July 1, 2026

Navigating NIS2: Essential Entities and Compliance Steps

Introduction

NIS2 — the EU’s Network and Information Security Directive 2 — is no longer an upcoming regulation. It’s here. And for the organisations caught in its scope, the compliance clock has been running for over a year.

But here’s the problem: most security teams know NIS2 exists. Very few can clearly articulate what it actually requires them to do — beyond “report incidents within 24 hours” and “get your board accountable.” The directive is 88 pages long, and the gap between awareness and actionable implementation is enormous.

This post is for security teams who need to move from “we’ve read about NIS2” to “we have a defensible compliance programme.” We’ll cover: who NIS2 applies to, what it actually requires, the consequences of getting it wrong, and a practical implementation checklist that maps to the directive’s core obligations.

In this post, you’ll learn:

  • Which organisations are in scope for NIS2 and what the thresholds are
  • The 10 core security requirements NIS2 mandates
  • What the 24-hour incident reporting window actually means in practice
  • The penalties for non-compliance — and why cyber insurance is getting harder to obtain without it
  • A practical NIS2 compliance checklist for security teams

NIS2: Who’s Actually in Scope?

NIS2 expands significantly from the original NIS directive (2016). It introduces two categories: Essential Entities and Important Entities. Both have mandatory compliance requirements, but penalties differ.

Essential Entities (highest risk, strictest requirements)

  • Energy (electricity, oil, gas)
  • Transport (air, rail, water, road)
  • Banking and financial market infrastructure
  • Healthcare (hospitals, clinics, laboratories)
  • Drinking water and wastewater
  • Digital infrastructure (cloud providers, data centres, DNS)
  • Public electronic communications networks and services
  • Public administration entities

Important Entities

  • Postal and courier services
  • Waste management
  • Manufacturing, production, and distribution of chemicals
  • Food production, processing, and distribution
  • Digital providers (online marketplaces, search engines, social networks)
  • Research organisations

The key threshold most organisations miss: NIS2 applies based on sector AND size. Organisations with 50+ employees and €10M+ annual revenue are automatically in scope. But even smaller organisations can be pulled in if they’re the sole provider of a critical service in a specific region. The directive also allows Member States to add additional entities at national level.

For your security team: the first step is determining whether your organisation falls under Essential or Important classification — the obligations are similar but the penalties differ. ENISA’s official NIS2 directive page provides the authoritative reference for scope definitions, entity classifications, and regulatory timelines.

For UK organisations post-Brexit: the original NIS directive was incorporated into UK law as part of the 2018 regulations. NIS2 doesn’t directly apply in the UK — but the UK’s National Cyber Security Centre (NCSC) has published guidance aligned with the directive’s intent, and organisations operating in the EU may face dual compliance requirements. If you operate across both UK and EU, you may also find my API security guide relevant for the technical controls NIS2 mandates.


The 10 Core NIS2 Security Requirements

NIS2 doesn’t just ask you to “have good security.” It specifies 10 concrete areas your security programme must address:

  • Risk analysis and information system security — Documented security risk assessments covering network and information system vulnerabilities, supply chain risk, and asset classification
  • Incident handling — Established procedures for detecting, responding to, and recovering from incidents. Includes forensic capabilities and escalation paths
  • Business continuity and crisis management — Business continuity plans that cover IT infrastructure failures, including disaster recovery and communication plans for stakeholders
  • Security policies — Documented security policies covering access control, network security, asset management, and supply chain security
  • Use of cryptography and encryption — Appropriate encryption for sensitive data in transit and at rest, including policies for cryptographic key management
  • Human resources security — Background checks for employees with access to sensitive systems, security awareness training, and documented procedures for personnel termination
  • Physical security and environmental security — Physical access controls to facilities housing critical infrastructure, environmental controls (fire, flood, power)
  • Supply chain security — Assessment of security risks in the supply chain, including vendors, service providers, and third-party software dependencies
  • Vulnerability handling and disclosure — Processes for identifying, tracking, and remediating vulnerabilities. Coordinated disclosure to affected parties
  • Cybersecurity hygiene and training — Regular security awareness training for all employees, specific training for personnel with security responsibilities

ENISA’s NIS2 directive guidance documents are the authoritative reference standards for implementing each requirement. Their technical guidelines cover risk management frameworks, incident handling procedures, and supply chain security assessments in detail. For organisations in the financial sector specifically, DORA (Digital Operational Resilience Act) overlaps with NIS2 obligations and should be reviewed in parallel.


The 24-Hour Incident Reporting Window: What It Actually Means

The most cited — and most misunderstood — NIS2 requirement is the 24-hour reporting window. Here’s the practical breakdown:

  • Within 24 hours of becoming aware of a significant incident: submit an early warning notification to your national Computer Security Incident Response Team (CSIRT)
  • Within 72 hours: submit an incident notification with an initial assessment of severity, type, and observed impact
  • Within one month: submit a final report with a full incident timeline, description of the incident, affected systems, mitigating measures, and cross-border impact if applicable

The 24-hour clock starts when you become “aware” — not when the incident occurred. This distinction matters. It means your incident detection and escalation processes need to get an alert to your security team fast enough that they can assess, determine significance, and initiate reporting within that window. If you don’t have a documented incident response plan yet, this is your starting point.

“Significant incident” is defined as one that causes: severe operational disruption or financial loss to the entity; or harm to other individuals or legal entities. For Essential Entities, even a minor incident affecting a single employee laptop may qualify — the threshold is broader than many organisations assume.

ENISA’s Incident Handling guide provides step-by-step procedures for meeting these reporting obligations, including templates for early warning, incident notification, and final reporting stages.


Penalties: What Happens When You Get It Wrong

NIS2 has real teeth — and the penalties reflect the directive’s ambition to raise cybersecurity standards across the EU:

  • Essential Entities — Fines up to €10 million or 2% of worldwide annual turnover, whichever is higher. Sanctions also include temporary bans from exercising managerial functions
  • Important Entities — Fines up to €7 million or 1.4% of worldwide annual turnover, whichever is higher

Beyond financial penalties, national regulators can require entities to:

  • Cease operations temporarily until compliance is demonstrated
  • Publicly disclose the non-compliance, damaging reputation and customer trust
  • Allow on-site inspections and audits by national authorities

The European Commission’s official NIS2 policy page provides additional context on how the directive is being implemented across Member States and what organisations should expect from national regulatory enforcement. Given the penalties, compliance isn’t optional — and Zero Trust Architecture implementation is increasingly seen as a baseline expectation by regulators.


The NIS2 Compliance Checklist

  • ☑️ Confirm your entity classification (Essential vs. Important) and register with your national authority
  • ☑️ Conduct a documented security risk assessment covering your network and information systems, supply chain, and assets
  • ☑️ Establish incident detection and response procedures with clear escalation paths and a 24-hour reporting workflow
  • ☑️ Develop and test business continuity and disaster recovery plans for IT infrastructure failures
  • ☑️ Document security policies covering access control, network security, asset management, and supply chain risk
  • ☑️ Implement encryption for sensitive data in transit and at rest with key management policies
  • ☑️ Conduct background checks for personnel with access to critical systems
  • ☑️ Perform supply chain security assessments for all vendors and third-party providers
  • ☑️ Establish vulnerability handling and coordinated disclosure procedures
  • ☑️ Deliver security awareness training to all employees and specific training for security personnel
  • ☑️ Implement physical security controls at facilities housing critical infrastructure
  • ☑️ Ensure board-level accountability for NIS2 compliance — assign a named responsible person

Conclusion: Compliance as a Baseline, Not a Destination

NIS2 is designed to raise the floor — not set a ceiling — for cybersecurity across Europe. The directive’s requirements are the minimum expected of organisations in scope. The organisations that treat NIS2 compliance as a checkbox exercise will find themselves underprepared when the next sophisticated attack hits.

The real value of NIS2 compliance isn’t avoiding penalties — it’s building the security maturity to withstand the threats the directive was designed to address. Incident response plans that actually work. Supply chain visibility you didn’t have before. Board accountability that means something.

Start with the risk assessment. That’s where every defensible NIS2 programme begins — and it’s the foundation for everything that follows.


Read also: Zero Trust Architecture Implementation Guide, API Security Strategies for 2026, OT Security Threats in 2026, Incident Response Plan Guide

About the Author: Syed Adil Hussain is a cybersecurity professional helping organisations secure their digital infrastructure. Connect with him on LinkedIn or reach out directly at thecyberguy90@gmail.com.
