April 3, 2025

Who needs to comply with NIS 2? Scope, requirements, and penalties explained

Written by
Vanta

NIS 2 (Directive (EU) 2022/2555) is the EU directive that replaces the original NIS directive and establishes a common cybersecurity baseline for designated organizations across the Member States. Compared to the original directive, the scope is broader, and compliance is mandatory for every in-scope organization.

The broader scope means that while NIS 2 is EU-specific, some organizations outside the Union may also be subject to its requirements.

In this guide, we’ll clarify which entities must comply with NIS 2 and explore other critical compliance criteria, such as essential security requirements, regulatory differences, and non-compliance penalties.

NIS 2 applicability explained

Determining whether an organization falls under NIS 2 can be complex, especially for small and medium-sized organizations. Some summaries count 15 sectors, but the directive's legal text lists 18, split across two annexes: Annex I covers 11 sectors of high criticality (1–11 below) and Annex II covers seven other critical sectors (12–18):

  1. Energy
  2. Transport
  3. Banking
  4. Financial market infrastructures
  5. Health
  6. Drinking water
  7. Waste water
  8. Digital infrastructure
  9. ICT service management 
  10. Public administration
  11. Space
  12. Postal and courier services
  13. Waste management
  14. Manufacture, production, and distribution of chemicals
  15. Production, processing, and distribution of food
  16. Manufacturing
  17. Digital providers
  18. Research

These sectors map to two categories of covered organization: essential and important entities. Entities in the Annex II sectors (12–18) are important entities. Entities in the Annex I sectors (1–11) are either essential or important, depending primarily on their size, with a few categories treated as essential regardless of size.

NIS 2 determines size using the EU definition of micro, small and medium-sized enterprises (Commission Recommendation 2003/361/EC), which combines headcount with either annual turnover or balance-sheet total:

  • Large: 250 or more employees, or annual turnover above €50 million and a balance-sheet total above €43 million
  • Medium: fewer than 250 employees, and annual turnover of €50 million or less or a balance-sheet total of €43 million or less (and above the small thresholds)
  • Small and micro: fewer than 50 employees, and annual turnover or balance-sheet total of €10 million or less

Note that headcount alone does not make an organization small: a company with 20 employees, €30 million in turnover and a €20 million balance sheet is medium-sized under this definition.

In the Annex I sectors (1–11), large organizations are essential entities by default and medium-sized organizations are important entities. There are exceptions tied to critical roles rather than size: DNS service providers, top-level domain (TLD) name registries and qualified trust service providers are essential regardless of size, because of their role in keeping the internet functioning and trustworthy, and medium-sized providers of public electronic communications networks or services are essential rather than important. Member States can also designate additional entities as essential.

Although NIS 2 primarily applies to medium and large organizations, it also reaches small and micro organizations that meet certain criteria (Article 2(2)). Regardless of size, the directive applies to an entity in a listed sector if:

  • It is the sole provider in a Member State of a service that is essential for critical societal or economic activities
  • Disrupting its service could have a significant impact on public safety, public security or public health
  • Disrupting its service could create significant systemic risk, especially where the disruption would have cross-border effects
  • It is critical because of its specific importance at national or regional level for its sector, its service, or other interdependent sectors

Providers of public electronic communications networks or services, trust service providers, TLD name registries, DNS service providers and public administration entities are also in scope regardless of size. Small entities brought in through these criteria are important entities unless their Member State designates them as essential.

For example, a small cybersecurity provider whose services underpin critical infrastructure in several EU Member States could be brought into scope, and potentially designated essential, because of its cross-border impact.

If your organization is in the financial sector, DORA (the Digital Operational Resilience Act) takes precedence. Both DORA and NIS 2 address cybersecurity and operational resilience, but DORA is a sector-specific act (lex specialis) whose requirements are at least equivalent to those of NIS 2, so financial entities covered by DORA apply DORA's ICT risk-management and incident-reporting rules instead of the corresponding NIS 2 provisions.


Essential vs. important entities: Regulatory differences to consider

Understanding whether your organization is an essential or important entity under NIS 2 is crucial, because the two categories are subject to different supervisory regimes, enforcement powers and maximum fines.

Essential entities are subject to both ex ante and ex post supervision: authorities can carry out regular and targeted audits, on-site and off-site inspections, and ad hoc audits even when there is no incident and no suspicion of non-compliance. Enforcement is also stricter: regulators can issue binding instructions with deadlines, order the implementation of audit recommendations, and designate a monitoring officer with defined tasks to oversee the entity's compliance over a set period.

In contrast, important entities are subject to ex post supervision only, meaning audits and information requests are typically triggered by evidence or an indication that the entity is not complying. The enforcement toolkit is largely the same, but without the designation of a monitoring officer and without the harsher sanctions reserved for essential entities, such as suspension of certifications or temporary bans on managers.

Financial penalties for non-compliance vary between the two types of entities, as shown in the table below:

Entity type Maximum administrative fine (Member States must provide for at least this)
Essential €10 million or 2% of total worldwide annual turnover, whichever is higher
Important €7 million or 1.4% of total worldwide annual turnover, whichever is higher

Does NIS 2 apply to the UK and the US?

NIS 2 is EU law that is transposed into the national laws of the Member States, so it does not bind UK or US entities in their own right. It can still reach them in two ways. First, in-scope EU customers must manage supply chain security, so they pass NIS 2-derived requirements down to their providers contractually. Second, certain categories of provider that are not established in the EU but offer their services within it fall directly in scope.

Managed service providers (MSPs) and managed security service providers (MSSPs) have been in scope since the directive was adopted in December 2022; what happened on 17 October 2024 was the deadline for Member States to transpose NIS 2 into national law, which is when the obligations started to be enforced. Under Article 26, a DNS service provider, TLD name registry, cloud computing, data centre or content delivery network provider, MSP, MSSP, online marketplace, online search engine or social networking platform that is not established in the EU but offers services there must designate a representative in one of the Member States where it provides those services, and it is supervised from that Member State. A US IT support company, cloud provider or cybersecurity firm serving EU clients in these categories therefore has to meet the directive's requirements regardless of where it is headquartered, subject to the same size and criticality tests as an EU entity.

NIS 2 (Article 6) defines a managed service provider as an entity that provides services related to the installation, management, operation or maintenance of ICT products, networks, infrastructure, applications or any other network and information systems, via assistance or active administration carried out either on customers' premises or remotely.

NIS 2 security requirements covered entities must meet

Although essential and important entities face different supervisory measures, they must implement the same cybersecurity risk-management measures. Article 21 of NIS 2 requires, at a minimum, the following ten measures of every in-scope entity:

  1. Policies on risk analysis and information system security
  2. Incident handling, including detection and response tooling and procedures, incident management, and roles and responsibilities
  3. Business continuity, such as backup management and disaster recovery, and crisis management
  4. Supply chain security, including the security-related aspects of the relationships between the entity and its direct suppliers or service providers
  5. Security in network and information systems acquisition, development and maintenance, including vulnerability handling and disclosure
  6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures
  7. Basic cyber hygiene practices and cybersecurity training
  8. Policies and procedures regarding the use of cryptography and, where appropriate, encryption
  9. Human resources security, access control policies and asset management
  10. The use of multi-factor authentication or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate

The directive also makes the entity's management body responsible for approving these measures and overseeing their implementation, and requires its members to follow cybersecurity training (Article 20).

In-scope organizations must also follow a three-stage reporting process for significant incidents (Article 23): an early warning to the CSIRT or competent authority within 24 hours of becoming aware of the incident, an incident notification with an initial assessment of severity and impact within 72 hours, and a final report no later than one month after the incident notification (or a progress report if the incident is still ongoing, followed by a final report once it is handled). Authorities may request intermediate status updates in between, and entities must inform the recipients of their services where a significant incident is likely to affect them.

These measures are intended to protect network and information systems, and their physical environment, from incidents. They must be proportionate to the entity's exposure to risk, its size, and the likelihood and potential severity of incidents, so a small important entity is not expected to run the same program as a large essential one.


NIS 2 non-compliance penalties

Alongside harmonized administrative fines, NIS 2 gives national authorities non-monetary enforcement powers and introduces personal accountability for management.

Non-monetary enforcement measures include:

  • Issuing warnings and binding instructions
  • Ordering the entity to cease conduct that infringes the directive and to bring its risk-management measures into compliance
  • Ordering the implementation of recommendations from a security audit within a set deadline
  • Ordering the entity to inform the natural or legal persons it provides services to about a significant cyber threat and the protective measures they can take
  • Ordering the entity to make aspects of its non-compliance public

Management accountability measures, which hold the members of an entity's management body liable for its non-compliance, include:

  • Requiring a public statement identifying the natural and legal persons responsible and the nature of the infringement
  • For essential entities, temporarily suspending a certification or authorisation for the relevant services or activities until the infringement is remedied
  • For essential entities, temporarily prohibiting any natural person with managerial responsibilities at CEO or legal-representative level from exercising those responsibilities until the infringement is remedied

These are administrative measures; any criminal sanctions come from the Member State's own transposing law rather than from the directive itself. NIS 2 entered into force on 16 January 2023, Member States had to transpose it by 17 October 2024, and the national rules apply from 18 October 2024, so achieving compliance quickly matters both to avoid these penalties and to prevent the operational disruption that enforcement can bring.

Achieving and maintaining NIS 2 compliance effectively can be challenging for organizations of all sizes, especially for smaller service providers entering regulated EU sectors. Compliance with NIS 2 can also be costly and time-consuming, and scoping and implementing the requirements across scattered systems can create a significant barrier to entry into the EU market.

However, organizations can streamline compliance efforts by leveraging automated trust platforms. These platforms allow you to organize, automate, and track your teams’ workflows, streamlining the compliance process and avoiding duplicative work.

Vanta: Your NIS 2 compliance partner

Vanta is a comprehensive trust management platform that automates up to 65% of the work required to achieve NIS 2 compliance. With a dedicated NIS 2 solution, Vanta streamlines compliance efforts with 700+ built-in resources, including:

  • 50+ technical controls
  • 100+ document templates
  • 600+ relevant tests
  • 10+ policies

The platform also comes with 375 integrations to further simplify the compliance process and reduce unnecessary manual work, ensuring seamless and efficient NIS 2 compliance.

Vanta’s technical controls for NIS 2 are designed to overlap with other major security frameworks, such as ISO 27001, SOC 2, and NIST CSF, minimizing redundant work for organizations pursuing multiple certifications by reducing duplications.

Schedule a custom demo to experience firsthand how Vanta simplifies NIS 2 compliance.


A note from Vanta: Vanta is not a law firm, and this article does not constitute or contain legal advice or create an attorney-client relationship. When determining your obligations and compliance with respect to relevant laws and regulations, you should consult a licensed attorney.
