NIS2 Compliance Guide for Organisations in Scope (2026)

The NIS2 Directive (EU) 2022/2555 entered into force on 16 January 2023 and Member States had to transpose it into national law by 17 October 2024. If your organisation falls in scope, and more organisations do than realise it, this guide walks through what you actually need to demonstrate: scope determination, the ten minimum security measures, incident reporting, and what supervisors examine.

What is NIS2 and how is it different from NIS1?

NIS2 replaces the original NIS Directive from 2016. The original directive covered a limited set of operators of essential services and digital service providers, and enforcement was widely regarded as inconsistent across Member States. NIS2 is significantly broader in scope, more prescriptive about what security measures are required, and carries much heavier sanctions: administrative fines of up to €10 million or 2% of total worldwide annual turnover, whichever is higher, for essential entities, and up to €7 million or 1.4% for important entities.

Key differences from NIS1:

  • Scope expanded from roughly seven sectors to eighteen, including public administration, postal services, waste management, food production and manufacturing
  • All medium and large entities in covered sectors are automatically in scope (no individual designation needed); a few entity types, such as DNS service providers, TLD name registries, qualified trust service providers and providers of public electronic communications networks or services, are in scope regardless of size
  • Management body is explicitly accountable and can face personal liability
  • Harmonised minimum security measures (Article 21) and incident reporting rules (Article 23) across the EU
  • Supply-chain security is explicitly required, not optional

Are you in scope? Essential vs. important entities

NIS2 introduces two tiers. The difference matters because supervision is stricter for essential entities.

Essential entities (stricter, ex-ante supervision): large entities in the Annex I "sectors of high criticality": energy, transport, banking, financial market infrastructure, health, drinking water, wastewater, digital infrastructure (IXPs, DNS, TLD registries, cloud computing, data centres, CDNs, trust services, electronic communications), ICT service management (business-to-business), public administration at central government level, and space. "Large" follows the EU SME definition (Recommendation 2003/361/EC): 250 or more employees, or annual turnover above €50 million together with a balance sheet total above €43 million. Some entities are essential regardless of size: qualified trust service providers, TLD name registries, DNS service providers and central government public administration entities; medium-sized providers of public electronic communications networks or services are essential as well.

Important entities (ex-post supervision): everything else that is in scope. That means medium-sized entities in the Annex I sectors above, and medium and large entities in the Annex II "other critical sectors": postal and courier services, waste management, manufacture, production and distribution of chemicals, production, processing and distribution of food, manufacturing (medical devices, electronics, electrical equipment, machinery, motor vehicles and other transport equipment), digital providers (online marketplaces, online search engines, social networking platforms), research organisations, and public administration at regional level where the Member State includes it. "Medium" means 50 or more employees, or annual turnover and balance sheet total both above €10 million.

Member States may also bring smaller entities into scope, as essential or important, where the entity is the sole provider in that Member State of a service essential for critical societal or economic activities, where disruption could significantly affect public safety, security or health, where it could induce systemic or cross-border risk, or where the entity is of specific importance at national or regional level. Entities identified as critical under the CER Directive (EU) 2022/2557 are in scope regardless of size.

The ten minimum security measures (Article 21)

Article 21 lists ten categories of security measures that every in-scope entity must implement, proportionate to the risks involved. These are not optional and supervisors will check them.

1. Policies on risk analysis and information system security

  • A documented risk analysis methodology is in place and applied at least annually
  • Security policies cover the organisation's network and information systems and are approved by the management body
  • The risk assessment is linked to the security measures implemented — gaps are documented and tracked

2. Incident handling

  • An incident response process exists with defined roles, escalation paths and communication procedures
  • Staff can identify, classify and escalate security incidents without relying on informal channels
  • Post-incident reviews are conducted for significant incidents and feed back into risk analysis

3. Business continuity, backup management and disaster recovery

  • Business continuity plans and disaster recovery plans are documented and tested at least annually
  • Backup procedures are defined with clear RPO/RTO targets for critical systems
  • Crisis management procedures exist and include communication with authorities and stakeholders

4. Supply chain security

  • The security posture of direct suppliers and service providers is assessed as part of procurement
  • Contractual security requirements are included in supplier agreements for critical services
  • Known vulnerabilities in ICT products and services from suppliers are monitored and addressed

5. Security in network and information systems acquisition, development and maintenance

  • Security requirements are incorporated into development and procurement processes
  • Vulnerability handling and disclosure policies are in place
  • Patch management covers all systems, with prioritisation based on risk

6. Policies and procedures to assess the effectiveness of cybersecurity risk-management measures

  • KPIs or metrics are defined to measure the effectiveness of security measures
  • Independent assessments (internal or external audits, penetration tests) are conducted periodically
  • Management receives regular reporting on the security posture

7. Cybersecurity hygiene practices and cybersecurity training

  • Basic cyber hygiene (patching, MFA, least-privilege, password management, secure configuration) is enforced and documented
  • All staff receive security awareness training at least annually
  • The management body receives training on cybersecurity risks and their governance responsibilities

8. Policies and procedures regarding the use of cryptography

  • A cryptography policy exists covering encryption standards, key management and certificate management
  • Data in transit and at rest is protected according to the policy
  • The policy is reviewed when relevant standards change (e.g. post-quantum transition planning)

9. Human resources security, access control policies and asset management

  • An asset inventory is maintained covering hardware, software, data and critical third-party services
  • Access is granted on a least-privilege basis and reviewed regularly
  • Privileged access is controlled, monitored and time-limited where appropriate
  • Offboarding procedures revoke access promptly

10. Multi-factor authentication (MFA) and secure communications

  • MFA is enforced for all remote access and administrative interfaces
  • Voice, video and text communications used for sensitive information are protected appropriately
  • Emergency communication systems are secured and tested

Incident reporting under NIS2 (Article 23)

An incident is significant under Article 23(3) if it has caused or is capable of causing severe operational disruption of the entity's services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Significant incidents must be reported to the national CSIRT or competent authority in three phases. For DNS, cloud, data centre, CDN, managed (security) service providers, online marketplaces, search engines, social networking platforms and trust service providers, Commission Implementing Regulation (EU) 2024/2690 sets numeric significance thresholds; every other entity needs its own documented criteria.

Reporting timelines:

  • Early warning — within 24 hours of becoming aware of the significant incident. Where applicable it states whether the incident is suspected of being caused by unlawful or malicious acts and whether it could have cross-border impact
  • Incident notification — within 72 hours of becoming aware. It updates the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • Intermediate report — on request of the CSIRT or competent authority, relevant status updates while the incident is being handled
  • Final report — within one month after submitting the incident notification (the clock runs from that submission, not from awareness). It contains a detailed description of the incident including severity and impact, the type of threat or root cause that likely triggered it, the mitigation measures applied and, where relevant, the cross-border impact. If the incident is still ongoing at that point, a progress report is filed instead and the final report follows within one month of the incident being handled

What to have in place before the clock starts:

  • Documented criteria exist for classifying an incident as "significant" under NIS2
  • The competent national authority and CSIRT are identified and contact details are current
  • Report templates for each phase are prepared and stored accessibly, including for the intermediate and progress reports
  • The obligation to notify recipients of the service and, where relevant, the public is covered in the incident response plan
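The reporting clocks are easy to miscount under pressure: the 24 h and 72 h deadlines run from awareness, the one-month deadline runs from the moment the incident notification was actually submitted, and a one-month deadline that starts on the 31st lands in a month that may not have a 31st. The helper below is an added example written for this guide, not part of NIS2 or of any authority's tooling; the class and function names are ours and the timestamps in it are constructed.

```python
"""Deadline calculator for the three-phase NIS2 reporting clock (Article 23(4)).

Timestamps must be timezone-aware. The 24 h and 72 h clocks run from the moment
of awareness; the one-month clock runs from the moment the incident notification
was actually submitted. Example code for this guide, not official tooling.
"""
import calendar
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta


def _to_dt(value):
    """Accept an aware datetime or an ISO 8601 string carrying a UTC offset."""
    dt = datetime.fromisoformat(value) if isinstance(value, str) else value
    if dt.tzinfo is None:
        raise ValueError("timestamps must carry a timezone offset")
    return dt


def add_one_month(ts):
    """Same day of the next month, clamped to that month's last day
    (31 Jan -> 28 Feb in a non-leap year), so a short month never pushes
    the deadline into the month after."""
    year = ts.year + (1 if ts.month == 12 else 0)
    month = 1 if ts.month == 12 else ts.month + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass(frozen=True)
class ReportingDeadlines:
    awareness: datetime
    early_warning: datetime          # awareness + 24 h
    incident_notification: datetime  # awareness + 72 h
    final_report: datetime           # notification submitted + 1 month

    def as_iso(self):
        """All timestamps as ISO 8601 strings, keyed by phase."""
        return {k: v.isoformat() for k, v in asdict(self).items()}

    def overdue(self, now):
        """Phases whose deadline has already passed at `now`, in reporting order."""
        now = _to_dt(now)
        phases = [("early_warning", self.early_warning),
                  ("incident_notification", self.incident_notification),
                  ("final_report", self.final_report)]
        return [name for name, due in phases if now > due]


def reporting_deadlines(awareness, notification_submitted=None):
    """Compute the three deadlines for one significant incident.

    Until the incident notification has actually been submitted, the
    final-report deadline is projected from the latest permitted submission
    time (awareness + 72 h); once submitted, pass that time to get the real one."""
    aware = _to_dt(awareness)
    early = aware + timedelta(hours=24)
    notif = aware + timedelta(hours=72)
    base = _to_dt(notification_submitted) if notification_submitted else notif
    if base < aware:
        raise ValueError("notification cannot predate awareness")
    return ReportingDeadlines(aware, early, notif, add_one_month(base))


if __name__ == "__main__":
    # Constructed scenario: the SOC confirms a significant incident on
    # 31 January 2026 at 10:00 UTC and has not yet filed the notification.
    d = reporting_deadlines("2026-01-31T10:00:00+00:00")
    for phase, due in d.as_iso().items():
        print(f"{phase:22s} {due}")
    print("overdue at 2 Feb 00:00 UTC:", d.overdue("2026-02-02T00:00:00+00:00"))
```

Feed the helper the awareness time your classification criteria produce, not the time the alert fired; supervisors will ask how "awareness" was established. Re-run it with the real notification timestamp once that report is filed, because the projected final-report date will otherwise be later than the binding one.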

Management body accountability

Unlike NIS1, NIS2 explicitly makes management bodies responsible for approving and overseeing the implementation of cybersecurity risk-management measures. Management can face personal liability if the organisation fails to meet its NIS2 obligations. This means:

  • The board or executive management must formally approve the security risk management approach
  • Management members must complete cybersecurity training and maintain sufficient awareness of risks
  • Regular reporting to the management body on the security posture is not optional

The five gaps we see most often

  1. Scope blindness. Many organisations do not know they are in scope until a supervisor tells them. NIS2's automatic size-based threshold means formal designation is no longer a trigger — apply the test yourself.
  2. Supply chain documentation. Article 21(2)(d) explicitly covers supply-chain security. Organisations commonly have contracts with key suppliers but no security assessment and no contractual security requirements.
  3. Management training on paper. Management body awareness is a specific NIS2 requirement. A single briefing slide does not satisfy the expectation — documented training with a record of attendance does.
  4. No classification criteria for significant incidents. Without documented criteria, response teams lose time debating whether to report instead of triggering the 24-hour early warning clock.
  5. Effectiveness assessment. Many organisations have policies and measures but no mechanism to verify they work. NIS2 requires regular effectiveness assessment — this means defined KPIs, audit records and management reporting, not just policies on a shelf.

How SephiraSec can help

SephiraSec offers NIS2 scope assessments, gap analyses mapped to Article 21 and Article 23, incident response planning, supply-chain security reviews and management body briefings. Independent, EU-wide, working in English, German and Romanian.