NIS 2 Directive Compliance

NIS 2 Compliance — Know What's Required and Get There with Expert Support

The NIS 2 Directive is now enforceable law across the EU. If your organisation is in scope, compliance is not optional — and the requirements go beyond technology. Our NIS2 compliance consulting helps essential and important entities across Europe understand their obligations, close the gaps, and build cybersecurity governance that holds up to scrutiny.

NIS 2 Is Enforceable Now — and the Penalties Are Designed to Get Boardroom Attention

The NIS 2 Directive (Directive (EU) 2022/2555) entered into force on 16 January 2023. EU member states were required to transpose it into national law by 17 October 2024, at which point the obligations became applicable. That transposition deadline has now passed. In practice, the intensity of supervision and enforcement is increasing progressively — active audits, inspections, and regulatory scrutiny are expected to intensify throughout 2025 and 2026 as national competent authorities operationalise their oversight programmes. If your organisation is in scope, the time to achieve a defensible compliance position is now, not once enforcement ramps up.

What makes NIS 2 different from earlier cybersecurity guidance is where it places responsibility. Under Article 20, management bodies — boards and senior leadership — must formally approve the organisation's cybersecurity risk-management measures and oversee their implementation. They are also required to complete cybersecurity training. Member states must ensure that these individuals can be held personally liable under national law for failures to discharge these duties. For Essential Entities specifically, Article 32 gives national authorities the power, as a measure of last resort following persistent non-compliance, to seek a temporary ban on a senior manager exercising their executive role. Cybersecurity is now a governance matter, not solely an IT function.

Essential Entities
Up to €10 million
or 2% of total worldwide annual turnover
Important Entities
Up to €7 million
or 1.4% of total worldwide annual turnover

These figures were deliberately modelled on the GDPR enforcement regime — the EU applying the same mechanism that succeeded in making data privacy a boardroom priority.

Beyond the financial consequences, the directive's supply chain provisions create a secondary compliance effect. In-scope organisations are legally required to assess the cybersecurity posture of their direct suppliers. That pressure is already flowing downstream — companies outside the directive's scope are finding that their in-scope customers now require demonstrable security standards as a condition of continuing the relationship.

What NIS 2 Actually Requires (and How It Differs from What Came Before)

The NIS 2 Directive is the European Union's primary legislation for cybersecurity resilience. It replaces the original 2016 NIS Directive, which was widely criticised for producing inconsistent outcomes — a company in one member state might be classified as a critical operator whilst a nearly identical company across the border was not. NIS 2 eliminates that inconsistency by directly specifying which sectors are in scope and setting a clear size threshold.

The directive works through four interconnected obligations:

Risk management

In-scope organisations must adopt a systematic, all-hazards approach to cybersecurity — identifying risks, implementing proportionate controls, and reviewing them continuously. Article 21 sets out ten baseline security measures that form the minimum acceptable standard.

Corporate accountability

Management bodies must approve and oversee cybersecurity risk-management measures. Board members and senior executives are legally required to undergo cybersecurity training. Personal liability applies to individuals responsible for ensuring compliance, where they are found to have failed to discharge their duties. The precise standard is determined by each member state's national law.

Incident reporting

Significant incidents must be reported to the national competent authority on a strict timetable: an early warning within 24 hours, a detailed notification within 72 hours, and a final report within one month.

Business continuity

Organisations must have documented plans for maintaining essential services during and after a cyber incident — including backup management, disaster recovery, and crisis management procedures.

The directive does not prescribe exact technical implementations. What it requires is that organisations can demonstrate a coherent, documented, proportionate approach to each of these areas. That is both the challenge and the opportunity — there is flexibility in how you comply, but no ambiguity about whether you must.

Who Needs to Comply with NIS 2

The first question is whether your organisation falls within the directive's scope. NIS 2 applies to medium-sized and large organisations operating in the sectors listed below. The general size thresholds are:

  • Large entities: 250 or more employees, or annual turnover exceeding €50 million and a balance sheet above €43 million.
  • Medium-sized entities: 50 or more employees, or annual turnover exceeding €10 million or a balance sheet above €10 million.

Certain categories are in scope regardless of size — including providers of public electronic communications networks, trust service providers, and top-level domain name registries.

Essential Entities

Annex I
  • Energy
  • Transport
  • Banking
  • Financial Market Infrastructures
  • Healthcare
  • Drinking Water
  • Wastewater
  • Digital Infrastructure
  • ICT Service Management (B2B)
  • Public Administration
  • Space

Important Entities

Annex II
  • Postal and Courier Services
  • Waste Management
  • Chemicals
  • Food Production
  • Manufacturing (medical devices, computers, electronics, machinery, vehicles)
  • Digital Providers (online marketplaces, search engines, social networks)
  • Research

The Core NIS 2 Requirements Under Article 21

Article 21 of the directive specifies ten baseline security measures that all in-scope organisations must implement. These are not optional — they are the minimum floor of compliance. Your organisation must be able to demonstrate that each area is addressed through documented policies, implemented controls, and evidence of ongoing operation.

Risk analysis and information system security policies.

Formal, documented policies for assessing risks and securing your information systems.

Incident handling.

A documented plan for preventing, detecting, analysing, containing, and responding to cybersecurity incidents.

Business continuity and crisis management.

Concrete plans for backup management, disaster recovery, and crisis management to maintain services during an incident.

Supply chain security.

Assessment of the cybersecurity risks posed by your direct suppliers and service providers, with appropriate contractual requirements.

Security in network and information systems acquisition, development, and maintenance.

Policies for vulnerability handling and embedding security across your systems' lifecycle.

Effectiveness assessment.

A process for regularly testing and evaluating your cybersecurity risk-management measures — through penetration testing, audits, or continuous assessment.

Cyber hygiene and cybersecurity training.

Fundamental security practices and regular, ongoing training for all staff, including management.

Cryptography and encryption policies.

Clear policies governing the use of cryptography to protect data at rest and in transit.

Human resources security, access control, and asset management.

Secure HR processes, least-privilege access control, and a maintained inventory of critical assets.

Multi-factor authentication.

Deployment of MFA or continuous authentication solutions, and secure communications channels, wherever appropriate.

All in-scope entities must be able to demonstrate implementation of each area.

A Structured Path from Current State to Documented, Defensible Compliance

NIS 2 compliance is not a one-time project. It is an ongoing state that your organisation must maintain and demonstrate. Our role is to get you there efficiently, and to leave you with the governance structures to stay there.

Here is how we work:

Phase 1 — Scoping and Applicability Assessment

The starting point is often not obvious. We determine definitively whether your organisation is in scope, which category (Essential or Important) applies, and which national authority you report to. For organisations operating across multiple EU member states, this analysis is particularly important — jurisdiction and reporting obligations are not always straightforward.

What you get:
Applicability determinationEntity classificationCompetent authority identification

Phase 2 — Gap Analysis

This is the diagnostic phase. We assess your current security measures, policies, and processes against every NIS 2 requirement. This involves structured stakeholder interviews, review of existing documentation, and technical assessment where appropriate.

What you get:
NIS 2 gap analysis reportRisk-prioritised findingsEvidence of due diligence

Phase 3 — Risk Assessment and Roadmap

With gaps identified, we translate them into business risks and build a practical plan to close them. The roadmap is specific to your organisation's resources, priorities, and operational context — not a generic checklist. For organisations that need to secure executive buy-in and budget approval, we produce an Executive Briefing suitable for presentation to the board.

What you get:
Formal risk assessmentPrioritised action planExecutive Briefing

Phase 4 — Implementation Support

We provide hands-on support through the implementation phase: drafting and refining policies and governance structures, advising on technical controls including multi-factor authentication and encryption, and building out your supply chain security programme — including contractual requirements and supplier assessment processes. We also develop and deliver cybersecurity training: awareness training for all staff, and dedicated workshops for management bodies to ensure they meet their legal training obligation under the directive.

What you get:
Governance policies and proceduresStaff awareness trainingSupply chain security programme

Phase 5 — Testing, Validation, and Ongoing Support

Compliance is not a state you achieve once — it is one you maintain. We design and run tabletop exercises and crisis simulations to test your incident response and business continuity plans before a real incident does. We prepare your organisation for regulatory oversight, ensure your documentation is current and coherent, and help you implement monitoring processes that flag when something drifts out of compliance. For organisations that also need or already hold ISO 27001 certification, we integrate the two programmes wherever controls overlap — avoiding duplicated effort and maximising the return on your compliance investment.

What you get:
Tabletop exercises and crisis simulationsRegulatory oversight readinessOngoing compliance monitoring

An Expert Team That Understands the Full Regulatory Picture

  • We understand the regulatory context. Our consultants work across ISO 27001, DORA, and NIS 2. Where these frameworks overlap, we avoid duplication and maximise your compliance investment.
  • We speak to management, not just IT. NIS 2 places direct accountability on leadership. We prepare your board and senior team to understand and discharge their legal obligations under Article 20.
  • We stay with you beyond the initial project. Compliance is not a state you achieve once. We build the monitoring and governance structures your organisation needs to maintain it.
★★★★★

"HEIC LTD made the implementation of ISO 27001 easy and understandable. They explained everything clearly, guided us step by step, and we passed the audit with an excellent score. As a result, we now have a stable risk management framework and a stronger information security culture. The certificate itself helps us with our customers, as we work in a very conservative and demanding industry. I have already recommended HEIC LTD to colleagues from other companies."

NIS 2 Compliance FAQ

The NIS 2 Directive (Directive (EU) 2022/2555) is the European Union's primary cybersecurity legislation, replacing the original 2016 NIS Directive. It requires organisations in critical and important sectors across all EU member states to implement robust cybersecurity risk-management measures, maintain incident reporting obligations, and establish governance structures that hold senior management accountable. It entered into force on 16 January 2023, with member states required to transpose it into national law by 17 October 2024.

In general, medium-sized and large organisations operating in one of the 18 sectors listed in the directive must comply. Medium-sized means 50 or more employees or annual turnover above €10 million. Large means 250 or more employees or turnover above €50 million. Some categories — such as trust service providers and public communications network operators — are in scope regardless of size. Organisations outside the directive's scope may still face indirect compliance pressure if their customers are in-scope entities.

Article 21 of the directive sets out ten baseline measures: risk analysis and security policies; incident handling; business continuity and crisis management; supply chain security; security in systems acquisition and maintenance; effectiveness assessment; cyber hygiene and staff training; cryptography and encryption policies; human resources security and access control; and multi-factor authentication. All in-scope entities must be able to demonstrate implementation of each area.

For significant incidents, the directive imposes a three-stage reporting process. An early warning must be submitted within 24 hours of becoming aware of the incident. A more detailed notification, including an initial severity assessment, is required within 72 hours. A comprehensive final report — covering root cause, mitigation measures, and lessons learned — is due within one month.

Both categories must implement the same security measures and reporting obligations. The distinction is in how they are supervised. Essential Entities face proactive supervision — national authorities actively and regularly review their compliance through inspections, audits, and information requests. Important Entities face reactive supervision — oversight is typically triggered only by an incident or evidence of non-compliance. Essential Entities are also subject to higher maximum penalties.

Yes, with important nuance. Under Article 20 of the directive, management bodies must formally approve and oversee cybersecurity risk-management measures and are required to complete cybersecurity training. Member states must ensure personal liability can be applied to individuals responsible for these duties under national law. For Essential Entities, Article 32 gives national authorities the power — as an escalation measure after other enforcement actions have proven ineffective — to seek a temporary ban on a senior executive from exercising their managerial role. For Important Entities, this specific escalation measure does not apply, though personal liability under national law still does. The practical implication is the same: cybersecurity is now a board-level governance responsibility, not something that can be fully delegated.

For Essential Entities, the directive requires member states to provide for fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher. For Important Entities, the maximum is up to €7 million or 1.4% of global turnover. In addition to financial penalties, authorities can issue binding orders, require mandatory security audits, and hold senior management personally accountable.

The two frameworks complement each other significantly. ISO 27001 certification demonstrates that your organisation has a structured, audited information security management system in place — which addresses many of the risk management, governance, and control requirements that NIS 2 mandates. Organisations that have already implemented ISO 27001 are typically much better positioned for NIS 2 compliance and can often achieve it with considerably less additional effort. The reverse is also true: the work done for NIS 2 compliance creates a strong foundation for pursuing ISO 27001 certification.

It depends on where your organisation is starting from. An organisation with existing security policies, documented risk processes, and some governance structures in place can typically reach a defensible compliance position within three to six months. Organisations with little existing documentation or governance overhead may need six to twelve months. The timeline is heavily influenced by internal resource availability and decision-making speed.

Yes, in principle. The directive applies to any organisation that provides services within the EU in a covered sector and meets the size criteria, regardless of where it is incorporated. If a company based outside the EU provides services to EU customers in a covered sector, it is likely within scope and may need to designate an EU representative.

Ready to Get Your NIS 2 Compliance in Order?

Talk to one of our experts about your organisation's situation. We'll give you an honest picture of your obligations, where you stand, and what it takes to get compliant.

Speak to an Expert

Speak to an Expert

We'll get back to you within one business day.

We respect your privacy. No spam, ever.