Does NIS2 apply to your organization — exactly?
NIS2 applies based on two criteria: your sector and your size. Both must be satisfied for the directive to apply. Understanding precisely where you fall determines your compliance obligations, your registration requirements, and your penalty exposure.
The directive divides organizations into two tiers — Essential Entities and Important Entities — each with different supervisory approaches and different maximum penalties. Essential entities face ex-ante supervision (proactive regulatory oversight), while important entities face ex-post supervision (reactive, following an incident or complaint).
A key practical point: even if your organization does not meet the size thresholds, you may still be subject to NIS2 if you are identified as critical infrastructure by your national authority, if you are the sole provider of an essential service in a member state, or if a disruption to your services would have a significant cross-border impact.
If you are uncertain whether NIS2 applies to your organization, Cyber-Management can provide a definitive scoping assessment in a single consultation — including your registration obligations with the relevant national authority.
Essential entities
Higher obligation tier
Sectors: energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space.
250+ employees, or both €50M+ turnover and €43M+ balance sheet
Important entities
Standard obligation tier
Sectors: postal & courier, waste management, chemicals, food, manufacturing (medical devices, electronics, vehicles, machinery), digital providers, research.
50–249 employees, or both €10M–€50M turnover and €10M–€43M balance sheet
Note: Some sectors — digital infrastructure providers (DNS, TLD registries, cloud, datacentres, CDNs, managed security services, electronic communications) — are subject to NIS2 regardless of size. All organizations in these categories must comply, even if under the employee/turnover thresholds.
NIS2 Directive Areas of Focus

Risk Management Framework
Mechanisms to identify relevant assets, assess the level of risks and create risk mitigation strategies.

Cybersecurity Governance Framework
Governance framework providing a clear set of rules, processes and principles, ensuring accountability, transparency, and alignment with organizational goals.

Incident Response Planning
Preparing for, detecting, responding to, and recovering from cybersecurity incidents.

ICT Supply Chain Risk Management
Identify, assess, and mitigate risks associated with the supply chains of Information and Communication Technology (ICT) products and services.

Cybersecurity Education & Training
Create programs and initiatives designed to enhance employees' awareness and skills regarding cybersecurity practices, policies, and threats.

Business Continuity & Disaster Recovery
Ensure that your operations are resilient and capable of rapid recovery from cyber incidents through business continuity and disaster recovery planning.
Article 21 — the 10 security measures NIS2 mandates
NIS2 does not leave security requirements to interpretation. Article 21 of the directive specifies 10 categories of security measures that every covered entity must implement, document, and maintain.
These are not suggestions — they are minimum requirements. National authorities assess compliance against all 10. Cyber-Management's NIS2 gap analysis evaluates your current controls against every Article 21 measure and produces a prioritized implementation plan that closes the gaps in the right order.
Risk analysis & security policies
Documented policies on information systems security, including risk analysis and treatment processes.
Incident handling
Documented procedures for detecting, classifying, responding to, and reporting security incidents — including the NIS2 notification timelines.
Business continuity & crisis management
Business continuity plans, backup management, disaster recovery, and crisis management procedures to maintain operations during and after incidents.
Supply chain security
Security requirements for relationships with direct suppliers and service providers, including assessment of each supplier's security practices.
Security in system acquisition & development
Security requirements across the procurement, development, and maintenance of network and information systems, including vulnerability handling.
Effectiveness assessment policies
Policies and procedures for assessing the effectiveness of cybersecurity risk management measures — including regular audits and testing.
Cyber hygiene & training
Basic cyber hygiene practices and cybersecurity training for all staff, with specific governance training for management bodies under Article 20.
Cryptography & encryption
Policies on the use of cryptography and, where appropriate, encryption of data at rest and in transit.
Human resources security & access control
Policies covering access control, asset management, and the security of human resources — including joiners, movers, and leavers processes.
Multi-factor authentication & secure communications
Use of multi-factor authentication (MFA), continuous authentication solutions, and encrypted voice, video, and text communications where appropriate.
Article 20 — Management body personal liability
NIS2 introduces a significant shift: under Article 20, the management bodies of essential and important entities are personally accountable for approving and overseeing the implementation of security measures. If an organization fails to comply, senior executives and board members can face personal liability — including temporary bans from management roles. This is not theoretical. It is a direct signal from the EU that cybersecurity is a board-level governance issue, not an IT department responsibility.
NIS2 incident reporting — the three-stage timeline
NIS2 introduces one of the most demanding incident notification frameworks in EU law. Missing any of the three deadlines is itself a compliance failure — independent of the incident that triggered it.
A "significant incident" under NIS2 is one that has caused or is capable of causing severe operational disruption, financial loss, or reputational damage — or that has affected other organizations or public safety. The notification obligation activates from the moment you become aware of the incident, not from when it was first detected.
24h
Early warning
An initial early warning to your national CSIRT or competent authority. It must indicate whether the incident is suspected to be malicious and whether it may have cross-border impact. No full analysis is required at this stage; it is an awareness notification only.
72h
Incident notification
A full incident notification including initial assessment of severity and impact, indicators of compromise where available, and any measures taken or planned. This is the substantive notification that most organizations struggle with due to the 72-hour window.
1 mo
Final report
A detailed final report within one month covering the full description of the incident, root cause analysis, implemented mitigations, cross-border impact assessment, and lessons learned — structured to inform the national authority's threat intelligence.
Cyber-Management builds NIS2-compliant incident response procedures — including pre-written notification templates for all three stages — so your team can meet every deadline under pressure, without starting from a blank page.
NIS2 vs NIS1 — what changed and why it matters for your business
If your organization was assessed against the original NIS Directive and declared compliant, that assessment is no longer sufficient. NIS2 is not an incremental update — it is a material expansion of scope, obligations, and enforcement.
| Area | NIS1 (2016) | NIS2 (2024) |
|---|---|---|
| Scope | 7 sectors, operators of essential services only | 18 sectors, both essential and important entities including medium-sized enterprises |
| Size threshold | Determined by member states — inconsistent across the EU | Harmonized EU-wide: 50+ employees or €10M+ turnover as the minimum threshold |
| Security requirements | General principles — significant national variation in implementation | 10 specific Article 21 measures, harmonized across all member states |
| Incident reporting | Notification to national authority — timeline set nationally | Three-stage mandatory timeline: 24h early warning, 72h notification, 1 month final report |
| Management liability | No personal liability for management | Article 20 — management bodies personally accountable, including potential bans from leadership roles |
| Supply chain | Not explicitly addressed | Mandatory supply chain security assessment as part of Article 21(2)(d) |
| Penalties | Determined by member states — inconsistent across EU | Harmonized: up to €10M or 2% of global turnover for essential entities; €7M or 1.4% for important entities |
| Supervision | Reactive — following an incident | Essential entities: proactive (ex-ante); Important entities: reactive (ex-post) |
NIS2 fines and enforcement — what non-compliance costs
NIS2 harmonizes penalties across the EU for the first time — ending the patchwork of nationally-set fines that made enforcement inconsistent under NIS1. The financial exposure is substantial, but the reputational and operational consequences can exceed the financial penalties.
Essential entities — maximum fine
€10M
Or 2% of total worldwide annual turnover, whichever is higher. National authorities may also impose temporary bans on senior management from performing management functions.
Important entities — maximum fine
€7M
Or 1.4% of total worldwide annual turnover, whichever is higher. Subject to the same management liability provisions as essential entities under Article 20.
Beyond financial penalties, national authorities can issue binding instructions to implement specific security measures, require organizations to inform customers about threats or incidents, and publicly name non-compliant organizations. For any SMB operating in B2B markets or regulated sectors, the reputational consequences of a public enforcement action — or a notified breach — typically far outweigh the fine itself.
Cyber-Management's NIS2 program is specifically designed to bring SMBs to a defensible compliance position — one that demonstrates good-faith implementation of all Article 21 measures and can withstand regulatory scrutiny if an incident does occur. Our vCISO service provides the ongoing governance and documentation oversight needed to maintain that position year-round.

Benefits of Partnering with Us
Peace of Mind
Focus on your core business while we handle your data protection needs, ensuring compliance and reducing risk.
Regulatory Compliance
Stay ahead of the ever-changing landscape of data privacy regulations, minimizing the risk of penalties and reputational damage.
Enhanced Customer Trust
Demonstrating a commitment to data protection can strengthen your relationship with clients and stakeholders, enhancing your brand’s reputation.
NIS2 compliance — Questions & Answers
For an SMB starting with limited existing security controls, reaching a defensible NIS2 compliance position typically takes 3–6 months. This covers gap analysis, risk assessment, policy development, incident response planning, supply chain assessment, staff training, and implementation of the Article 21 technical controls. Organizations with existing ISO 27001 certification or a functioning ISMS can often achieve NIS2 compliance in 4–8 weeks of focused gap remediation. Cyber-Management works to your specific deadlines — including urgent timelines for organizations that have already received regulatory inquiries or are under client pressure to demonstrate compliance.
A NIS2 gap analysis is a structured assessment of your current security controls, policies, and processes against every Article 21 requirement. Cyber-Management's NIS2 gap analysis produces: a clause-by-clause assessment of your current compliance status (fully met / partially met / not yet implemented), a prioritized gap register identifying your highest-risk non-conformities, a costed implementation roadmap with realistic timelines, and a management summary designed to brief board-level stakeholders on compliance exposure and the investment required to address it. The gap analysis is the essential first step — it tells you precisely what needs to be done and in what order, before any further investment is made.