In short
NIS2 (Directive (EU) 2022/2555) is the EU-wide cybersecurity directive. It obliges “essential” and “important” entities across 18 sectors to manage security risk systematically, to report significant incidents within 24 hours (early warning) and 72 hours (incident notification), and makes management bodies personally accountable, backed by fines of up to €10 million or 2% of global annual turnover, whichever is higher, for essential entities.
What is NIS2?
NIS2 is Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union. It replaces the first NIS directive of 2016, significantly broadens the scope, and harmonizes obligations and supervision across member states. The directive entered into force in January 2023; as a directive (not a regulation) it is not directly applicable, and member states had to transpose it into national law by 17 October 2024. In Germany this happens via the NIS2 implementation act, an amendment of the BSI Act. What applies to a company in practice is therefore the national law of its member state, including any national deviations in registration, reporting channels, and sanctions.
Who is affected by NIS2?
NIS2 distinguishes essential entities and important entities across 18 sectors — including energy, transport, health, digital infrastructure, managed service providers, public administration, postal services, waste, chemicals, food, and manufacturing.
As a rule of thumb, the size threshold applies: companies operating in a covered sector that are at least medium-sized under the EU SME definition, i.e. 50 or more employees or more than €10 million in annual turnover or annual balance sheet total, generally fall under the directive. Some entities are covered regardless of size (e.g. DNS service providers, TLD name registries, qualified trust service providers, and entities that are the sole provider of a service essential to society). Affected entities must register with the competent authority and keep that registration current.
What obligations does NIS2 impose?
The core of the directive is Article 21: affected entities must take appropriate and proportionate technical, operational, and organizational measures to manage the risks to their network and information systems, following an all-hazards approach and proportionate to the entity's exposure, size, and the likely impact of incidents. At a minimum, these include:
- Policies on risk analysis and information system security
- Incident handling
- Business continuity: backup management, disaster recovery, crisis management
- Supply chain security, including relationships with service providers
- Security in acquisition, development, and maintenance of network and information systems, including vulnerability handling and disclosure
- Policies and procedures to assess the effectiveness of the measures
- Basic cyber hygiene practices and security training
- Cryptography and, where appropriate, encryption
- Human resources security, access control, and asset management
- Multi-factor or continuous authentication, and secured voice, video, text, and emergency communications
This largely mirrors what an ISO 27001 ISMS already delivers; NIS2 turns it into a legal obligation subject to supervision and sanctions.
What are the incident reporting deadlines?
An incident is significant under Article 23 if it has caused or is capable of causing severe operational disruption or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. For a significant incident, a three-stage reporting process to the CSIRT or, where applicable, the competent authority applies:
- Early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious acts and whether it could have a cross-border impact
- Incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- Final report no later than one month after the incident notification, with a detailed description of the incident, the type of threat or root cause, the mitigation measures applied and ongoing, and any cross-border impact
These deadlines are nearly impossible to meet without prepared processes, clear responsibilities, a documented criterion for what counts as a significant incident, and a maintained asset and contact base. Incident response has to exist before the incident, and the clock starts at awareness, not at confirmation.
What are the penalties for non-compliance?
For essential entities, NIS2 provides for fines of up to €10 million or 2% of total worldwide annual turnover; for important entities, up to €7 million or 1.4%. In both cases the higher of the two amounts applies.
New compared with the first NIS directive is the explicit accountability of management bodies (Article 20): they must approve the risk management measures, oversee their implementation, and follow cybersecurity training themselves, and they can be held liable for infringements.
How do you prepare for NIS2?
A pragmatic roadmap looks like this:
- Determine applicability: assess sector, company size, and role in the supply chain
- Run a gap analysis against the Article 21 measures
- Build or update the asset inventory and risk register
- Establish and test an incident response process aligned to the 24h/72h/one-month deadlines, including the criterion for a significant incident and the reporting channel to the national CSIRT or authority
- Assess suppliers and add contractual security requirements
- Involve management: anchor accountability, reporting, and training
Organizations already running an ISO 27001 ISMS cover most NIS2 requirements and mainly need to sharpen reporting paths, supply chain controls, and governance. Flux Platform supports both sides: risks, controls, and evidence for the ISMS, and incident workflows built with the NIS2 deadlines in mind.