
NIS2 Compliance: The Complete Guide for 2026

The European Union just redrew the cybersecurity map, and your organization might be standing on new territory.


When GDPR landed in 2018, it sent shockwaves through every company handling EU citizen data. Now, the NIS2 Directive is doing the same for cybersecurity, but this time, the scope is broader, the penalties are steeper, and the technical requirements are far more prescriptive. If you're a CTO, CISO, or compliance officer at a company operating in or serving the EU market, this isn't optional reading. It's your compliance roadmap.

Here's the uncomfortable truth: according to recent ITPro research, a significant number of firms are already struggling to comply with NIS2 requirements. The directive's October 2024 transposition deadline has passed, member states are actively implementing their national frameworks, and enforcement is ramping up throughout 2026. Whether you're just discovering NIS2 applies to you or you're deep in implementation, this guide breaks down exactly what you need to know, and more importantly, what you need to do.


What Is NIS2? Understanding the Directive's Core Purpose

The Network and Information Security Directive 2 (NIS2) represents the EU's most ambitious cybersecurity legislation to date. Published in the Official Journal of the European Union in December 2022, it replaces the original NIS Directive from 2016 with a dramatically expanded framework designed to address the evolving threat landscape.

At its core, NIS2 aims to achieve a "high common level of cybersecurity" across all EU member states. The European Commission recognized that the original directive's voluntary approach and limited scope left critical gaps in Europe's cyber resilience. As noted in the EU Digital Strategy documentation, the directive responds to "the increased digitisation of the internal market" and the "evolving cybersecurity threat landscape" accelerated by the COVID-19 pandemic.

But NIS2 isn't just about raising the bar—it's about standardizing it. The original directive allowed too much variation between member states, creating a patchwork of requirements that made compliance a nightmare for organizations operating across borders.


From NIS to NIS2 — What Actually Changed

The jump from NIS to NIS2 isn't incremental—it's transformational. Understanding these changes is critical for scoping your compliance efforts.

Expanded scope and coverage

The original NIS Directive covered approximately 7 sectors. NIS2 expands this to 18 sectors, bringing an estimated 160,000+ entities under its umbrella. The directive now distinguishes between "essential" and "important" entities, with different supervisory regimes for each.

Harmonized requirements

Where NIS allowed member states significant flexibility, NIS2 prescribes specific security measures and incident reporting timelines. This means organizations can no longer rely on "light touch" national implementations.

Stricter penalties

Administrative fines can now reach €10 million or 2% of global annual turnover for essential entities, whichever is higher. For important entities, it's €7 million or 1.4% of turnover.

Personal accountability

Perhaps the most significant shift—NIS2 introduces personal liability for management bodies. Senior executives can now be held personally responsible for compliance failures.

Supply chain focus

The directive explicitly requires organizations to address cybersecurity risks in their supply chains, including direct suppliers and service providers.


The 18 Sectors Now Covered Under NIS2

NIS2 categorizes covered entities into two groups, each with distinct compliance obligations:

Essential Entities (11 sectors)

  • Energy (electricity, oil, gas, hydrogen, district heating)
  • Transport (air, rail, water, road)
  • Banking
  • Financial market infrastructures
  • Health (healthcare providers, EU reference laboratories, R&D, pharmaceuticals, medical devices)
  • Drinking water supply and distribution
  • Wastewater management
  • Digital infrastructure (IXPs, DNS providers, TLD registries, cloud computing, data centers, CDNs, trust service providers, electronic communications)
  • ICT service management (B2B)
  • Public administration (central and regional)
  • Space

Important Entities (7 sectors)

  • Postal and courier services
  • Waste management
  • Chemical manufacturing, production, and distribution
  • Food production, processing, and distribution
  • Manufacturing (medical devices, computers, electronics, machinery, motor vehicles)
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organizations

The size thresholds matter too. Generally, medium-sized enterprises (50+ employees or €10M+ turnover) and large enterprises in these sectors fall within scope. However, some entities are covered regardless of size, including DNS service providers, TLD registries, and qualified trust service providers.


NIS2 Compliance Requirements: What Your Organization Must Do

Understanding NIS2's requirements means diving into the technical details. The directive's Article 21 outlines specific cybersecurity risk-management measures that covered entities must implement. This isn't a checkbox exercise—it requires genuine security maturity.

Risk Management Measures (Article 21 Breakdown)

Article 21 mandates an "all-hazards approach" to cybersecurity. According to ENISA's implementation guidance, organizations must implement measures that are "appropriate and proportionate" to their risk exposure. Here's what that means in practice:

1. Risk analysis and information system security policies

You need documented policies covering your entire information security program. This includes risk assessment methodologies, asset inventories, and security governance frameworks.

2. Incident handling

Beyond just having an incident response plan, NIS2 requires tested procedures for detecting, analyzing, containing, and recovering from security incidents. Regular tabletop exercises aren't optional—they're expected.

3. Business continuity and crisis management

This encompasses backup management, disaster recovery, and crisis management procedures. Your organization must demonstrate it can maintain essential functions during and after a cyber incident.

4. Supply chain security

You must assess and manage cybersecurity risks from direct suppliers and service providers. This means security requirements in contracts, vendor assessments, and ongoing monitoring.

5. Security in network and information systems acquisition, development, and maintenance

Secure development practices, vulnerability handling, and security testing must be embedded in your SDLC.

6. Policies and procedures for assessing cybersecurity risk-management effectiveness

Regular audits, penetration testing, and security assessments are required to validate your controls actually work.

7. Basic cyber hygiene practices and cybersecurity training

All staff need security awareness training. Technical teams need role-specific training. This must be ongoing, not a one-time exercise.

8. Cryptography and encryption policies

Where appropriate, you must implement encryption for data at rest and in transit, with documented key management procedures.

9. Human resources security and access control

This covers background checks, access management, privileged access controls, and procedures for joiners, movers, and leavers.

10. Multi-factor authentication and secured communications

MFA is explicitly required "where appropriate," along with secured voice, video, and text communications within the organization.


Incident Reporting Obligations — The 24/72 Hour Rule

NIS2's incident reporting requirements are among its most operationally demanding elements. The directive establishes a multi-stage reporting framework that requires significant organizational readiness.

Early warning (24 hours)

Within 24 hours of becoming aware of a significant incident, you must submit an early warning to your national Computer Security Incident Response Team (CSIRT) or competent authority. This must indicate whether the incident is suspected to be caused by unlawful or malicious acts and whether it could have cross-border impact.

Incident notification (72 hours)

Within 72 hours, you must provide an initial assessment including the incident's severity and impact, indicators of compromise where available, and any cross-border implications.

Intermediate report (upon request)

The competent authority may request status updates on your incident handling.

Final report (one month)

Within one month of the incident notification, or upon conclusion of incident handling if later, you must submit a detailed report including root cause analysis, mitigation measures applied, and cross-border impact assessment.

What constitutes a "significant incident"?

The directive defines it as an incident that:

  • Has caused or is capable of causing severe operational disruption or financial loss
  • Has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage
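The reporting clock described above (24 hours, 72 hours, one month "or upon conclusion of incident handling if later") and the two-part significance test, worked into a small deadline tracker. This is an added example, not Probo's code or text from the directive; it assumes the clock starts at the moment of awareness, reads "one month" as one calendar month (national transpositions may define it differently), and uses hypothetical stage names.

```python
"""Reporting-clock helper for NIS2 significant incidents (added example, not Probo's code).

Assumptions, labelled here because the page does not fix them:
  * the clock starts when the entity becomes aware of the incident;
  * "one month" is read as one calendar month (national law may define it differently);
  * if incident handling concludes after the one-month mark, the final report
    falls due at conclusion (the "if later" rule described above).
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional


def add_one_month(ts: datetime) -> datetime:
    """Advance ts by one calendar month, clipping to the last day of the target
    month so that 31 Jan becomes 28/29 Feb instead of raising."""
    carry, month0 = divmod(ts.month, 12)          # December rolls into the next year
    year, month = ts.year + carry, month0 + 1
    last_day = calendar.monthrange(year, month)[1]
    return ts.replace(year=year, month=month, day=min(ts.day, last_day))


def is_significant(severe_disruption_or_loss: bool, considerable_third_party_damage: bool) -> bool:
    """Significance test as stated on the page: either criterion alone qualifies."""
    return severe_disruption_or_loss or considerable_third_party_damage


@dataclass(frozen=True)
class ReportingSchedule:
    early_warning_due: datetime          # 24 h after awareness
    incident_notification_due: datetime  # 72 h after awareness
    final_report_due: datetime           # one month after notification, or later


def reporting_schedule(aware_at: datetime,
                       handling_concluded_at: Optional[datetime] = None) -> ReportingSchedule:
    """Derive the three fixed deadlines from the moment of awareness."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware; offsets matter across member states")
    early = aware_at + timedelta(hours=24)
    notification = aware_at + timedelta(hours=72)
    final = add_one_month(notification)
    if handling_concluded_at is not None and handling_concluded_at > final:
        final = handling_concluded_at                 # still-open incidents extend the final report
    return ReportingSchedule(early, notification, final)


def overdue_stages(schedule: ReportingSchedule,
                   submitted: Dict[str, Optional[datetime]],
                   now: datetime) -> List[str]:
    """Names of stages whose deadline has passed with no recorded submission."""
    deadlines = {
        "early_warning": schedule.early_warning_due,
        "incident_notification": schedule.incident_notification_due,
        "final_report": schedule.final_report_due,
    }
    return [name for name, due in deadlines.items()
            if now > due and submitted.get(name) is None]
```

Feeding `overdue_stages` from an incident ticket's timestamps gives an IR lead a running list of reports still owed to the CSIRT.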

Supply Chain Security Requirements

The supply chain provisions in NIS2 reflect hard lessons learned from incidents like SolarWinds and Kaseya. The directive places unprecedented emphasis on third-party risk management.

Organizations must:

  • Assess supplier security: Evaluate the cybersecurity practices of direct suppliers and service providers
  • Contractual requirements: Include appropriate security clauses in supplier agreements
  • Ongoing monitoring: Continuously monitor supplier security posture, not just at onboarding
  • Coordinated vulnerability disclosure: Participate in and support vulnerability disclosure processes

This creates cascading compliance obligations. Even if your organization isn't directly covered by NIS2, you may face these requirements through your customers' supply chain obligations.


Management Accountability and Personal Liability

Here's where NIS2 gets personal—literally. Article 20 requires that "management bodies of essential and important entities approve the cybersecurity risk-management measures" and "oversee its implementation."

Management bodies must:

  • Approve cybersecurity risk-management measures
  • Oversee implementation of those measures
  • Undergo specific cybersecurity training
  • Ensure staff receive regular training

The consequences for non-compliance are severe. Member states must ensure that competent authorities can hold management personally liable for infringements. This can include temporary bans from exercising managerial functions.

This represents a fundamental shift in how cybersecurity responsibility is allocated within organizations. CTOs and CISOs can no longer treat compliance as a purely technical matter—it's now a board-level governance issue.


NIS2 Compliance Timeline and Deadlines

Understanding the NIS2 timeline is crucial for planning your compliance program. While the directive entered into force in January 2023, the real implementation work happens at the national level.

  • Member states were required to transpose NIS2 into national law by October 2024
  • National measures began applying to covered entities shortly thereafter
  • Throughout 2025-2026, national authorities are conducting registration, supervision, and enforcement activities
  • A European Commission review of the directive's functioning is scheduled for October 2027

NIS2 Compliance Cost: What to Budget For

Let's address the question every CTO and CFO wants answered: what will NIS2 compliance actually cost? The answer depends significantly on your organization's current security maturity, size, and sector.

Cost Breakdown by Company Size

Compliance costs vary dramatically based on several key factors that organizations should carefully evaluate when budgeting:

Small-to-medium enterprises (50-250 employees)

  • Key cost drivers include policy development, technical controls implementation, and training programs
  • Organizations with existing security frameworks will see lower initial investments
  • The availability of in-house expertise versus reliance on external consultants significantly impacts costs
  • Cloud-native companies often face lower infrastructure remediation costs than those with legacy on-premises systems

Mid-market companies (250-1,000 employees)

  • Key cost drivers include security tooling, dedicated compliance personnel, and third-party assessments
  • The complexity of your technology stack and number of business units affects implementation scope
  • Geographic distribution across multiple EU member states increases coordination costs
  • Existing certifications like ISO 27001 or SOC 2 can reduce gap remediation efforts substantially

Large enterprises (1,000+ employees)

  • Key cost drivers include enterprise security platforms, compliance teams, external audits, and supply chain management
  • The number and criticality of suppliers requiring assessment dramatically affects supply chain security costs
  • Regulatory classification as "essential" versus "important" entity determines supervisory intensity and associated costs
  • M&A activity and organizational complexity create additional integration challenges

Factors that influence costs across all organization sizes

  • Current security maturity: Organizations already aligned with frameworks like ISO 27001 or NIST CSF will have significantly lower gap remediation costs
  • Technical debt: Legacy systems lacking modern security capabilities require substantial investment to bring into compliance
  • Industry sector: Highly regulated sectors like healthcare and finance may already have overlapping controls, while less regulated sectors face steeper climbs
  • Internal expertise: Organizations with established security teams can handle more work internally, while others must budget for consultants and managed services
  • Tool consolidation: Companies with fragmented security tooling face higher integration and management costs than those with consolidated platforms

These cost structures align with what we see in comparable frameworks. Organizations familiar with SOC 2 compliance costs or ISO 27001 certification investments will recognize similar patterns, though NIS2's prescriptive requirements often push costs toward the higher end of comparable frameworks.

Hidden Costs Most Organizations Miss

Beyond the obvious line items, several hidden costs catch organizations off guard:

  • Technical debt remediation: Many organizations discover their existing infrastructure can't support NIS2 requirements. Legacy systems lacking MFA capabilities, unpatched software, and inadequate logging create significant remediation costs.
  • Supply chain compliance: Assessing and monitoring supplier security isn't free. Organizations report spending 15-25% of their NIS2 budget on supply chain security activities.
  • Incident response readiness: Building genuine incident response capability—including 24/7 monitoring, forensics capabilities, and tested playbooks—often exceeds initial estimates.
  • Ongoing training: NIS2's training requirements extend beyond one-time awareness programs. Budget for continuous education, specialized training for technical teams, and management-level cybersecurity education.
  • Opportunity cost: Compliance projects consume significant IT and security team bandwidth. Factor in the cost of delayed projects and stretched resources.

Why Firms Are Struggling to Comply (And How to Avoid Their Mistakes)

Recent ITPro research paints a concerning picture: many organizations are struggling to meet NIS2 requirements despite the directive's extended implementation timeline. Understanding why helps you avoid the same pitfalls.

The Technical Debt Problem

Years of underinvestment in security infrastructure are coming due. Organizations facing NIS2 compliance often discover:

  • Insufficient logging and monitoring: NIS2's incident detection requirements demand comprehensive visibility. Many organizations lack adequate SIEM capabilities or centralized log management.
  • Inadequate access controls: The directive's requirements for MFA and privileged access management expose gaps in identity infrastructure.
  • Undocumented systems: You can't protect what you don't know exists. Asset inventory gaps make risk assessment impossible.

The solution isn't just buying new tools—it's systematically addressing technical debt while building compliant processes. This requires executive sponsorship and realistic timelines.

Resource Constraints in SMEs

Small and medium enterprises face particular challenges:

  • Limited security expertise: Many SMEs lack dedicated security personnel, let alone compliance specialists
  • Budget constraints: Competing priorities make it difficult to fund comprehensive compliance programs
  • Vendor overwhelm: The compliance tool market is noisy, making it hard to identify appropriate solutions

For SMEs, the key is finding right-sized solutions. Enterprise GRC platforms designed for Fortune 500 companies aren't appropriate for a 75-person SaaS company.

Cross-Border Complexity Challenges

Organizations operating across multiple EU member states face additional complexity:

  • Varying national requirements: Despite harmonization, member states have discretion in certain areas
  • Multiple competent authorities: Understanding which authority has jurisdiction—and their specific expectations—requires careful analysis
  • Language barriers: Guidance documents and regulatory communications often appear first (or only) in local languages

How Probo Simplifies Your NIS2 Journey

Navigating NIS2 compliance doesn't have to consume your team's time and energy. Probo manages the entire compliance process for you, hands-off, combining dedicated expert guidance with automated compliance software to get you compliant faster and with less stress.

Here's what's included when you partner with Probo:

  • Dedicated Compliance Expert: Direct access to compliance experts whenever you need guidance. No more guessing or searching for answers—your expert is just a message away.
  • Onboarding Meeting: An onboarding meeting with your dedicated expert to understand your full context, tech stack, and specific compliance needs from day one.
  • Policies & Risk Assessment: Probo handles all necessary documentation templates and risk analysis for you. No more starting from scratch or wondering if your policies meet the directive's requirements.
  • Implementation Support: We guide you through implementing the technical and organizational controls required by Article 21, ensuring your security measures are appropriate and proportionate to your risk profile.
  • Quarterly Follow-ups: Ongoing support to maintain your compliance posture. NIS2 requires continuous improvement—Probo ensures you stay compliant through regulatory changes and evolving threats.
  • Access to Probo Compliance Platform: A centralized workspace to manage all compliance activities, with automated evidence collection and audit-ready documentation that keeps everything organized and accessible.
