With cyber threats on the rise in vital sectors like energy, healthcare, finance, and transportation, the European Union (EU) recognized the urgency of addressing these risks. In 2016, they introduced the NIS Directive to lay the groundwork for enhancing cybersecurity across member states.
However, as time went on, it became clear that the directive had its limitations. Many organizations struggled with inconsistent enforcement, and the focus was primarily on large operators of essential services, leaving gaps in protection.
To tackle these challenges, the EU introduced NIS2, which builds upon the original directive. This updated framework broadens the scope significantly, now including medium-sized organizations and additional critical sectors. One of the key aspects of NIS2 is its emphasis on holding management accountable for cybersecurity governance.
The deadline for EU member states to transpose NIS2 into national law was 17 October 2024, so depending on when you read this, national implementing laws may already apply to your organization. But there is much more context and nuance to understanding the NIS2 Directive than simply implementing it.
What is NIS2?
NIS2 (Directive (EU) 2022/2555) is the EU's updated cybersecurity directive. It expands the scope to more sectors and to medium-sized entities, makes management bodies accountable for the risk-management measures, and mandates a staged incident-reporting process that starts with a 24-hour early warning, alongside risk management and supply chain security, to protect essential and important services.
What’s new in NIS2?
NIS2 marks a profound shift in how cybersecurity must be handled. It raises the bar on leadership accountability, vendor security, and operational readiness. Before we dive into what each change entails, here is a quick snapshot of what's new:
24-hour Incident Reporting: Must send an early warning to the national CSIRT or competent authority within 24 hours of becoming aware of a significant incident, followed by a fuller notification within 72 hours and a final report within one month.
Risk Management & Governance: Senior leadership is now legally accountable for cybersecurity failures.
Supply Chain Security: Mandates cybersecurity measures across your entire vendor and partner network.
Business Continuity: Enforces robust continuity and disaster recovery plans—not just on paper, but operationally.
Secure System Lifecycle: Security must be embedded throughout the entire system lifecycle, from acquisition to maintenance.
Ongoing Security Reviews: Conduct regular audits to ensure that controls remain effective and up-to-date.
Cyber Hygiene Culture: Mandatory employee training, drills, and enforcement of best practices.
Encryption & Cryptography: Requires strong encryption policies for data in transit and at rest.
Access & Asset Management: Controls must support least-privilege principles and timely deprovisioning.
Multi-Factor Authentication: Mandatory for enhanced identity verification and account protection.
Here’s a closer look at what each change means for your organization—and how to prepare for it:

Incident reporting
One of the most significant changes under NIS2 is the staged incident-reporting timeline. For a significant incident, an entity must send an early warning to its national CSIRT or competent authority within 24 hours of becoming aware of it, stating whether malicious action or cross-border impact is suspected. A fuller incident notification with an initial assessment of severity, impact, and available indicators of compromise follows within 72 hours, and a final report is due within one month. The 24-hour clock starts at awareness, not at confirmation of the root cause.
This is a substantial shift from the original NIS Directive, which left reporting timelines and thresholds to member states and produced varied, often lenient rules. Organizations now have clear obligations, backed by significant penalties. Meeting a 24-hour early warning in practice requires detection that surfaces incidents quickly, a documented triage decision on what counts as "significant", and a pre-agreed escalation path from the responders to whoever files the notification.
Risk management and governance
The directive mandates that organizations establish comprehensive risk management frameworks that identify and mitigate cybersecurity risks both internally and within the broader sector. Significantly, senior management is now legally accountable for ensuring compliance with NIS2. This means that leadership teams could face financial and legal repercussions for shortcomings in cybersecurity governance.
This heightened accountability puts risk management squarely inside corporate governance, so that it receives the attention and resources it needs.
Supply chain
Perhaps one of NIS2’s most transformative elements is its emphasis on supply chain security. Cybersecurity can no longer be confined to an organization’s internal systems. Instead, businesses must now ensure that their entire supply chain is protected against cyber risks. This includes not only direct suppliers but also any third-party vendors that interact with critical data or services.
NIS2 requires organizations to conduct thorough risk assessments of their supply chains, ensuring that all partners and vendors adhere to established cybersecurity standards. This proactive approach acknowledges that cyberattacks often exploit vulnerabilities in less secure suppliers as a gateway to infiltrate larger, more fortified organizations.
Business continuity
One of the critical mandates of NIS2 is its strong focus on business continuity. The directive encourages organizations not only to develop but also to rigorously maintain plans that ensure their essential services remain operational in the face of disruptions.
It’s not just about having a plan on paper—it’s about implementing strategies for data protection, disaster recovery, and maintaining key functions during crises.
Acquisition and system maintenance
NIS2 goes beyond the basics of securing internal systems by stressing the need for security integration across the entire lifecycle of network and information systems. From acquisition and development to ongoing maintenance, security measures must be woven into every phase. This involves adopting secure development practices, regularly patching vulnerabilities, and keeping systems up to date.
Security measures
NIS2 requires organizations to regularly assess the effectiveness of their cybersecurity measures, ensuring that security policies and procedures remain relevant in the face of evolving threats. This involves periodic evaluations to detect any gaps or outdated practices that could leave the organization vulnerable.
Cyber hygiene
NIS2 places a strong emphasis on fostering a culture of cybersecurity awareness. This involves not only periodic training to help employees recognize threats, such as phishing, but also reinforcing the importance of promptly reporting suspicious activities. Practical steps, such as enforcing strong password policies and organizing regular cybersecurity drills, are also a part of the directive that drives security.
Cryptography and encryption policies
NIS2 requires policies and procedures on the use of cryptography and, where appropriate, encryption, to protect sensitive information both in transit and at rest. The directive does not prescribe specific algorithms or products; organizations must decide and document what they encrypt, with which approved algorithms and key lengths, and how keys are generated, stored, rotated, and retired.
Secure remote access belongs to the same set of measures. Virtual private networks (VPNs) with modern cipher suites and zero-trust network access (ZTNA) are common ways to secure communications, and NIS2 also calls for secured voice, video, and text communications and secured emergency communication systems where appropriate.
Access control and asset management
Organizations must establish clear procedures for onboarding and offboarding employees, ensuring that access rights are promptly adjusted when personnel changes occur. Implementing least-privilege access principles helps limit exposure to sensitive information and reduces the potential impact of credential compromise.
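The offboarding and least-privilege requirements above are usually verified by reconciling the HR roster against the identity provider: every enabled account should belong to a current person and carry only the roles their job function needs. The following is an added example, not part of the directive text or of any vendor's product; the HR rows, the accounts, the role baseline, and the review date are all constructed for illustration.

```python
"""Joiner-mover-leaver reconciliation: HR roster vs. identity-provider accounts.

Added example; not part of the NIS2 text or of any vendor's product. Both data
sets and the role baseline are constructed for the example. In practice the HR
rows would come from the HRIS and the accounts from an IdP/directory export.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    job_function: str
    status: str               # "active" or "terminated"
    end_date: Optional[date]  # last working day, for leavers


@dataclass(frozen=True)
class IdpAccount:
    user_id: str
    enabled: bool
    roles: FrozenSet[str]


@dataclass(frozen=True)
class Finding:
    user_id: str
    kind: str     # "orphan", "stale_leaver" or "excess_privilege"
    detail: str


# Least-privilege baseline: the roles each job function legitimately needs.
# Anything beyond this on an account is a deviation to review. (Constructed.)
ROLE_BASELINE: Dict[str, Set[str]] = {
    "engineer":   {"vpn", "git-read", "git-write"},
    "finance":    {"vpn", "erp-user"},
    "contractor": {"vpn", "git-read"},
}


def reconcile(hr: List[HrRecord], accounts: List[IdpAccount],
              today: date, grace_days: int = 0) -> List[Finding]:
    """Return every enabled account that should not exist or holds too much.

    - orphan: enabled account with no HR record at all (never offboarded,
      test account, or shared account created outside the process)
    - stale_leaver: HR says terminated more than `grace_days` ago, still enabled
    - excess_privilege: roles outside the baseline for the person's job function
    """
    hr_by_id = {r.user_id: r for r in hr}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # disabled accounts are already deprovisioned
        rec = hr_by_id.get(acct.user_id)
        if rec is None:
            findings.append(Finding(acct.user_id, "orphan", "no HR record"))
            continue
        if (rec.status == "terminated" and rec.end_date is not None
                and (today - rec.end_date).days > grace_days):
            findings.append(Finding(acct.user_id, "stale_leaver",
                                    f"left {rec.end_date.isoformat()}, account still enabled"))
        excess = acct.roles - ROLE_BASELINE.get(rec.job_function, set())
        if excess:
            findings.append(Finding(acct.user_id, "excess_privilege",
                                    "roles beyond baseline: " + ", ".join(sorted(excess))))
    return sorted(findings, key=lambda f: (f.user_id, f.kind))


# Constructed sample data for a review run on 2025-04-15.
SAMPLE_HR = [
    HrRecord("alice", "engineer",   "active",     None),
    HrRecord("bob",   "finance",    "terminated", date(2025, 3, 31)),
    HrRecord("carol", "contractor", "active",     None),
    HrRecord("erin",  "finance",    "terminated", date(2025, 1, 10)),
]
SAMPLE_ACCOUNTS = [
    IdpAccount("alice", True,  frozenset({"vpn", "git-read", "git-write"})),
    IdpAccount("bob",   True,  frozenset({"vpn", "erp-user"})),               # leaver, still enabled
    IdpAccount("carol", True,  frozenset({"vpn", "git-read", "git-write"})),  # contractor with write
    IdpAccount("dave",  True,  frozenset({"vpn"})),                           # nobody in HR
    IdpAccount("erin",  False, frozenset({"vpn", "erp-user"})),               # properly disabled
]


def sample_findings() -> List[Finding]:
    """Run the reconciliation over the constructed sample on the review date."""
    return reconcile(SAMPLE_HR, SAMPLE_ACCOUNTS, today=date(2025, 4, 15))


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.kind:17} {f.user_id:6} {f.detail}")
```

Run on the sample, the check flags bob (terminated on 31 March, account still enabled), carol (a contractor holding git-write), and dave (an enabled account with no HR record), and says nothing about alice or the already-disabled erin. The `grace_days` knob exists because some HR systems record the end date before the exit interview; keep it at zero or close to it, since every day a leaver's account stays enabled is exposure the directive expects you to have closed.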
Multi-factor Authentication
Multi-factor Authentication (MFA) is a vital measure for enhancing the security of user accounts. By requiring multiple forms of verification, organizations significantly reduce the likelihood of unauthorized access. This could involve a combination of passwords, security tokens, or biometric verification.
There are clear similarities between ISO 27001 and NIS2. The controls you implement for ISO 27001 can go a long way toward NIS2 compliance, and ISO 27001 is not the only framework whose controls overlap with NIS2.
What is the difference between NIS1 and NIS2?

The key differences between NIS1 and NIS2 lie in their scope, enforcement, and clarity. While NIS1 focused primarily on large operators of essential services and a limited number of digital service providers, NIS2 broadens its reach to include medium-sized organizations and several previously uncovered sectors such as telecom, public administration, and critical manufacturing.
Whereas NIS1 allowed EU member states to interpret and implement the directive independently, resulting in fragmented protection, NIS2 introduces more harmonized definitions, a common list of risk-management measures, and stricter enforcement across the EU. From clearer incident reporting timelines to increased accountability for leadership, NIS2 is designed to close the regulatory gaps that weakened the original directive.
When the first NIS Directive was introduced in 2016, it was a significant step forward for the EU's cybersecurity landscape. The aim was clear: to improve the protection of networks and information systems in critical sectors. However, it did not keep pace with the changing nature of cyber threats. Its most significant shortcomings were a narrow scope and inconsistent enforcement, which led to varied interpretations and a lack of cohesion across borders. In response to these gaps, NIS2 brings a more inclusive, consistent, and enforceable approach to cybersecurity governance in the EU.
NIS2’s Annex I and II
NIS2 not only broadens the sectors covered by the NIS Directive but also classifies in-scope entities as either essential or important. The classification determines the supervision regime and the fine ceiling; the list of risk-management measures in Article 21 applies to both.
Annex I lists the "sectors of high criticality", such as energy, transport, health, and digital infrastructure. Large entities operating in these sectors are essential entities and are subject to proactive (ex ante) supervision, including regular audits and inspections, in addition to reactive supervision. Because of their role in maintaining societal security and stability, they face the most stringent scrutiny and the higher fine ceiling, compared with entities in the Annex II sectors.
Essential sectors under Annex I (sectors of high criticality)
- Energy: electricity, district heating and cooling, oil, gas, and hydrogen.
- Transport: air, rail, water, and road transport.
- Banking: credit institutions.
- Financial market infrastructures: trading venues and central counterparties.
- Health: healthcare providers such as hospitals, EU reference laboratories, and manufacturers of medicinal products and of medical devices considered critical during a public health emergency.
- Drinking water: supply and distribution of water intended for human consumption.
- Wastewater: collection, disposal, and treatment of urban, domestic, and industrial wastewater.
- Digital infrastructure: internet exchange points, DNS service providers, TLD name registries, cloud computing services, data centres, content delivery networks, trust service providers, and public electronic communications networks and services (telecom).
- ICT service management (business-to-business): managed service providers and managed security service providers.
- Public administration: central government bodies and, where a member state so decides, regional ones.
- Space: operators of ground-based infrastructure that supports space-based services.
Annex II lists the "other critical sectors". Entities in these sectors, together with medium-sized entities in the Annex I sectors, are generally classed as important entities and are subject to reactive (ex post) supervision only: authorities act when they have evidence or an indication of non-compliance, for instance after an incident, rather than through scheduled audits. The Article 21 obligations are the same; the fine ceiling is lower.
Important sectors under Annex II (other critical sectors)
- Postal and courier services.
- Waste management.
- Manufacture, production, and distribution of chemicals.
- Production, processing, and distribution of food: food businesses engaged in wholesale distribution and industrial production and processing.
- Manufacturing: medical devices and in vitro diagnostic devices; computer, electronic, and optical products; electrical equipment; machinery; motor vehicles, trailers, and semi-trailers; and other transport equipment.
- Digital providers: online marketplaces, online search engines, and social networking services platforms.
- Research organisations.
ISO 27001 and NIS2: Understanding the technical overlap
Many practitioners have noted significant overlap between NIS2's Article 21 measures and ISO 27001, and the two can complement each other. Both require structured incident management: NIS2's staged reporting (24-hour early warning, 72-hour notification, one-month final report) builds on the same detection, assessment, and response process that ISO 27001's incident management controls describe (Annex A.16 in the 2013 edition; A.5.24 to A.5.28 in the 2022 edition). One caveat: ISO 27001 does not itself impose a regulator deadline, so the 24-hour clock has to be added to an ISO-based incident process rather than assumed to be there.
Moreover, NIS2 holds management bodies directly accountable for the risk-management measures, whereas ISO 27001 requires leadership commitment (clause 5) without imposing the same legal liability.
Supply chain security is another intersection. NIS2 requires organizations to assess the cybersecurity practices of their direct suppliers and service providers, reflecting ISO 27001's supplier relationship controls (Annex A.15 in 2013; A.5.19 to A.5.23 in 2022, including A.5.21 on the ICT supply chain).
Additionally, NIS2's focus on business continuity, backup management, and disaster recovery aligns closely with ISO 27001's continuity controls (Annex A.17 in 2013; A.5.29, A.5.30, and A.8.14 in 2022). NIS2 frames the resilience of essential services as a regulatory obligation, so organizations must be able to show they are prepared for the incidents that could disrupt critical operations.
So does NIS2 render ISO 27001 obsolete?
No, NIS2 does not render ISO 27001 obsolete. In fact, the two frameworks can work hand-in-hand. While NIS2 provides a regulatory baseline for cybersecurity in critical sectors, ISO 27001 offers a more comprehensive and internationally recognized framework that extends beyond the specific mandates of NIS2.
ISO 27001 is particularly beneficial for organizations operating across multiple countries and industries, where NIS2 might not apply directly. While NIS2 focuses on legal requirements within the EU, ISO 27001 supports wider business goals such as trust, international reputation, and business resilience.
The fundamental distinction between NIS2 and ISO 27001 lies in their enforceability. NIS2 is a legally binding directive issued by the European Union, mandating compliance for organizations operating in essential and important sectors, such as energy, healthcare, and digital infrastructure. Failure to comply can result in substantial fines and legal consequences for senior management.
ISO 27001, on the other hand, is an internationally recognized voluntary standard that provides a structured approach to managing information security risks. In that sense ISO 27001 serves as an enabler for NIS2: certification is not proof of compliance, but an ISO-aligned management system gives you most of the controls and the evidence trail a NIS2 supervisor will ask for.
GDPR and NIS2: The overlapping geography
Since both the General Data Protection Regulation (GDPR) and the NIS2 Directive come from the European Union, it’s understandable that there might be some confusion about their respective scopes and overlaps. At a high level, while GDPR’s focus is on protecting personal data, NIS2 is designed to secure essential services.
We see an intersection in their approaches to supply chain security. GDPR mandates that organizations ensure their third-party processors are compliant with data protection standards, while NIS2 goes a step further by requiring detailed assessments of cybersecurity practices throughout the entire supply chain.
GDPR requires notifying the supervisory authority of a personal data breach within 72 hours of becoming aware of it (Article 33). NIS2's early warning is due within 24 hours, with its own 72-hour notification and one-month final report following. Where a single incident falls under both, the two clocks run in parallel to different authorities.
GDPR and NIS2 both stress the importance of accountability. While GDPR emphasizes the need for data controllers and processors to be responsible for compliance, NIS2 imposes legal obligations on top management, holding them directly accountable for failures in cybersecurity.
Why do you need both?
For companies operating in the EU, NIS2 and GDPR are both binding regulatory mandates, so the question is not which one to follow but how to satisfy both efficiently. In this sense, they complement one another.
GDPR emphasizes the management of data, focusing on how organizations handle personal information, while NIS2 prioritizes the protection of the systems that manage that data, ensuring the integrity and security of the infrastructure supporting these processes.
A single incident can be a personal data breach under GDPR and a significant incident under NIS2 at the same time, triggering notification under both, to different authorities, on different clocks. A common set of controls (asset inventory, access management, logging and detection, incident response, supplier assessment) satisfies much of both, so building one control framework and mapping it to both regulations avoids duplicated work and inconsistent evidence.
Neither regime is simply the stricter one. GDPR has the higher fine ceiling (up to €20 million or 4% of worldwide annual turnover) and applies to personal data wherever it is processed, while NIS2 reaches deeper into how systems are operated and adds personal accountability for management. The two fit together: NIS2's technical and organizational measures protect the systems that hold the data GDPR governs.

NIS2 is a relatively new framework, what blockers can you expect?
NIS2 is still relatively new, and it’s understandable that organizations might have reservations or concerns as they work to comply with its requirements. There are indeed potential blockers—whether it’s confusion over how to interpret specific aspects of the regulation or concerns about balancing regulatory obligations with day-to-day operations.
It often just takes a nudge about the personal liabilities tied to non-compliance for leadership to fully grasp the urgency.
Another challenge is the directive's level of abstraction. Article 21 lists ten categories of risk-management measures (policies on risk analysis and information system security, incident handling, business continuity and crisis management, supply chain security, security in acquisition, development and maintenance including vulnerability handling, assessing the effectiveness of measures, cyber hygiene and training, cryptography, human resources security, access control and asset management, and MFA with secured communications) but, as a directive, leaves detailed technical requirements to national transposition and to secondary legislation. For digital infrastructure, ICT service management, and digital providers, Commission Implementing Regulation (EU) 2024/2690 does specify such technical requirements; for other sectors, the level of detail depends on the member state.
That variation also complicates audits: an entity operating in several member states may be assessed against differently worded national requirements, and auditors may apply different evidence expectations for the same Article 21 measure.
That said, the directive is deliberately proportionate. Article 21 requires measures appropriate to the entity's risk exposure, size, and the likelihood and severity of incidents, so one-size-fits-all security is neither expected nor sufficient. Companies must tailor their programme to their own risks, and an established framework such as ISO 27001 is a practical way to structure it.
NIS2 compliance with Sprinto: Your fast track to always-on readiness
NIS2 introduces a seismic shift in how organizations across the EU must approach cybersecurity, from 24-hour early warnings to accountability at the board level. It is no longer about preparing for audits once a year; it is about maintaining operational resilience every single day. The challenge? Most companies are still using static tools for a dynamic problem. That is where Sprinto comes in.
Sprinto's agentic AI engine delivers self-healing, hyper-contextual, and embedded compliance that adapts to real-time changes in your systems and regulatory landscape. Whether it is automated evidence gathering, risk-agent triggered remediation workflows, or AI copilots that guide your team across Slack, Jira, or Notion, Sprinto ensures you are not just NIS2 compliant but audit-ready every day. Trusted by high-growth tech teams globally, Sprinto is built to meet your now and scale for your next.
What Sprinto delivers for NIS2 readiness:
- 24×7 compliance monitoring: monitor controls continuously with automated drift alerts and escalation workflows.
- AI-powered risk mapping: automatically link risks to controls and frameworks for faster implementation.
- Vendor risk management: run AI-powered assessments on third parties and highlight critical gaps instantly.
- Audit-ready dashboards: centralize compliance data and generate audit-ready evidence in real time.
- Multi-framework coverage: reuse ISO 27001, SOC 2, and GDPR controls for accelerated NIS2 alignment.
- Real-time guidance copilots: get instant, context-aware help inside Slack, Docs, and collaboration tools.
- Self-healing compliance engine: automatically update policies and checks when risks or systems change.
- Embedded execution across teams: enable action inside existing workflows without switching tools or context.
Frequently asked questions about NIS2
NIS1 primarily targeted large operators of essential services with limited scope and inconsistent enforcement across EU states. NIS2 significantly expands the scope to include more sectors (like telecom and public administration), enforces stricter breach reporting timelines, and introduces legal accountability for top management.
Non-compliance can lead to administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities. Competent authorities can also audit, issue binding instructions, order an entity to cease non-compliant conduct, and, for essential entities, temporarily suspend certifications or authorisations and temporarily bar individuals from managerial functions. Management bodies must approve and oversee the risk-management measures and can be held liable for infringements under national law.
NIS2 mandates organizations to:
-> Send an early warning on significant incidents within 24 hours of becoming aware, followed by a full notification within 72 hours and a final report within one month
-> Implement risk-based security governance
-> Secure their supply chain
-> Maintain business continuity and disaster recovery plans
-> Enforce policies around encryption, MFA, access control, and cyber hygiene
-> Continuously assess and update security controls
Costs vary depending on your current cybersecurity maturity, organizational size, and the tools you use. Manual, consultant-led approaches can range from €50,000–€150,000 annually. Automated solutions like Sprinto significantly reduce total cost of ownership by embedding controls, monitoring, and audits into a single platform.
NIS2 compliance ensures:
-> Reduced risk of cyberattacks and data breaches
-> Enhanced trust with partners, regulators, and customers
-> Streamlined governance and accountability at the leadership level
-> Preparedness for future audits and evolving regulatory standards
-> Competitive edge in sectors with high cybersecurity expectations
Heer Chheda
Heer is a content marketer at Sprinto. With a degree in Media, she has a knack for crafting words that drive results. When she’s not breaking down complex cyber topics, you can find her swimming or relaxing by cooking a meal. A fan of geopolitics, she’s always ready for a debate.