NIS2 Directive - EU Cybersecurity Directive 2022/2555
The NIS2 Directive (EU 2022/2555) is the European Union's primary cybersecurity legislation, replacing the original NIS Directive (2016/1148). NIS2 entered into force on 16 January 2023, with a transposition deadline of 17 October 2024 for EU member states. The directive expands the scope to "essential" and "important" entities across 18 sectors, imposes management accountability, and introduces a tiered incident reporting regime whose first deadline falls at 24 hours.
The NIS2 Reporting Timeline
Article 23 of NIS2 establishes a tiered reporting timeline for significant incidents:
- 24 hours: Early warning to the CSIRT or competent authority, indicating whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have a cross-border impact
- 72 hours: Incident notification updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
- 1 month: Final report including a detailed description of the incident, its severity and impact, the type of threat or root cause, the mitigation measures applied, and any cross-border or supply-chain implications
Who Is in Scope
NIS2 applies to essential entities (energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure, ICT service management, public administration, space) and important entities (postal services, waste management, chemical manufacturing and distribution, food production and distribution, general manufacturing, digital providers, research). The size threshold is medium-sized enterprises and above (50+ employees or EUR 10M+ turnover), with sector-specific exceptions.
Penalties and Management Accountability
Penalties for essential entities can reach EUR 10 million or 2% of global annual turnover, whichever is higher. For important entities the cap is EUR 7 million or 1.4% of global annual turnover, whichever is higher. Article 20 makes management bodies directly responsible for compliance: senior leadership can be held personally liable for cybersecurity governance failures.
Track NIS2 reporting clocks automatically
IR-OS tracks NIS2 24-hour, 72-hour, and one-month deadlines, with role-based notifications and audit-ready records for EU regulators.