12.03.2026
Understanding the EU’s Cybersecurity efforts

With the adoption of NIS2, the European Union has significantly expanded its cybersecurity obligations for organisations operating across its internal market. This guide provides an overview of the key obligations under NIS2 and sets out practical steps for organisations to assess their compliance position, manage risks, and meet their reporting obligations.

What is NIS2?

NIS2 (Directive (EU) 2022/2555), adopted on 14 December 2022 and in force since 16 January 2023, is the EU’s updated legislative framework on cybersecurity across Member States. It aims to achieve a high, common level of cybersecurity to support the smooth functioning of the internal market. The Directive imposes cybersecurity risk-management measures and reporting obligations on entities falling within its scope and establishes frameworks for cooperation and information sharing at both national and Union level.

Who must comply with NIS2?

NIS2 applies to public and private entities of a type referred to in Annex I or Annex II. It covers ‘essential’ and ‘important’ entities in sectors of high criticality (Annex I includes energy, transport, banking, health, digital infrastructure, public administration) and other critical sectors (Annex II includes postal, waste management, chemicals, food, research). Classification depends on the sector, the services the entity provides, and its size. Certain entities – including providers of public electronic communications networks, trust service providers, TLD name registries, DNS service providers, and entities identified as critical under Directive (EU) 2022/2557 – fall within scope regardless of their size.

How and when will NIS2 apply?

As a Directive, NIS2 requires transposition into national law by each Member State. The deadline for national adoption was 17 October 2024, with application from 18 October 2024. However, the obligations under the Directive become applicable through the national measures adopted by each Member State. In the Benelux, the status is as follows:

  • Netherlands: Transposition pending, with applicability expected in Q2 2026.
  • Belgium: Fully transposed, obligations are in force.
  • Luxembourg: Transposition still pending.

Entities operating in multiple Member States should monitor the status of transposition in each relevant jurisdiction and prepare for differences in timing and implementation.

Key obligations for in-scope entities

  • Governance and accountability
    • Management bodies must approve and oversee cybersecurity risk management measures and can be held liable for non-compliance.
    • Regular cybersecurity training is required for management and, where appropriate, for staff, to build internal expertise and awareness.
  • Risk management measures
    • Implement technical, operational, and organisational measures proportionate to the risks faced and the potential impact of incidents.
    • Areas covered include risk analysis, incident response, business continuity (backups, disaster recovery, crisis management), supply chain security, vulnerability management, cyber hygiene, encryption, access controls, and asset management.
  • Multi-stage incident reporting
    • Notify significant incidents to the national Computer Security Incident Response Team (CSIRT) or, where applicable, the competent authority, without undue delay.
    • Early warning: within 24 hours of awareness.
    • Incident notification: within 72 hours, including initial assessment.
    • Final report: within one month, providing full incident details, impact, and remedial actions.
  • Registration
    • Entities must submit to the competent authorities at least their name, address, up-to-date contact details, relevant sector and subsector, and a list of Member States where they provide services falling within the scope of the Directive.
    • Any changes to this information must be notified without delay and in any event within two weeks.

Supervision and enforcement

Essential entities are subject to comprehensive ex ante and ex post supervision, including on-site inspections and security audits. Important entities are subject to ex post supervision, which may be triggered by evidence or indications of non-compliance.

Infringements of the cybersecurity risk-management and reporting obligations may result in administrative fines of up to EUR 10 000 000 or 2% of total worldwide annual turnover for essential entities, and up to EUR 7 000 000 or 1.4% of total worldwide annual turnover for important entities, whichever is higher.

Interplay with other EU legislation

NIS2 operates alongside other sector-specific Union legal acts. Where such acts impose cybersecurity risk-management measures or reporting obligations that are at least equivalent in effect to those under NIS2, as is the case with Regulation (EU) 2022/2554 (DORA) for financial entities, those sector-specific provisions apply instead. However, certain NIS2 requirements, such as registration, may still apply. Entities designated as critical under the CER Directive are automatically considered essential under NIS2, ensuring that both cybersecurity and physical resilience obligations apply to such entities.

Digital Omnibus and Cybersecurity simplification

On 19 November 2025, the European Commission introduced the Digital Omnibus package, which will create a single entry point for incident reporting managed by ENISA, with the aim of streamlining compliance for organisations subject to NIS2, DORA, and the CER Directive. Further proposals in January 2026 aim to clarify jurisdictional rules and strengthen ENISA’s coordinating role in that regard.

Why compliance matters

Compliance with NIS2 is not only a legal obligation but also contributes to the overall cyber resilience of an organisation. Entities that implement the required risk-management measures and reporting procedures in a timely manner will be better positioned to prevent and respond to incidents, and to meet the expectations of supervisory authorities. Non-compliance may result in significant administrative fines, enforcement measures, and potential liability for management bodies.

Getting ready for NIS2

  • Determine applicability: Assess whether your organisation falls within NIS2’s scope by reviewing your sector, size, and services.
  • Update risk management: Conduct a thorough risk assessment and implement all required technical and organisational security measures.
  • Review supplier relationships: Examine ICT supply chain contracts to ensure they include adequate security, notification, and audit provisions.
  • Establish governance protocols: Secure board-level approval for cybersecurity measures, assign oversight responsibilities, and provide training for directors and key staff.
  • Set up incident reporting: Implement round-the-clock detection and escalation processes to meet reporting deadlines (24 hours for early warning, 72 hours for notification, one month for final report).
  • Clarify your regulatory landscape: For organisations covered by multiple frameworks (NIS2, DORA, CER), map out specific obligations to avoid gaps or overlap.
  • Monitor legal developments: Track the status of NIS2 transposition in every jurisdiction where you operate, and prepare for future changes, including the Digital Omnibus and simplification initiatives.

For further guidance on how NIS2 applies to your organisation or what steps should be taken, please contact our team.
