The NIS2 Directive is the European Union’s updated cybersecurity framework, designed to improve cyber resilience across critical sectors. Building on its predecessor, the Network and Information Systems (NIS) Directive, NIS2 significantly expands its scope to include industries such as healthcare, manufacturing, energy, transport and managed services. NIS2 also introduces stricter cybersecurity requirements, direct accountability for senior management and defined incident reporting timelines. Organisations operating within the EU must not only understand these obligations but also implement concrete security measures to meet compliance requirements.
Key takeaways
- NIS2 is the EU’s updated cybersecurity framework, introducing stricter requirements, broader sector coverage and increased executive accountability for organisations operating in the EU.
- NIS2 superseded the original NIS because the original framework could not keep pace with modern ransomware, supply chain attacks and advanced cyber threats targeting critical infrastructure.
- NIS2 applies mainly to medium and large organisations operating in covered sectors; however, some entities must comply regardless of their size due to the critical nature of their services.
- Article 21(2) lists the ten minimum security measures organisations must implement, ranging from risk analysis and incident handling to supply chain security and multi-factor authentication; this article groups them into seven areas.
- Common NIS2 compliance gaps include inconsistent MFA enforcement, poor supplier visibility and weak Privileged Access Management (PAM).
- The consequences of non-compliance can include fines of up to €10,000,000 or 2% of global annual turnover (whichever is higher) for essential entities, alongside mandatory reporting obligations: an early warning within 24 hours and an incident notification within 72 hours of becoming aware of a significant incident, followed by a final report within one month of that notification.
Why NIS2 replaced the original NIS Directive
The original NIS Directive covered a narrower set of operators of essential services and digital service providers, left much of the detail to member states and was transposed inconsistently across the EU, which limited its effectiveness; its incident reporting obligations in particular set no harmonised deadlines. NIS2 expands coverage across the sectors listed in Annexes I and II, sets fixed incident reporting timelines and places accountability on management bodies, which must approve and oversee the cybersecurity risk-management measures and can be held liable for infringements under national law. This shift represents a move from minimum security requirements to a more proactive approach to cyber resilience.
Who is required to comply with NIS2?
NIS2 categorises organisations into two main groups: essential entities and important entities. Both must comply with NIS2’s cybersecurity and reporting obligations, though essential entities face more demanding supervision and potentially harsher penalties.
In general, NIS2 applies to medium and large organisations operating in covered sectors. NIS2 uses the EU SME definition (Commission Recommendation 2003/361/EC): an organisation counts as at least medium-sized if it employs 50 or more people, or if both its annual turnover and its annual balance sheet total exceed €10,000,000. The headcount test is sufficient on its own, so an entity with fewer than 50 staff can still be in scope when it exceeds both financial thresholds. The sectors covered by NIS2 span diverse industries, including healthcare, manufacturing, banking and financial market infrastructures, energy, transport, water, digital infrastructure, space and waste management.
Size alone does not determine NIS2’s scope. Some entities fall within scope regardless of size because of the critical nature of their services, for example trust service providers, top-level domain name registries and DNS service providers, or an entity that is the sole provider in a member state of a service essential for critical societal or economic activities. For organisations operating across multiple EU member states, NIS2 is enforced at the national level, so compliance requirements may vary depending on how each country has transposed NIS2 into national law.
7 security measures organisations need for NIS2 compliance
Article 21(2) of NIS2 lists ten minimum measures, from risk analysis and incident handling through supply chain security, vulnerability handling, cyber hygiene and training, cryptography, access control and asset management, to multi-factor or continuous authentication. They broadly reflect what a well-run security programme should look like, but many organisations struggle with implementation because the directive is written as legal text rather than as engineering requirements. This guide groups the ten measures into the seven areas below.
1. Risk management
Under NIS2, organisations must establish an ongoing risk management process instead of relying on one-off assessments. Organisations must continuously identify where their security vulnerabilities lie, assess the potential damage those risks could cause and address them regularly. This means conducting frequent risk assessments, maintaining documented mitigation plans and continuously monitoring activity to catch new threats. Ultimately, someone in an organisation must be held accountable for each identified risk and responsible for mitigating it.
2. Incident response capability
NIS2 requires organisations to maintain formal incident response procedures before a security incident occurs to prevent chaos from ensuing during one. This means having a documented incident response plan with defined responsibilities and eliminating ambiguity about who should do certain tasks. Equally important as creating clear plans is testing them. For example, if ransomware is detected across part of an organisation’s network in the middle of the night, the difference between containing the incident and experiencing a major outage may come down to whether a team has rehearsed the process.
3. Business continuity
NIS2 expects organisations to maintain resilience during and after cyber incidents, covering backup and recovery processes, accessible data storage in the event of a system compromise and the ability to restore systems within defined timeframes. Disaster recovery planning should define clear recovery time objectives, addressing how long an organisation can realistically afford to suffer operational disruption. Regular resilience testing ensures those plans work in practice, and, where operationally appropriate, redundancy across critical systems and infrastructure adds another layer of protection. At the centre of business continuity is the need to secure credentials and access connected to critical systems because recovery becomes much more challenging when the keys to infrastructure are among the assets that have been compromised.
4. Supply chain security
NIS2 places significant emphasis on third-party risk management. NIS2 makes clear that organisations are responsible for managing risks introduced by vendors, service providers and suppliers. With visibility at the forefront, organisations need to know which third parties have access to systems, what level of access they hold and whether suppliers maintain appropriate security controls. Vendor risk assessments, access reviews and ongoing monitoring should become standard operational processes. Modern supply chain attacks have demonstrated that third-party exposure can quickly become a severe organisational risk.
5. Access control and identity management
Organisations must be able to control who has access to their systems and what they can do with that access to reduce the attack surface. As part of NIS2’s core requirements, the Principle of Least Privilege (PoLP) should guide how access is granted, with users and systems gaining access only to what’s needed. Role-Based Access Controls (RBAC) provide the structure to enforce this consistently at scale, and user lifecycle management helps address dormant or orphaned accounts that can become exploitable security vulnerabilities in the future. This is especially important for privileged accounts, specifically since administrators and service accounts with privileged access are valuable targets. PAM, combined with strong credential security across an organisation, helps ensure these accounts are secured, monitored and audited.
6. Encryption and cryptography
Even the most well-prepared organisations can experience a data breach, and encryption plays a role in determining how much damage a breach actually causes. NIS2 expects organisations to encrypt data both at rest and in transit, protect credentials and sensitive information and use secure cryptographic standards. While NIS2 does not prescribe a specific encryption architecture, zero-knowledge encryption goes beyond the baseline requirements and can provide meaningful additional protection for organisations handling sensitive credentials and data. In a zero-knowledge environment, data is encrypted and decrypted at the device level, meaning not even the service provider can access it.
7. MFA and secure authentication
Since compromised credentials are one of the most common entry points for cybercriminals, NIS2 requires organisations to use multi-factor or continuous authentication solutions. Enforcing Multi-Factor Authentication (MFA) adds a verification step that limits the impact of a stolen password, but not all factors are equal: one-time codes and push approvals can still be phished or approved by a fatigued user. Wherever possible, organisations should enable phishing-resistant passwordless methods such as FIDO2/WebAuthn passkeys, which are bound to the legitimate site’s origin and cannot be relayed through a look-alike login page. These controls make it much more difficult for cybercriminals to gain unauthorised access and significantly reduce the impact of compromised credentials.
Organisations looking for practical next steps can explore our guide on how organisations can prepare for NIS2 effectively.
Common NIS2 compliance gaps organisations face
Most organisations already have some security controls in place, but operational weaknesses often prevent full compliance with the NIS2 Directive. Both failing to understand the directive and failing to implement its requirements expose organisations to enforcement action.
Incomplete MFA enforcement
Many organisations deploy MFA inconsistently. Interactive user accounts may be protected while legacy systems, VPN or remote-access gateways, service accounts and administrative interfaces still rely on passwords alone. Partial MFA coverage leaves exploitable entry points: an attacker who obtains one password for an unprotected privileged or remote-access path bypasses the MFA enforced everywhere else.
Poor supplier visibility
NIS2’s supply chain requirements reveal an unfortunate truth for many organisations: They don’t have a clear understanding of who has access to their environments or what risks third parties introduce. Vendor access is frequently overprovisioned yet rarely reviewed. Without full visibility, organisations cannot effectively manage third-party risks under NIS2.
Weak privileged access controls
Privileged accounts are some of the highest-risk assets in any organisation, but the controls around them are often very weak. Shared administrative credentials and standing privileges remain common, but they increase the attack surface and the risk of credential misuse. NIS2 expects stronger governance around privileged access, session monitoring and auditing.
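The three gaps above are found the same way in practice: by pulling an inventory of accounts from the identity provider, VPN and privileged systems and checking each one against a few rules. The following is an added example, not code from Keeper or from the directive, that runs such a check over a constructed inventory. It assumes a 90-day dormancy threshold and treats "vpn" and "rdp-gateway" as remote-access paths; both are illustrative choices, and the account names and dates are made up.

```python
"""Access-hygiene audit over a constructed account inventory (added example).

Flags the three compliance gaps discussed above: missing MFA (weighted higher
on privileged and remote-access accounts), dormant or orphaned accounts, and
third-party accounts holding standing privileged access.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Sequence, Tuple

# Assumption: an account unused for 90 days is treated as dormant.
DORMANT_AFTER = timedelta(days=90)
# Assumption: these access paths count as remote access for severity weighting.
REMOTE_PATHS = {"vpn", "rdp-gateway"}

Finding = Tuple[str, str, str]  # (account, gap, severity)


@dataclass
class Account:
    name: str
    owner_active: bool              # False once the human owner has left
    privileged: bool                # admin rights or equivalent standing privilege
    mfa_enabled: bool
    last_login: Optional[datetime]  # None if the account has never signed in
    third_party: bool = False       # supplier / MSP account
    access_paths: Tuple[str, ...] = ()
    vendor_contract_active: bool = True


def audit_accounts(accounts: Sequence[Account], now: datetime) -> List[Finding]:
    """Return one finding per (account, gap) pair; severity is high where the
    gap sits on a privileged, remote-access or ownerless account."""
    findings: List[Finding] = []
    for a in accounts:
        if not a.mfa_enabled:
            remote = bool(REMOTE_PATHS & set(a.access_paths))
            findings.append((a.name, "no_mfa", "high" if (a.privileged or remote) else "medium"))
        if a.last_login is None or now - a.last_login > DORMANT_AFTER:
            findings.append((a.name, "dormant", "medium"))
        if not a.owner_active or (a.third_party and not a.vendor_contract_active):
            findings.append((a.name, "orphaned", "high"))
        if a.third_party and a.privileged:
            findings.append((a.name, "third_party_standing_privilege", "high"))
    return findings


def summarise(findings: Sequence[Finding]) -> Dict[str, int]:
    """Count findings per gap type, for the compliance report."""
    return dict(Counter(gap for _, gap, _ in findings))


def high_severity_accounts(findings: Sequence[Finding]) -> List[str]:
    """Accounts needing immediate remediation, de-duplicated and sorted."""
    return sorted({name for name, _, sev in findings if sev == "high"})


# Constructed sample inventory; names and dates are illustrative only.
NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)
SAMPLE_ACCOUNTS = [
    Account("alice.admin", owner_active=True, privileged=True, mfa_enabled=True,
            last_login=NOW - timedelta(days=1)),
    Account("svc-backup", owner_active=True, privileged=True, mfa_enabled=False,
            last_login=NOW - timedelta(days=2), access_paths=("legacy-erp",)),
    Account("bob", owner_active=True, privileged=False, mfa_enabled=False,
            last_login=NOW - timedelta(days=5), access_paths=("vpn",)),
    Account("carol", owner_active=True, privileged=False, mfa_enabled=True,
            last_login=NOW - timedelta(days=120)),
    Account("dave.leaver", owner_active=False, privileged=False, mfa_enabled=True,
            last_login=NOW - timedelta(days=200)),
    Account("vendor-msp", owner_active=True, privileged=True, mfa_enabled=True,
            last_login=NOW - timedelta(days=3), third_party=True),
    Account("vendor-old", owner_active=True, privileged=False, mfa_enabled=False,
            last_login=None, third_party=True, vendor_contract_active=False),
]

if __name__ == "__main__":
    results = audit_accounts(SAMPLE_ACCOUNTS, NOW)
    for name, gap, sev in results:
        print(f"{sev:6} {gap:32} {name}")
    print(summarise(results))
    print("remediate first:", high_severity_accounts(results))
```

On the sample data the audit reports nine findings: a privileged service account and a VPN user without MFA, three dormant accounts, two accounts with no valid owner (a leaver and a supplier whose contract has ended) and one supplier account with standing administrative rights. The point of the severity weighting is the one made under "Incomplete MFA enforcement": a missing factor on a privileged or remote-access path is the finding to fix first.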
NIS2 incident reporting timelines
NIS2 introduces structured reporting obligations following significant cybersecurity incidents. Organisations are expected to follow a set, multi-stage process from the moment they become aware of a significant incident:
- Within 24 hours of becoming aware of the incident: Submit an early warning to the national CSIRT or competent authority, indicating whether the incident is suspected to have been caused by unlawful or malicious acts and whether it could have a cross-border impact.
- Within 72 hours of becoming aware of the incident: Submit an incident notification that updates the early warning and gives an initial assessment of the incident’s severity and impact, including any indicators of compromise available at that point.
- Within one month of submitting the incident notification: Submit a final report with a detailed description of the incident, its severity and impact, the type of threat or root cause likely to have triggered it, the mitigation measures applied or still ongoing and, where relevant, its cross-border impact. If the incident is still ongoing at that point, a progress report is submitted instead and the final report follows within one month of the incident being handled. Authorities may also request an intermediate status update at any time.
To meet these deadlines, organisations need to monitor and log security incidents as they happen rather than struggle to develop an accurate timeline of events after the fact. Ultimately, NIS2 compliance requires organisations to establish mature cybersecurity practices, enhance operational resilience and maintain full visibility across users and systems to reduce security risks.
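Because the final-report clock starts from the incident notification rather than from awareness, and "one month" crosses month boundaries of different lengths, it is worth computing the deadlines rather than estimating them during an incident. The following is an added example, not code from Keeper or from the directive, that derives the three deadlines from the awareness timestamp and reports which submissions are done, due or overdue. It assumes that "one month" is a calendar month (the same day of the following month, clamped to month end), that national transposition does not shorten these periods, and that all timestamps are timezone-aware; the `utc()` helper and sample timestamps are illustrative.

```python
"""NIS2 significant-incident reporting deadlines (added example).

Derives the Article 23 deadlines from the moment of awareness. Assumptions:
"one month" means a calendar month, clamped to the last day of the target
month; the final-report clock starts when the 72-hour incident notification
is actually submitted; timestamps are timezone-aware (UTC here).
"""
import calendar
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

EARLY_WARNING = timedelta(hours=24)
INCIDENT_NOTIFICATION = timedelta(hours=72)


def utc(iso: str) -> datetime:
    """Illustrative helper: parse 'YYYY-MM-DDTHH:MM' as a UTC timestamp."""
    return datetime.fromisoformat(iso).replace(tzinfo=timezone.utc)


def add_months(ts: datetime, months: int) -> datetime:
    """Calendar-month arithmetic: 31 Jan + 1 month -> 29 Feb in a leap year."""
    index = ts.month - 1 + months
    year, month = ts.year + index // 12, index % 12 + 1
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


def reporting_deadlines(aware_at: datetime,
                        notification_submitted_at: Optional[datetime] = None) -> Dict[str, datetime]:
    """Deadlines keyed by report type. Until the incident notification has been
    submitted, its own 72-hour deadline is used as the latest possible start of
    the one-month final-report clock."""
    if aware_at.tzinfo is None:
        raise ValueError("aware_at must be timezone-aware")
    notification_deadline = aware_at + INCIDENT_NOTIFICATION
    final_clock_start = notification_submitted_at or notification_deadline
    return {
        "early_warning": aware_at + EARLY_WARNING,
        "incident_notification": notification_deadline,
        "final_report": add_months(final_clock_start, 1),
    }


def deadline_status(aware_at: datetime, now: datetime,
                    submitted: Dict[str, datetime]) -> Dict[str, str]:
    """'done', 'done-late', 'due' or 'overdue' for each report, given the
    submission timestamps recorded so far."""
    deadlines = reporting_deadlines(aware_at, submitted.get("incident_notification"))
    status: Dict[str, str] = {}
    for report, due in deadlines.items():
        if report in submitted:
            status[report] = "done" if submitted[report] <= due else "done-late"
        else:
            status[report] = "overdue" if now > due else "due"
    return status


if __name__ == "__main__":
    # Constructed scenario: awareness late on 31 January of a leap year.
    aware = utc("2024-01-31T10:00")
    for report, due in reporting_deadlines(aware).items():
        print(f"{report:22} {due.isoformat()}")
    print(deadline_status(aware, utc("2024-02-02T12:00"),
                          {"early_warning": utc("2024-01-31T20:00")}))
```

Recording the timestamp of each submission, as `deadline_status` expects, is the same discipline as logging the incident as it happens: the evidence for the final report accumulates during the response instead of being reconstructed afterwards.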
How Keeper can help support NIS2 compliance
Meeting NIS2 compliance standards requires a reliable security infrastructure that can enforce granular access controls, protect credentials and provide full visibility to manage risk at scale. Keeper’s zero-knowledge identity security platform supports organisations by consolidating multiple security solutions, including PAM, password management, secrets management, endpoint privilege management and secure remote access. To address several of NIS2’s most demanding requirements, Keeper provides advanced features such as RBAC, MFA enforcement, credential auditing, session monitoring and zero-trust security. Whether you are just starting to address NIS2 measures or are looking to enhance your existing security posture, Keeper gives your organisation the ability to confidently meet NIS2 requirements.
Start your free Keeper trial today and strengthen your organisation’s readiness to meet NIS2 requirements
Frequently asked questions
Does NIS2 apply to non-EU companies?
NIS2 can apply to organisations headquartered outside the EU. The directive generally applies to entities established in the EU, but under Article 26 certain digital service providers, including cloud computing, data centre, content delivery network, managed service and managed security service providers as well as online marketplaces, search engines and social networking platforms, are within scope if they offer services in the EU even when they are not established there, and they must designate a representative in a member state where they offer those services. If your organisation supports EU customers or infrastructure, you should determine whether NIS2 obligations apply.
What happens if a company fails to comply with NIS2?
Non-compliance with NIS2 has significant financial, legal and reputational consequences. Under NIS2, essential entities can face fines of up to €10,000,000 or 2% of global annual turnover (whichever is higher), and important entities can face fines of up to €7,000,000 or 1.4% of global annual turnover (whichever is higher). Authorities may also issue binding instructions, order security audits, require infringements to be made public and, for essential entities, temporarily suspend a certification or authorisation for the relevant services or temporarily prohibit a person at CEO or legal-representative level from exercising managerial functions until the breach is remedied.
Is ISO 27001 enough for NIS2 compliance?
While ISO 27001 demonstrates a strong commitment to information security, it does not cover all requirements necessary for NIS2 compliance. NIS2 introduces specific obligations around incident reporting timelines, supply chain security and management accountability. ISO 27001 can support NIS2 readiness, but organisations generally require additional governance measures to achieve true NIS2 compliance.