible compliance programme.
NIS2 (Directive EU 2022/2555) is the revised EU cybersecurity Directive that replaces the original NIS Directive from 2016. Unlike DORA, which is an EU Regulation directly applicable in all Member States, NIS2 is a Directive that must be transposed into national law by each Member State — meaning implementation details and enforcement timelines can vary by country.
NIS2 entered into force on 16 January 2023 and required transposition by 17 October 2024. It significantly expands the scope of EU cybersecurity law: from 7 to 18 sectors, and from operators of essential services to any medium-sized or larger entity in a covered sector. It also introduces management body liability, a standardised incident reporting timeline, and supply chain security as an explicit obligation.
Quick scope indicators
Key distinction: NIS2 is a Directive (transposed nationally). DORA is a Regulation (directly applicable EU-wide).
NIS2 applies to medium-sized and larger organisations in covered sectors (generally: at least 50 employees or annual turnover and balance sheet above EUR 10M). Annex I entities are classified as essential; Annex II as important. Certain critical infrastructure types are in scope regardless of size. National competent authorities may also designate smaller entities.
The distinction matters: essential entities face proactive supervision and higher fines. Important entities operate under an ex-post regime. Use the checker below to identify your classification.
Is your organisation in scope?
Answer three questions to find out your NIS2 classification.
Step 1 of 3 — Your sector
NIS2 covers 18 sectors across two annexes. Every organisation in these sectors that meets the size threshold (or is designated as critical infrastructure) must comply. Annex I sectors face higher obligations and stricter supervision.
Annex I — Essential entity sectors
Energy
Electricity, oil, gas, hydrogen, district heating/cooling
Transport
Air, rail, water, road (including road authorities)
Banking
Credit institutions (as defined in Regulation EU 575/2013)
Financial market infrastructures
Trading venues, central counterparties (CCPs)
Health
Healthcare providers, EU reference labs, pharma R&D, medical devices
Drinking water
Suppliers and distributors of water for human consumption
Waste water
Undertakings collecting, disposing of or treating urban and industrial waste water
Digital infrastructure
IXPs, DNS providers, TLD name registries, cloud, data centres, CDNs, MSPs, MSSPs, online marketplaces, online search engines, social networks
ICT service management (B2B)
Managed service providers and managed security service providers
Public administration
Central and regional government authorities (Member State decision on local level)
Space
Ground-based infrastructure supporting space-based services
Annex II — Important entity sectors
Postal and courier services
Universal service providers and other postal operators
Waste management
Undertakings carrying out waste management activities
Chemicals
Manufacturers, producers and distributors of chemical substances
Food
Food business operators engaged in wholesale distribution or industrial production/processing
Manufacturing
Medical devices, computers/electronics, machinery, motor vehicles, other transport equipment
Digital providers
Online marketplaces, online search engines, social network platforms (medium+)
Research
Research organisations with primarily research activities
Article 21 requires essential and important entities to implement proportionate cybersecurity risk-management measures across ten areas. The standard is proportionate to the risk: measures must reflect the entity's exposure, not a one-size-fits-all checklist. The supply chain security measure (Article 21(2)(d)) is the direct bridge between NIS2 and third-party risk management.
Risk analysis and information system security policies
Document and maintain a cybersecurity risk management framework approved by the management body.
Incident handling
Establish procedures for detecting, responding to, and recovering from incidents. Maintain an incident log.
Business continuity and crisis management
Backup management, disaster recovery, and crisis management procedures for restoring systems and services.
Supply chain security (Art. 21(2)(d))TPRM
Assess and manage security risks relating to direct suppliers and service providers. This is the entry point for TPRM obligations under NIS2.
See vendor risk management →Security in network and information systems acquisition, development and maintenance
Policies on vulnerability handling and disclosure in software and hardware used in operations.
Policies and procedures to assess cybersecurity risk-management measures
Ensure that cybersecurity measures actually work and are reviewed periodically.
Cyber hygiene practices and cybersecurity training
Basic cyber hygiene and regular training for staff and management.
Policies and procedures regarding the use of cryptography and encryption
Appropriate use of cryptographic controls to protect sensitive data.
Human resources security, access control policies and asset management
Control access to systems and data; manage the security of personnel with privileged access.
Use of multi-factor authentication or continuous authentication solutions
MFA or equivalent required for remote access and privileged accounts.
Significant incidents must be reported in three phases. An incident is significant if it causes severe operational disruption, financial loss, or affects other persons through considerable material or non-material damage. The reporting chain runs to your national CSIRT and competent authority.
24 hours
Early warning
Submit an early warning to your competent national authority (and CSIRT) within 24 hours of becoming aware of a significant incident. State whether the incident is suspected to be malicious or cross-border.
72 hours
Incident notification
Submit a full incident notification within 72 hours. Include an initial assessment of the incident: severity, impact, indicators of compromise, and whether it has been remediated.
1 month
Final report
Submit a final (or intermediate) report within one month. Include a detailed description, type of threat or root cause, mitigation measures applied, and cross-border impact if any.
NIS2 sets EU-minimum fine ceilings that are substantially higher than the original NIS Directive. Member States may impose higher fines in national transposition. The fine regime distinguishes between essential and important entities.
Essential entities
Up to EUR 10,000,000 or 2% of global annual turnover (whichever is higher)
Important entities
Up to EUR 7,000,000 or 1.4% of global annual turnover (whichever is higher)
Source: Article 34, Directive (EU) 2022/2555
Management body liability
Article 20 places direct accountability on the management body. Boards must approve cybersecurity policies, monitor their implementation, and undergo cybersecurity training. For persistent non-compliance, competent authorities can temporarily ban natural persons from management positions — a significant escalation from the original NIS Directive.
DORA (Regulation EU 2022/2554) acts as lex specialis for financial entities: where DORA's ICT risk provisions are at least equivalent to NIS2's requirements, the DORA rules take precedence (NIS2 Article 4(2)). Banks, insurers, investment firms, and other DORA-subject financial entities do not face dual compliance for ICT risk — DORA governs.
That said, a financial entity's non-financial subsidiaries or holding companies may not be DORA-subject. And NIS2's supply chain obligations can reach financial entities indirectly, through customers in other sectors. The two frameworks work together rather than in opposition.
Read the DORA guide →NIS2 is EU law and does not bind Switzerland directly. However, Swiss-incorporated companies face two indirect paths to NIS2 obligations.
Path 1: EU establishment
If a Swiss company has a legal establishment (branch, subsidiary, or registered office) in an EU Member State and offers services there in a covered sector, it is likely subject to NIS2 in that Member State. The relevant national authority is the one of the Member State where the establishment is located.
Path 2: Supply chain obligations of EU customers
Swiss companies supplying EU entities that are themselves subject to NIS2 must satisfy the supply chain security requirements those customers impose under Article 21(2)(d). Even without a direct NIS2 obligation, expect contractual security requirements, questionnaires, and audit rights from in-scope EU customers.
Franco-Swiss organisations
Organisations operating across the Swiss-French border should monitor the ANSSI (Agence nationale de la sécurité des systèmes d'information) for the current status of the French transposition. The competent authority in France for NIS2 is ANSSI.
See ANSSI for French transposition status →These five steps move you from scope determination to a defensible compliance posture. They feed the structured-data readiness schema on this page.
Determine whether you are in scope
Use the scope checker above to identify if your organisation falls under NIS2 Annex I or II. Check whether your Member State has expanded scope or applied exceptions (national transposition may vary).
National competent authorities publish lists of designated entities in their jurisdiction.
Conduct a gap assessment against Article 21
Map your current security controls against the ten NIS2 risk-management measures. Identify controls that are absent, partially implemented, or not documented for audit.
Build or update your vendor risk programme
Article 21(2)(d) requires supply chain security. Inventory your critical and important suppliers, conduct security assessments, and establish contractual security requirements.
Establish incident detection and reporting procedures
Set up the 24h/72h/1-month reporting pipeline to your national CSIRT. Assign roles, test the process, and document it before an incident occurs.
Brief the management body and set governance
Management bodies are personally liable under Article 20. Ensure the board has approved the cybersecurity policy, receives regular reports, and has completed cybersecurity training.
The supply chain security requirement is the most operationally demanding part of NIS2 for most organisations. Supplier Shield maps your supplier inventory to NIS2 obligations, runs proportionate assessments, collects contractual evidence, and generates audit-ready reports aligned to your national competent authority.
Selected guides relevant to NIS2 compliance and third-party risk management.
DORA Compliance Guide
DORA is the companion regulation for financial entities. Understand how it overlaps with NIS2 and where each one governs.
Read →Third-Party Compliance Reference
Six frameworks explained side by side: NIS2, DORA, GDPR, ISO 27001, SOC 2, and Swiss FADP.
Read →NIS2 Vendor Risk for Healthcare
Healthcare essential entities under NIS2 must assess supplier security and manage GDPR Article 28 obligations together.
Read →Vendor Risk Management for IT and Procurement
Replace spreadsheet-driven vendor governance with structured TPRM workflows aligned to NIS2 Article 21.
Read →Compare TPRM Tools
See how Supplier Shield compares to Excel, Vanta, OneTrust, ProcessUnity, UpGuard, and Prevalent for NIS2 readiness.
Read →Talk to a NIS2 Advisor
Senior practitioners available for NIS2 gap assessments, readiness reviews, and programme design. Fixed-fee or subscription.
Read →Book a free 30-minute assessment with a senior NIS2 advisor. We cover scope, gaps, and the fastest path to a defensible posture.