NIS2 Directive — EU Cybersecurity Rules for Essential and Important Entities
The NIS2 Directive (Directive (EU) 2022/2555 on measures for a high common level of cybersecurity across the Union) is the European Union's most far-reaching cybersecurity law to date. Adopted in December 2022, it replaced the 2016 NIS Directive with a much wider scope, stricter and more detailed obligations, and explicit accountability of management bodies for their organisation's cybersecurity. Member states had to transpose it into national law by 17 October 2024; many missed that deadline, and national implementation is still catching up.
NIS2 operates on the organisation side of the EU cybersecurity framework: it regulates how in-scope entities must manage their own cybersecurity. Its counterpart, the Cyber Resilience Act (CRA, Regulation (EU) 2024/2847), operates on the product side, regulating how products with digital elements must be built and maintained. Together they form the core of the EU's current cybersecurity legislation.
Key Facts
| Detail | Information |
|---|---|
| Full citation | Directive (EU) 2022/2555 (NIS2) |
| Published | 27 December 2022 in the Official Journal of the EU |
| Transposition deadline | 17 October 2024 |
| Replaces | NIS Directive (Directive (EU) 2016/1148) |
| Entities in scope | Roughly 160,000 entities (Commission estimate) across the 18 sectors of Annexes I and II |
| Essential entity fine | Administrative fines with a national maximum of at least €10 million or 2% of total worldwide annual turnover, whichever is higher (Art. 34(4)) |
| Important entity fine | Administrative fines with a national maximum of at least €7 million or 1.4% of total worldwide annual turnover, whichever is higher (Art. 34(5)) |
| Management liability | Management bodies must approve and oversee the risk management measures and can be held liable for infringements (Art. 20); for essential entities, authorities can seek a temporary ban on the CEO or legal representative exercising managerial functions (Art. 32(5)(b)) |
| Supervision and coordination | National competent authorities and CSIRTs; EU-level coordination through the NIS Cooperation Group, the CSIRTs network and ENISA |
What Changed from NIS to NIS2?
NIS2 is not a minor update — it fundamentally restructured the EU’s approach to organizational cybersecurity:
| Aspect | NIS (2016) | NIS2 (2022) |
|---|---|---|
| Sectors covered | 7 sectors | 18 sectors |
| Entity classification | Operators of Essential Services (OES) and Digital Service Providers (DSPs) | Essential entities + Important entities |
| Scope trigger | OES designated individually by member states | Size-cap rule + sector (medium and large enterprises in listed sectors are in scope automatically) |
| Supply chain security | Not addressed | Mandatory part of risk management (Art. 21(2)(d)) |
| Incident reporting timeline | Without undue delay (no fixed deadline) | 24-hour early warning, 72-hour incident notification, final report within one month |
| Penalties | Set by each member state | Harmonised floor for maximum fines: €10M / 2% (essential), €7M / 1.4% (important) |
| Management accountability | None | Management bodies must approve and oversee measures and can be held liable |
| Supervision | Mostly reactive | Ex ante supervision (audits, inspections) for essential entities; ex post for important entities |
| Harmonisation level | Low (member state discretion) | High (EU-wide minimum requirements) |
Who Must Comply? The Entity Classification
NIS2 uses a size-cap rule combined with sector classification, replacing the designation model of the original NIS Directive. As a rule, an entity is in scope if it operates in a sector listed in Annex I or Annex II and is medium-sized or larger under Commission Recommendation 2003/361/EC (broadly, at least 50 employees, or an annual turnover and balance sheet total above €10 million). Such entities must comply without waiting to be individually designated by a national authority. Some entity types are in scope regardless of size, including DNS service providers, TLD name registries, qualified trust service providers, and sole providers of a service essential to critical activities in a member state (Art. 2(2)).
Annex I: Sectors of High Criticality (Essential Entities)
Large enterprises in these sectors are essential entities (Art. 3(1)); medium-sized ones are, as a rule, important entities. Essential entities face ex ante supervision, so authorities can audit and inspect them without waiting for an incident (Art. 32):
Eleven sectors:
- Energy (electricity generation, distribution, transmission; oil; gas; hydrogen; district heating/cooling)
- Transport (air, rail, water, road — including operators, infrastructure managers)
- Banking (credit institutions)
- Financial market infrastructures (trading venues, central counterparties)
- Health (hospitals, healthcare providers, reference labs, pharmaceutical manufacturers, medical device manufacturers covered by critical device categories)
- Drinking water (suppliers and distributors)
- Wastewater (collection, disposal, treatment)
- Digital infrastructure (IXPs, DNS providers, TLD registries, cloud computing, data centres, CDN providers, trust service providers, electronic communication networks)
- ICT service management (B2B managed service providers, managed security service providers)
- Public administration (central government bodies and regional bodies; local bodies where a member state so decides)
- Space (operators of ground-based infrastructure supporting space-based services)
Annex II: Other Critical Sectors (Important Entities)
Medium and large enterprises in these sectors are important entities. They face ex post supervision only: authorities act when they receive evidence or indications of an infringement, for example after an incident or complaint (Art. 33):
Seven sectors:
- Postal and courier services
- Waste management
- Chemical manufacturing, production, and distribution
- Food production, processing, and distribution
- Manufacturing (medical devices and in vitro diagnostics; computer, electronic and optical products; electrical equipment; machinery; motor vehicles; other transport equipment)
- Digital providers (online marketplaces, online search engines, social networking platforms)
- Research organizations (public and private)
Critical for hardware manufacturers: Annex II manufacturing covers medical devices and computer, electronic, electrical and machinery products, so a medium or large manufacturer in those classes is in scope as an important entity in its own right, independent of who its customers are. Smaller manufacturers are not directly regulated, but if they supply essential or important entities they inherit supply chain security requirements through their customers' obligations under Article 21(2)(d).
Core Requirements: What NIS2 Demands
1. Risk Management Measures (Article 21)
NIS2 sets a minimum baseline of cybersecurity risk management measures that every in-scope entity must implement. Article 21(2) lists what the measures must "at least" include:
Technical and organisational measures:
| Measure | Description |
|---|---|
| Policies on risk analysis and information system security | Documented risk assessment methodology and security policies |
| Incident handling | Detection, response and recovery procedures, including forensic readiness |
| Business continuity | Backup management, disaster recovery and crisis management |
| Supply chain security | Security-related aspects of the relationships with direct suppliers and service providers |
| Security in acquisition, development and maintenance | Secure development practices; vulnerability handling and disclosure |
| Assessing effectiveness | Policies and procedures to assess whether the risk management measures actually work |
| Cyber hygiene and training | Basic cyber hygiene practices and cybersecurity training, including for the management body |
| Cryptography | Policies and procedures on the use of cryptography and, where appropriate, encryption |
| Human resources security, access control and asset management | Access control policies, asset inventories and personnel security procedures |
| Authentication and secured communications | Multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems, where appropriate |
Measures must be appropriate and proportionate to the entity's exposure to risk, its size, and the likelihood and severity of incidents, taking into account the state of the art and the cost of implementation (Art. 21(1)). Proportionality shapes how each measure is implemented; it does not remove any item from the Article 21(2) list.
2. Incident Reporting (Article 23)
NIS2 tightens incident reporting with a staged obligation towards the CSIRT or competent authority (Art. 23):
| Stage | Deadline | What to Report |
|---|---|---|
| Early warning | Within 24 hours of becoming aware of a significant incident | Whether the incident is suspected to be caused by unlawful or malicious acts; whether it could have cross-border impact |
| Incident notification | Within 72 hours of becoming aware | Update of the early warning; initial assessment of severity and impact; indicators of compromise where available |
| Intermediate report | On request of the CSIRT or competent authority | Relevant status updates |
| Final report | Within one month of the incident notification (or, if the incident is still ongoing, a progress report then and a final report within one month of handling it) | Detailed description including severity and impact; type of threat or root cause likely to have triggered the incident; mitigation measures applied and ongoing; cross-border impact where applicable |
A significant incident is one that:
- Has caused or could cause severe operational disruption or financial loss to the entity, or
- Has affected or could affect other natural or legal persons by causing considerable material or non-material damage.
Trust service providers are on a tighter clock: their incident notification is due within 24 hours rather than 72 (Art. 23(4)(b)). Entities must also, where appropriate, inform the recipients of their services about significant incidents without undue delay (Art. 23(1)). For DNS, TLD, cloud, data centre, CDN, managed service, trust service, online marketplace, search engine and social networking providers, the thresholds that make an incident "significant" are set out in Commission Implementing Regulation (EU) 2024/2690.
3. Supply Chain Security (Article 21(2)(d))
NIS2 makes supply chain security a first-class legal obligation for in-scope entities:
- Entities must address the security-related aspects of their relationships with direct suppliers and service providers (Art. 21(2)(d)).
- When deciding which measures are appropriate, entities must take into account the vulnerabilities specific to each supplier and the overall quality of suppliers' products and cybersecurity practices, including their secure development procedures (Art. 21(3)).
- The directive does not prescribe contract language, but in practice these duties are discharged through security requirements in supply agreements, supplier questionnaires and periodic reassessment of suppliers.
- At EU level, the Cooperation Group, together with the Commission and ENISA, may carry out coordinated security risk assessments of specific critical supply chains (Art. 22), and entities must take the results into account.
For hardware manufacturers: if your customers include essential or important entities, they are now legally required to weigh your cybersecurity posture as part of their own risk management. This creates strong market demand for hardware manufacturers to demonstrate auditable security practices: SBOM documentation, a vulnerability management and disclosure process, and secure development lifecycle evidence. Companies that can provide this evidence as a standard deliverable are better placed in procurement than those that have to assemble it on request.
4. Management Accountability (Article 20)
NIS2 introduces the most explicit governance requirement so far in EU cybersecurity law: accountability of management bodies (Art. 20):
- Management bodies (boards of directors, executive officers) must approve the cybersecurity risk management measures taken under Article 21.
- Management bodies must oversee their implementation and can be held liable for infringements of Article 21, in accordance with national law.
- Members of management bodies must follow training (and entities are encouraged to offer similar training to all employees) so that they can identify risks and assess risk management practices and their impact on the services provided.
- For essential entities, where other enforcement measures have not achieved compliance, competent authorities can (Art. 32(5)):
- Temporarily suspend a certification or authorisation for the services or activities concerned
- Request that a court or other relevant body temporarily prohibit the CEO or legal representative from exercising managerial functions in that entity
This is a fundamental shift: cybersecurity is no longer purely an IT department responsibility. It is a board-level legal obligation, and the directive gives supervisors tools that reach named individuals, not only the corporate entity.
NIS2 and Hardware Manufacturers: The Supply Chain Effect
Even if a hardware manufacturer is not directly in scope of NIS2 (e.g., a small company below the size thresholds), NIS2 creates significant market-driven requirements through the supply chain:
Customer-Driven Security Requirements
NIS2-regulated customers are legally required to assess supplier cybersecurity. This means hardware manufacturers will increasingly face:
- Security questionnaires and audits from major customers
- Contractual cybersecurity requirements in supply agreements
- Requirements to provide SBOMs, vulnerability disclosure policies, and security certifications
- Potential loss of contracts if they cannot demonstrate adequate security posture
Harmonised Demand Signal
Because NIS2 is a directive, it sets EU-wide minimum requirements that each of the 27 member states implements in national law. A hardware manufacturer supplying across the EU therefore sees broadly consistent demands from customers in every country, but details such as registration, reporting portals, significance thresholds and fine levels vary by member state, and several states were late transposing, so the exact requirements a customer passes on depend on where that customer is regulated.
Medical Device and Electronics Manufacturers
Medium and large manufacturers of medical devices and of computer, electronic, optical and electrical equipment are important entities under Annex II in their own right. For these companies compliance is not merely a customer expectation; they are directly regulated, must register with their national authority, and are subject to supervision and fines.
NIS2 vs. CRA — Different but Complementary
The two most important EU cybersecurity regulations address different dimensions of the same problem:
| Aspect | NIS2 Directive | CRA (EU 2024/2847) |
|---|---|---|
| Primary target | Organisations (how they operate) | Products with digital elements (how they are built and maintained) |
| Key obligation | Cybersecurity risk management + incident reporting | Security by design, vulnerability handling and security updates throughout the support period |
| Who must comply | Essential and important entities | Manufacturers, importers and distributors of products with digital elements |
| Management liability | Management bodies must approve and oversee measures and can be held liable | No direct management liability |
| Incident reporting | 24h early warning to the CSIRT or competent authority; 72h notification; one-month final report | 24h early warning of actively exploited vulnerabilities and severe incidents to the coordinating CSIRT and ENISA via the single reporting platform |
| Harmonised standards | None mandated; ISO/IEC 27001 commonly referenced; Implementing Regulation (EU) 2024/2690 details measures for digital infrastructure and digital providers | Harmonised standards under development by CEN/CENELEC; the EN 18031 series (written for the Radio Equipment Directive) and IEC 62443 are common starting points |
| Timeline | Applicable since 18 October 2024 (transposition deadline 17 October 2024) | In force 10 December 2024; reporting obligations from 11 September 2026; full application 11 December 2027 |
NIS2 secures organisations. CRA secures the products those organisations build and sell. A company that manufactures connected hardware is simultaneously subject to NIS2 (how it runs its own security) and the CRA (how it designs its products).
Enforcement and Penalties
NIS2 establishes, for the first time, a common minimum enforcement framework that every member state must build into national law:
Essential Entities
- Maximum fine: at least €10,000,000 or 2% of total worldwide annual turnover, whichever is higher; national law may set a higher cap (Art. 34(4))
- Ex ante supervision: authorities can conduct regular and targeted audits, on-site and off-site inspections, and security scans without an incident trigger (Art. 32(2))
Important Entities
- Maximum fine: at least €7,000,000 or 1.4% of total worldwide annual turnover, whichever is higher; national law may set a higher cap (Art. 34(5))
- Ex post supervision: authorities act on evidence or indications of non-compliance, typically following incidents or complaints (Art. 33)
Measures Reaching Management and the Public
- Liability of members of the management body for infringements of Article 21, under national law (Art. 20(1))
- Orders to make specific aspects of an infringement public (Art. 32(4)(h), Art. 33(4)(g))
- For essential entities only: temporary suspension of certifications or authorisations, and a temporary prohibition on the CEO or legal representative exercising managerial functions (Art. 32(5))
Timeline and Current Status
| Date | Event |
|---|---|
| December 2022 | NIS2 Directive published in Official Journal |
| 16 January 2023 | NIS2 entered into force |
| 17 October 2024 | Transposition deadline — all member states must have enacted national law |
| 17 January 2025 | Registration deadline for DNS, TLD, cloud, data centre, CDN, managed service, online marketplace, search engine and social networking providers (Art. 27); national registration deadlines for other entities vary by member state |
| 17 April 2025 | Deadline for member states to establish their lists of essential and important entities (Art. 3(3)) |
| Ongoing | Enforcement active in member states that have transposed; Commission infringement proceedings against those that have not; supply chain security requirements flow through to hardware suppliers |
Related Terms
- CRA — The product-focused counterpart to NIS2; hardware manufacturers must comply with both.
- NIS2 — Short-form glossary overview of NIS2.
- ENISA — EU Agency for Cybersecurity; supports member states, the Cooperation Group and the CSIRTs network and operates the European vulnerability database. Day-to-day enforcement is by national competent authorities.
- SBOM — Software Bill of Materials; increasingly requested by NIS2-regulated customers as evidence of supply chain security.
- Post-Market Surveillance — Overlaps with the vulnerability handling and disclosure duties of NIS2 Article 21(2)(e) and with the CRA's vulnerability handling requirements.
- IoT — Connected IoT devices in supply chains of NIS2-regulated entities face growing security scrutiny.
Hardware manufacturers supplying to NIS2-regulated entities face growing pressure to demonstrate auditable cybersecurity practices. Inovasense helps manufacturers establish the security program evidence that NIS2-regulated customers require: vulnerability management processes, SBOM generation, secure development lifecycle documentation, and embedded security implementations that provide technically verifiable evidence of security measures. Our EU compliance consulting covers the full picture — NIS2 supply chain obligations alongside CRA product requirements.
Official References
- Directive (EU) 2022/2555 (NIS2) — Full text — EUR-Lex, Official Journal of the European Union