NIS2

Network and Information Security Directive (EU 2022/2555)

RegulationEU

The NIS2 Directive significantly expands the scope of EU cybersecurity requirements, covering essential and important entities across 18 sectors. Member States must transpose it into national law, establishing risk management obligations, incident reporting duties, and enforcement mechanisms.

Sectors Covered

Risk Measures

€10M / 2%

Max Penalty

Oct 2024

Transposition Deadline

Who Needs to Comply

Essential Entities (11 sectors)

Energy (electricity, oil, gas, hydrogen, district heating)
Transport (air, rail, water, road)
Banking and financial market infrastructure
Health sector, drinking water, waste water
Digital infrastructure, ICT service management (B2B)
Public administration, space

Important Entities (7 sectors)

Postal and courier services
Waste management
Chemical manufacturing, production, distribution
Food production, processing, distribution
Manufacturing (medical devices, electronics, machinery, motor vehicles)
Digital providers (online marketplaces, search engines, social platforms)
Research organisations

Key Compliance Areas

Art. 21

Risk Management Measures

10 minimum measures: risk analysis and policies, incident handling, business continuity, supply chain security, network security, vulnerability management, assessment practices, cryptography, HR security, and access control with MFA.

Art. 23

Incident Reporting

Three-stage reporting: early warning within 24 hours, incident notification within 72 hours, and final report within 1 month of the incident notification.

Art. 20

Management Body Accountability

Management bodies must approve cybersecurity measures, oversee implementation, and undergo cybersecurity training. Personal liability for non-compliance.

Art. 32-33

Supervision & Enforcement

Essential entities: proactive supervision (audits, inspections). Important entities: reactive supervision (post-incident). Penalties up to EUR 10M or 2% of global turnover.

How Orizon Helps

Entity Classification

Determine whether your organisation qualifies as essential or important under NIS2, based on sector, size, and criticality criteria.

Risk Assessment

Evaluate your cybersecurity posture against NIS2’s 10 minimum risk management measures (Art. 21).

Supply Chain Security

Assess and manage cybersecurity risks in your supply chain, including contractual requirements for ICT suppliers.

Incident Response

Establish a three-stage incident reporting process meeting the 24-hour, 72-hour, and 1-month deadlines.

Governance & Training

Ensure management body accountability, cybersecurity training for leadership, and documented policies for all 10 measures.

Regulatory Deep-Dive

For enforcement timelines, penalties, and detailed regulatory analysis, see our NIS2 Netherlands (Cbw) Intelligence page.

View regulatory intelligence

Official Sources

Assess Your Compliance

Expert guidance for your NIS2 compliance journey.

Get Started