What is NIS2? A plain-English guide for 2026
NIS2 is the EU's biggest cybersecurity law to date: wider scope, harder requirements, real penalties. Here's what it actually means for your organisation.
NIS2 in one sentence
NIS2 (the Network and Information Security Directive 2, formally Directive (EU) 2022/2555) is the European Union's updated law on cybersecurity. It replaces the original 2016 NIS Directive with far wider scope, stricter risk-management duties, faster incident reporting and meaningful penalties.
It entered into force in January 2023, with an EU transposition deadline of 17 October 2024. Member States have since been writing it into national law, so the precise obligations you face come from your country's implementation.
Why it was introduced
The original NIS Directive was inconsistent across the EU and covered too few organisations for a threat landscape that had moved on. NIS2 widens the net, harmonises the rules, and pushes accountability up to the management level, so cybersecurity is treated as a board responsibility, not just an IT task.
Who does NIS2 cover?
NIS2 splits in-scope organisations into essential entities (Annex I, e.g. energy, transport, banking, financial market infrastructure, health, water, digital infrastructure, public administration) and important entities (Annex II, e.g. postal, waste, chemicals, food, manufacturing, digital providers, research).
As a rule of thumb, medium-sized and larger organisations (50+ staff or more than €10m annual turnover) in those sectors are in scope, though some entities are in scope regardless of size. Both categories face the same core obligations; essential entities are additionally subject to stricter, proactive supervision.
What NIS2 requires
- Governance (Article 20): management bodies must approve and oversee cyber-risk measures, and can be held personally liable.
- Risk-management measures (Article 21): ten minimum measures, from risk analysis and incident handling to supply-chain security and encryption.
- Incident reporting (Article 23): an early warning within 24 hours of becoming aware of a significant incident, an incident notification within 72 hours, and a final report within one month.
- Supply-chain security: assess and manage the risk your suppliers and service providers introduce.
Penalties for getting it wrong
NIS2 gives regulators real teeth. Essential entities can face fines up to €10 million or 2% of global annual turnover, whichever is higher; important entities up to €7 million or 1.4%. Beyond fines, management can be held accountable, and persistent non-compliance can even lead to temporary management bans for essential entities.
How Alexus helps
Most of NIS2 comes down to one hard question: can you prove what you do? Alexus turns the IT operations you already run into continuous Article 21 readiness scoring, ready-to-file Article 23 reports, and a hash-chained audit trail, so evidence is a query, not a quarter-long project.
This article is general guidance, not legal advice. Always confirm your obligations against your national transposition of NIS2.