NIS2 Directive explained: scope, compliance, and requirements for 2026

Learn what the NIS2 Directive is, which EU companies must comply, and the 10 concrete cybersecurity measures required under Article 21.

The NIS2 Directive has become a defining piece of legislation for cybersecurity in the EU, fundamentally changing how organisations approach network and information security. If you're a Compliance Officer or CISO at a SaaS or tech company operating in Europe, you can't ignore it. This directive affects thousands of businesses and sets strict cybersecurity obligations.

But what exactly is NIS2? Who needs to comply, and what concrete steps should your organisation take to meet its requirements? Let's break down what you need to know.

What is the NIS2 Directive?

The Network and Information Security Directive 2 (NIS2) is an updated EU cybersecurity law that came into force in January 2023. Member States were required to transpose it into national law by 17 October 2024, with enforcement starting from 18 October 2024.

NIS2 replaced the original NIS Directive (NIS1), which was adopted in 2016 but struggled with uneven implementation across member states. The updated directive aims to harmonise cybersecurity standards across the EU, broaden the scope to cover more sectors, and introduce tougher penalties for non-compliance.

According to the European Commission, NIS2 establishes a unified legal framework to uphold cybersecurity in 18 critical sectors across the EU. It's not just about protecting individual companies; it's about securing the digital infrastructure that European society and the economy rely on.

Who must comply with NIS2?

NIS2 applies to medium and large entities operating in specific sectors. The directive distinguishes between two categories:

Size thresholds

Generally, an organisation is in scope if it qualifies as at least a medium-sized enterprise, meaning it has:

  • 50 or more employees, or
  • Annual turnover or balance sheet of €10 million or more

Essential entities typically have 250+ employees or exceed €50 million in annual turnover.

However, certain entities (such as trust service providers, DNS service providers, TLD registries, and critical infrastructure operators) are captured regardless of size.

Essential vs. important entities

NIS2 divides in-scope organisations into two groups:

Essential entities (Annex I - sectors of high criticality):

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructures
  • Health (hospitals, medical device manufacturers, pharmaceutical producers)
  • Drinking water and wastewater
  • Digital infrastructure (cloud providers, data centres, DNS, IXPs)
  • ICT service management (managed service providers, MSSPs)
  • Public administration
  • Space

Important entities (Annex II - other critical sectors):

  • Postal and courier services
  • Waste management
  • Chemicals
  • Food production and distribution
  • Manufacturing (medical devices, electronics, machinery, vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

Essential entities face stricter supervision and higher penalties than important entities, reflecting their greater impact on the economy and society.

What are the penalties for non-compliance?

NIS2 introduces significant fines to drive compliance:

  • Essential entities: Up to €10 million or 2% of global annual turnover, whichever is higher
  • Important entities: Up to €7 million or 1.4% of global annual turnover, whichever is higher

These penalties are comparable to GDPR fines and apply to violations such as failing to implement required cybersecurity measures or missing incident reporting deadlines. At least eight EU countries have faced action over NIS2 deadline failings, highlighting the seriousness with which the EU is treating compliance.

The 10 minimum cybersecurity measures under Article 21

Article 21 of the NIS2 Directive lays out the heart of the compliance obligation: entities must implement at least 10 minimum cybersecurity risk-management measures. These measures must be appropriate, proportionate, and based on an all-hazards approach.

Here's what you need to cover:

  1. Policies on risk analysis and information system security: Establish procedures for assessing and managing security risks across your IT and operational technology systems.
  2. Incident handling: Put processes in place to detect, report, and manage security incidents. This ties directly to the reporting obligations under Article 23.
  3. Business continuity and crisis management: Develop strategies for backup management, disaster recovery, and crisis response to ensure you can recover from disruptive incidents.
  4. Supply chain security: Implement security measures for supplier relationships and third-party service providers. Supply chain risk assessments are critical, especially for SaaS companies relying on cloud infrastructure.
  5. Security in network and information system acquisition, development, and maintenance: Cover the full lifecycle, including vulnerability handling and secure disclosure practices.
  6. Policies to assess the effectiveness of cybersecurity risk-management measures: Regularly evaluate whether your security controls are working.
  7. Basic cyber hygiene practices and cybersecurity training: Staff awareness and foundational security practices (password policies, phishing awareness, etc.) remain essential.
  8. Policies on cryptography and encryption: Use encryption appropriately to protect data in transit and at rest.
  9. Human resources security, access control policies, and asset management: Manage user access, protect assets, and ensure proper onboarding/offboarding processes.
  10. Multi-factor authentication (MFA) or continuous authentication solutions: Secure communications and privileged access with MFA or equivalent strong authentication.

These controls should look familiar if you've worked with frameworks like ISO 27001 or SOC 2. NIS2 doesn't reinvent the wheel; it aligns with internationally recognised best practices but makes them legally mandatory for in-scope EU entities.

Incident reporting: the 24-72-30 timeline

One of NIS2's most demanding requirements is incident reporting. Under Article 23, entities must report significant incidents to their national CSIRT or competent authority within strict timelines:

  • 24 hours: Submit an early warning indicating awareness of a significant incident, whether it's suspected to be malicious, and if it has cross-border impact.
  • 72 hours: Provide a detailed notification with an initial assessment of severity, indicators of compromise, and impact.
  • One month: Submit a final report with a complete description of the incident, root causes, mitigation measures, and lessons learned.

The clock starts when you become aware of the incident. Failure to meet these deadlines can trigger fines. Organisations in some sectors are already grappling with these reporting duties, underscoring the practical challenges of the 24-hour rule.
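As an added illustration that is not part of the original article (and not a Securance tool), here is a small Python helper that derives the three Article 23 deadlines from the moment of awareness and classifies each stage as submitted, pending or overdue. The function and field names are our own, and reading the directive's "one month" as a calendar month (so a 31 January awareness date rolls to the last day of February) is an assumption stated in the code.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar

# Constructed example, not from the article: derives the NIS2 Article 23
# reporting deadlines from the moment an entity becomes aware of a
# significant incident. Function and field names are our own choices.


@dataclass(frozen=True)
class ReportingDeadlines:
    aware_at: datetime           # when the organisation became aware
    early_warning_due: datetime  # 24 hours after awareness
    notification_due: datetime   # 72 hours after awareness
    final_report_due: datetime   # one month after awareness


def add_one_month(ts: datetime) -> datetime:
    """Advance a timestamp by one calendar month.

    Assumption: the directive's 'one month' is read as a calendar month,
    so 31 January rolls to the last day of February rather than spilling
    into March. Day-of-month is clamped to the target month's length.
    """
    year = ts.year + (1 if ts.month == 12 else 0)
    month = 1 if ts.month == 12 else ts.month + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def nis2_deadlines(aware_at: datetime) -> ReportingDeadlines:
    """Compute the 24h / 72h / one-month deadlines from the awareness time.

    Timezone-aware input is required so that deadlines straddling a DST
    change, or an authority in another timezone, are not off by an hour.
    """
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware (use UTC)")
    return ReportingDeadlines(
        aware_at=aware_at,
        early_warning_due=aware_at + timedelta(hours=24),
        notification_due=aware_at + timedelta(hours=72),
        final_report_due=add_one_month(aware_at),
    )


def reporting_status(deadlines: ReportingDeadlines, now: datetime,
                     submitted: dict) -> dict:
    """Classify each stage as submitted, submitted_late, overdue or pending.

    `submitted` maps a stage name to the datetime the report was filed;
    a stage that has not been filed is simply absent from the dict.
    """
    stages = {
        "early_warning": deadlines.early_warning_due,
        "notification": deadlines.notification_due,
        "final_report": deadlines.final_report_due,
    }
    result = {}
    for stage, due in stages.items():
        filed = submitted.get(stage)
        if filed is not None:
            result[stage] = "submitted" if filed <= due else "submitted_late"
        elif now > due:
            result[stage] = "overdue"
        else:
            result[stage] = "pending"
    return result


if __name__ == "__main__":
    # Constructed scenario: awareness on 31 January so the month-end clamp shows.
    aware = datetime(2025, 1, 31, 10, 0, tzinfo=timezone.utc)
    d = nis2_deadlines(aware)
    print("early warning due :", d.early_warning_due.isoformat())
    print("notification due  :", d.notification_due.isoformat())
    print("final report due  :", d.final_report_due.isoformat())
    now = datetime(2025, 2, 2, 9, 0, tzinfo=timezone.utc)
    print(reporting_status(d, now, {"early_warning": aware + timedelta(hours=20)}))
```

The helper deliberately refuses naive timestamps: an incident ticket opened in local time and a CSIRT portal in another timezone is exactly how a 24-hour window gets miscounted. Feed it the awareness time recorded in the incident log, not the time of first detection by a sensor, since the article notes the clock starts at awareness.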

How to prepare for NIS2 compliance

If your organisation falls within scope, here's where to start:

  1. Determine your classification: Check if you're an essential or important entity based on your sector and size.
  2. Conduct a gap analysis: Compare your current controls against the 10 minimum measures in Article 21 and identify gaps.
  3. Strengthen your incident response plan: Build or refine your incident detection, escalation, and reporting workflows to meet the 24-72-30 timeline.
  4. Review third-party and supply chain risks: Assess the security posture of your suppliers and service providers, and ensure contracts include cybersecurity clauses.
  5. Train your team: Ensure your staff, management, and board understand their responsibilities under NIS2. Top management is directly accountable for cybersecurity under the directive.
  6. Document everything: Maintain evidence of your cybersecurity measures, risk assessments, incident logs, and training records. This documentation is critical for audits and regulatory inquiries.
  7. Leverage existing frameworks: If you're already certified to ISO 27001 or have undergone a SOC 2 audit, you've got a head start. These frameworks overlap significantly with NIS2 requirements. Combining assurance and cybersecurity programmes can streamline compliance and reduce audit fatigue.

NIS2 and the broader compliance landscape

NIS2 doesn't exist in a vacuum. For SaaS and tech companies, it sits alongside other regulations like GDPR, the Cyber Resilience Act, and DORA (Digital Operational Resilience Act). Managing these overlapping requirements can feel overwhelming, but the good news is that many controls serve multiple frameworks.

At Securance, we help organisations streamline compliance through a Single Audit, Multiple Standards approach. Whether you're pursuing ISO 27001, SOC 2, or preparing for NIS2, our integrated advisory and assurance services ensure you meet rigorous standards efficiently—turning compliance into a competitive advantage rather than a burden.

Final thoughts

The NIS2 Directive represents a step-change in how the EU approaches cybersecurity. It broadens the scope, tightens requirements, and enforces accountability at the board level. For SaaS and tech teams, compliance isn't optional—it's a legal obligation with serious financial and reputational consequences.

The 10 minimum measures under Article 21, the strict incident reporting timelines, and the potential for hefty fines mean that organisations need to treat NIS2 as a strategic priority. Start by understanding your obligations, conducting a thorough gap analysis, and building a roadmap that aligns your cybersecurity posture with the directive's requirements.

If you're navigating NIS2 alongside other compliance frameworks, you're not alone. Securance works with over 800 professional firms and SMEs across Europe, helping them simplify governance, strengthen security, and meet multiple standards in one streamlined process. Reach out to learn how we can support your compliance journey.