What is NIS 2? A guide to navigating compliance requirements

The Network and Information Security (NIS) directive was introduced in 2016 to outline cybersecurity obligations across the EU and enable operational resilience for in-scope organizations. In 2020, the European Commission proposed the directive’s revision, which led to the formal adoption of NIS 2 in 2022.

‍

In this guide, we answer the common question of organizations impacted by the directive—What is NIS 2? You’ll learn everything you need to know about the directive’s latest version, including:

• NIS 2’s purpose, scope, benefits, and non-compliance penalties
• Key security requirements
• An overview of the compliance process
• Common compliance challenges you may encounter

‍

NIS 2 at a glance

NIS 2 is an EU directive that aims to fortify the cybersecurity posture of organizations within the Member States through various controls. It effectively replaced the original NIS directive (Directive 2016/1148), which lacked prescriptive guidance and effective enforcement measures.

‍

The updated directive aims to harmonize the security frameworks among entities in the Member States and ensure consistent enforcement of the applicable rules. It came into effect in October 2024, so timely compliance is critical.

‍

This is because NIS 2 is mandatory and imposes various penalties on non-compliant entities. In addition to the increased financial penalties, the directive requires more accountability from top management to ensure compliance.

‍

{{cta_withimage22="/cta-blocks"}}

‍

NIS 2 non-compliance penalties

Entities that fail to comply with NIS 2 are subject to considerable administrative penalties, which depend on the entity’s classification. Specifically, NIS 2 differentiates between two types of entities:

• Essential: Mid-sized and large entities in high-criticality sectors
• Important: Mid-sized and large entities in sectors where disruptions wouldn’t have severe consequences

‍

The non-compliance fines applicable to both categories are outlined in the following table:

‍

‍

Besides fines, NIS 2 introduces non-monetary penalties enforceable by Member States’ national supervisory authorities, such as:

• Binding instructions
• Compliance orders
• Threat notification to non-compliant entities’ customers

‍

Finally, NIS 2 aims to relieve the pressure from in-scope organizations’ IT teams, who often carry the most responsibility for the organization’s security. The directive does this by emphasizing top management’s individual liability for security incidents. This means executives must actively engage in cybersecurity decision-making and ensure that their organization has adequate resources and policies to meet NIS 2 requirements.

‍

If proven gross negligence results in a realized threat event, top management might face sanctions like:

• An order to make compliance violations public
• A demand for a public statement highlighting the personal responsibility of natural and legal person(s)
• Temporary removal from management positions (in case of essential entities and repeat violations)

‍

Why does NIS 2 matter?

Compared to the initial NIS directive, NIS 2 comes with several notable advantages:

• Clearer security requirements: While NIS 2 still doesn’t introduce specific controls organizations should implement, it outlines the necessary security requirements much less broadly than its predecessor, making implementation easier for both Member States and their entities
• Broader scope: NIS 2 encompasses more critical infrastructure entities than the original NIS (waste management, public administration, etc.), which helps strengthen the cybersecurity posture of organizations across the key sectors
• Clarified governance and oversight: NIS 2 standardizes the roles of governance authorities like National Competent Authorities (NCAs) and National Computer Security Incident Response Teams (CSIRTs), which helps ensure effective oversight without considerable implementation differences
• Well-defined incident reporting guidelines: NIS 2 precisely outlines the criteria that constitute significant incidents and introduces a strict, 24-hour time frame for their reporting to the relevant authorities
• Harmonization of best practices across Member States: NIS 2 unifies the key security requirements and best practices all Member States should follow to ensure more cohesive and uniform implementation

‍

What is the scope of NIS 2?

NIS 2 encompasses 15 sectors, eight of which are considered essential:

1. Energy
2. Transport
3. Finance
4. Public administration
5. Health
6. Space
7. Water supply (drinking and wastewater)
8. Digital infrastructure

‍

The remaining seven sectors are classified as important:

1. Postal services
2. Waste management
3. Chemicals
4. Research
5. Foods
6. Manufacturing
7. Digital providers

‍

Besides their sector, organizations can be classified as essential or important based on their size and critical role. Generally speaking, large entities are essential by default, while mid-sized ones can either be essential or important.

‍

For example, organizations like TLD name registries and DNS providers are considered essential regardless of size. Note that this also includes micro and small organizations, which are typically outside NIS 2's scope.

‍

Still, the directive might apply to such organizations if they meet the criteria outlined in Article 2 of the directive. For example, if a disruption of an entity’s services could significantly impact public safety, security, and health, that entity is considered essential and must comply with NIS 2 regardless of its size.

‍

Key security requirements of NIS 2

NIS 2 was built on three principles:

1. Business continuity
2. Corporate accountability
3. Effective incident reporting

‍

The directive’s security requirements support these foundational obligations that in-scope entities must meet. To make doing so easier, NIS 2 outlines 10 minimum security requirements:

1. Documented policies on information system security and risk analysis
2. Incident handling
3. Business continuity strategies, including backup management, crisis management, and disaster recovery
4. Supply chain security, which encompasses the relationships between entities, as well as those between entities and their service providers or direct suppliers
5. Security in the acquisition, development, and maintenance of network systems
6. Policies and procedures for evaluating the measures of cybersecurity risk management
7. Basic cybersecurity training and cyber hygiene practices
8. Policies and procedures related to the use of cryptography and encryption
9. Asset management, access point policies, and human resource security
10. The use of adequate technical security measures (multi-factor or continuous authentication solutions, secure voice, video, and text communications, and emergency communication systems)

‍

Many organizations already have at least some controls that meet NIS 2 requirements, which means they only need to upgrade their security posture to ensure compliance. The only problem here is that NIS 2 doesn’t specify which controls should be implemented, which is why it’s recommended to pair the directive with a more prescriptive framework like ISO 27001.

‍

{{cta_withimage22="/cta-blocks"}}

‍

NIS 2 compliance process at a glance

The specifics of your NIS 2 compliance process will largely depend on your entity’s classification and current cybersecurity measures. Still, the high-level activities you can take are universal and include the following:

1. Set compliance goals: You should decide whether to pursue NIS 2 compliance directly or start with a complementary framework like ISO 27001 to get clearer guidance on meeting some of the directive’s requirements.
2. Analyze the current state of cybersecurity: To achieve NIS 2 compliance, you must understand your current security posture. After familiarizing yourself with the necessary requirements, perform a comprehensive security review.
3. Identify gaps and outline the next steps: Once you have a firm grasp of your existing security controls, compare them to NIS 2 to see how far you are from compliance. Outline a precise gap remediation plan based on your security review to map out the path forward.
4. Implement missing controls: Depending on your existing controls and security standing, you might need to make more or less significant changes to your overall security infrastructure. This includes technical security measures and related policies and processes.
5. Self-attest framework completion: After bridging all the necessary compliance gaps, perform a comprehensive self-assessment against the NIS 2 requirements. Document everything to demonstrate adherence to all the mandated standards.

‍

While self-attestation should be enough to ensure NIS 2 compliance, some EU countries might also require a third-party audit. This means organizations must stay up-to-date with country-specific requirements to avoid unexpected compliance violations. 

‍

As of this writing, Member States like Hungary and Belgium have already adopted this additional layer of assurance. Belgium will also likely accept other security certifications like ISO 27001 as proof of NIS 2 compliance.

‍

Before starting your NIS 2 compliance process, make sure to get adequate resources and guidance from your national governing body.

‍

{{cta_webinar9="/cta-blocks"}} 

‍

Common NIS 2 compliance challenges

As NIS 2 lacks the prescriptive guidance of many other security regulations and frameworks, its adoption might be challenging without sufficient support. Your country's supervisory authority might provide more specific controls and steps, though it’s uncertain whether they’ll be enough to enable streamlined compliance.

‍

This issue is particularly concerning for organizations with maturing security programs still lacking comprehensive controls. Such organizations might run into several issues, including:

• Limited clarity over controls: If your team doesn’t have extensive experience with security regulations, NIS 2 might not be precise enough to help you outline a definitive compliance roadmap. This can lead to haphazard implementation and potentially expose you to violations.
• Lengthy security reviews: NIS 2 requires a thorough examination and upgrades to your security posture, which means you’ll need to understand the related controls completely. Without a well-developed review process, you might spend considerable time collecting all the necessary information.
• Extensive gap remediation: NIS 2 compliance gaps will likely be more prevalent and extensive in organizations with low-maturity security programs, so you might need to implement various controls to ensure adherence to the necessary requirements.
• Considerable evidence collection: Even if NIS 2 compliance doesn’t require a third-party audit in your jurisdiction, you might still be audited by a supervisory authority. To demonstrate compliance and facilitate the audit process, you’ll need to gather a significant amount of evidence.

‍

The good news is that most of these challenges are avoidable. Once you’ve familiarized yourself with the NIS 2 requirements, you can support your compliance process with a dedicated automation solution to meet them more effortlessly.

‍

Support end-to-end NIS 2 compliance with Vanta

Vanta is a comprehensive compliance and trust management platform that automates up to 65% of NIS 2 compliance workflows. By doing so, it lets you achieve compliance much faster and without wasting resources.

‍

The platform does this through a dedicated NIS 2 product with 50+ pre-built technical cybersecurity controls that remove uncertainty during control implementation. It offers additional valuable resources and features, such as:

• 100+ document and policy templates
• 600+ relevant tests
• Cross-referencing with existing frameworks to avoid duplicate work

‍

To enable a cohesive compliance process and efficient ongoing control monitoring, Vanta seamlessly integrates with over 375 popular software solutions. It also offers continuous expert support throughout the compliance process, eliminating guesswork and inefficient workflows.

‍

If you wish to see precisely how Vanta and its NIS 2 product make this happen, schedule a custom demo for a hands-on experience.

‍

{{cta_simple30="/cta-blocks"}} 

‍

A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.