The Network and Information Security Directive 2 (NIS2) (Directive (EU) 2022/2555) is the EU's updated cybersecurity law. It repeals the original NIS Directive (2016/1148) and aims to raise the common level of cybersecurity across the EU. NIS2 entered into force on 16 January 2023; Member States had to transpose it by 17 October 2024 and apply the national measures from 18 October 2024. Because it is a directive rather than a regulation, the obligations that bind an entity are those in the national transposition, which is why the country-by-country status below matters. The directive broadens the scope to many more sectors and entities than its predecessor, requires Member States to adopt national cybersecurity strategies, risk-management measures and incident reporting processes, and organises cross-border cooperation through the CSIRTs Network and the European cyber crisis liaison organisation network (EU-CyCLONe).
Major changes from NIS 1
The directive broadens the sectoral scope and largely removes national discretion over who is covered: instead of Member States identifying operators one by one, medium-sized and large entities in the listed sectors are in scope automatically under a uniform size-cap rule and are classified as either essential or important entities. It introduces concrete risk-management requirements, prescriptive incident reporting timelines, stronger supervisory powers and significant fines. Management bodies (boards and C-level executives) can now be held personally accountable for cybersecurity compliance.
Governance and accountability (Article 20)
NIS2 places cybersecurity firmly in the boardroom. Management bodies must approve the cybersecurity risk-management measures, oversee their implementation, and follow training themselves (and are expected to offer similar training to employees); members of management bodies may be held personally liable for infringements. Several national laws (e.g., Belgium and Hungary) spell out director liability and allow individuals to be temporarily banned from management positions for serious breaches.
Risk‑management measures (Article 21)
Entities must implement appropriate and proportionate technical, operational and organisational measures, following an all-hazards approach that covers physical as well as cyber threats. Article 21(2) sets a minimum baseline of ten measures: (a) policies on risk analysis and information system security; (b) incident handling; (c) business continuity, including backup management and disaster recovery, and crisis management; (d) supply chain security, including the security aspects of relationships with direct suppliers and service providers; (e) security in the acquisition, development and maintenance of network and information systems, including vulnerability handling and disclosure; (f) policies and procedures to assess the effectiveness of the measures; (g) basic cyber hygiene practices and cybersecurity training; (h) policies on the use of cryptography and, where appropriate, encryption; (i) human resources security, access control policies and asset management; and (j) multi-factor or continuous authentication, secured voice, video and text communications, and secured emergency communication systems where appropriate. Article 21(3) adds that supply-chain measures must take account of the vulnerabilities specific to each direct supplier and of the overall quality of their products and practices. For digital infrastructure and digital service providers (DNS, TLD registries, cloud, data centre, CDN, managed service and managed security providers, online marketplaces, search engines, social networking platforms and trust service providers) the Commission has already fixed the technical detail of these measures in Implementing Regulation (EU) 2024/2690, which applies to them directly.
Reporting and registration obligations (Articles 23 & 27)
Entities must notify their CSIRT or competent authority of any "significant incident", meaning one that has caused or is capable of causing severe operational disruption or financial loss, or that has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Article 23 fixes a strict timeline: an early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be caused by unlawful or malicious action and whether it could have cross-border impact; an incident notification within 72 hours, updating the early warning with an initial assessment of severity and impact and any indicators of compromise available; intermediate status updates on request of the CSIRT or authority; and a final report within one month of the incident notification (or a progress report, followed by a final report within one month of the incident being handled, if it is still ongoing). Recipients of the entity's services who may be affected by a significant cyber threat must also be told without undue delay of any measures or remedies they can take. Where personal data is involved, the 72-hour GDPR breach notification runs in parallel, so incident playbooks should track both clocks.
Article 3(4) requires each Member State to compile a list of its essential and important entities (the first lists were due by 17 April 2025). Entities must provide their name, address and up-to-date contact details, IP ranges, sector and subsector, and, where applicable, the Member States in which they provide services, and must notify changes within two weeks. Article 27 adds a separate registry, kept by ENISA, for cross-border digital entities (DNS service providers, TLD name registries, domain name registration services, cloud computing, data centre, CDN, managed service and managed security service providers, online marketplaces, search engines and social networking platforms); these register through their national competent authority and must report changes within three months. A cloud or managed security provider may therefore appear in both its national list and the ENISA registry.
Supervisory and enforcement powers
NIS2 gives national authorities power to conduct on-site inspections, regular and targeted audits and security scans, to request evidence and information, to issue binding instructions and warnings, to order corrective actions and to impose fines. The intensity differs by entity class: essential entities face both ex ante and ex post supervision, while important entities are supervised ex post only, on evidence or indication of non-compliance. Penalties can reach up to €10 million or 2 % of total worldwide annual turnover, whichever is higher, for essential entities and €7 million or 1.4 % for important entities. As a last resort against essential entities, authorities may temporarily suspend a certification or authorisation and temporarily prohibit the CEO or legal representative from exercising managerial functions, and management bodies may face personal liability.
EU‑level cooperation and monitoring
The directive strengthens cross-border collaboration. The Computer Security Incident Response Teams (CSIRTs) Network facilitates information sharing and joint response to incidents, while EU-CyCLONe coordinates the management of large-scale cyber crises. ENISA maintains the European vulnerability database (Article 12), compiles the Article 27 registry and publishes guidance on roles, skills and technical implementation. This EU-level coordination is intended to harmonise supervision and reduce fragmentation across the EU.
Member States had to transpose NIS2 by 17 October 2024, but implementation has been uneven. As of mid‑2025, sixteen EU and EEA countries have adopted national laws, while others are still drafting or consulting. The European Commission has launched infringement procedures against states that failed to meet the deadline.
The table below summarises the status (as of mid‑2025) and highlights notable national specifics. Countries not listed remain in draft stages or have yet to publish legislation.
| Country | Implementation status & enforcement timeline | National specifics / deviations |
|---|---|---|
| Austria | Draft law (Network and Information Security Act) submitted to Parliament; adoption expected Q3–Q4 2025. | Draft under revision after negative feedback; details unclear. |
| Belgium | Law of 26 Apr 2024; Royal Decree of 9 Jun 2024; in force since 18 Oct 2024. | Scope mirrors NIS2 but can be expanded by royal decree; mandatory Coordinated Vulnerability Disclosure (CVD) policy; presumption of compliance via ISO/IEC 27001 certification or the Belgian CyberFundamentals (CyFun) framework with third-party assessment. |
| Croatia | Cyber Security Act in force since 15 Feb 2024. | Awaiting sectoral notices to businesses; compliance deadlines vary by entity type. |
| Denmark | General act and sector-specific laws published; general act enters into force 1 Jul 2025. | Sectoral approach (separate telecom, energy and finance laws); concerns about insufficient guidance and harmonisation. |
| Estonia | Amended Cybersecurity Act enters into force 1 Jul 2025. | |
| Finland | Cybersecurity Act 124/2025 in force since 8 Apr 2025. | Centralised supervision by Traficom; transposition largely aligns with NIS2. |
| France | Draft law ("Resilience of Critical Infrastructures and the Strengthening of Cybersecurity") submitted; Senate adopted the text on 12 Mar 2025, still pending in the National Assembly; adoption expected late 2025. | The government plans to bundle NIS2 with other regulations (e.g., DORA, CER) into a single Resilience Act. Estimated 10,000–15,000 entities in scope; details of self-registration to be specified in decrees. |
| Germany | Draft NIS2 law published May 2024; adoption expected Q3–Q4 2025. | Includes a "negligible activity" carve-out allowing companies to exclude minor business activities from scope; municipalities are outside the federal law (the Länder legislate for their own administrations); self-assessment tool planned; concerns over multiple supervisory authorities and short implementation timelines. |
| Greece | Law 5160/2024 in force since 27 Nov 2024. | |
| Hungary | Cybersecurity Act in force since 1 Jan 2025. | Unified cybersecurity framework across public and private sectors; cybersecurity audits every two years and NIST SP 800-53-aligned measures; national risk register used to classify entities. |
| Italy | Legislative Decree 138/2024 in force since 26 Oct 2024. | Entities had to register by 1 Apr 2025 and must appoint a cybersecurity manager by 1 Oct 2025; Italian branches of international groups may be subject to Italian rules; public hospitals and schools are included. |
| Latvia | National Cybersecurity Law in force since 1 Sep 2024. | Many aspects defined through implementing acts; self-registration deadline 28 Feb 2025; incident reporting requirements apply from 1 Jan 2026. |
| Lithuania | Law No. XII-1428 (as amended in 2024) in force since 18 Oct 2024. | Broader ex-ante supervision of public administration; data residency requirements for government-owned entities. |
| Malta | Legal Notice 71 of 2025 issued Apr 2025; enforcement date pending ministerial announcement. | Centralised supervision (MITA/CIPD). |
| Netherlands | Draft Cybersecurity Act under preparation; adoption expected Q4 2025; enforcement likely Q1–Q2 2026. | Sector-specific ministries responsible, raising concerns about harmonised application. |
| Poland | Draft amendments to the National Cyber Security System Act published; vote expected Q4 2025, enforcement in early 2026. | One of the most restrictive drafts: proposes using the EU 5G Toolbox high-risk vendor mechanism to exclude vendors across 18 sectors; introduces audits every two years and executive liability. |
| Romania | Government Emergency Ordinance 155/2024 in force since 31 Dec 2024. | Entities must self-register; the National Cybersecurity Directorate (DNSC) decides whether they are essential (within 60 days) or important (within 150 days); evaluation methodology inspired by Belgium; approx. 12,000 companies expected in scope. |
| Slovakia | Cybersecurity Act amended; in force since 1 Jan 2025. | Sector-specific enforcement bodies coordinated by the National Security Authority. |
| Slovenia | Information Security Act (ZInfV-1) in force since 19 Jun 2025. | The act emphasises multi-stakeholder governance and detailed supply-chain security models. |
Common trends and divergences
NIS2 is no longer a future requirement — it is an operational reality with real enforcement, personal accountability, and strict reporting timelines. For many organisations, the challenge is not understanding the directive, but turning it into working processes, technical controls, and audit-ready evidence across multiple jurisdictions.
Q-Sec helps European organisations move from regulatory uncertainty to defensible compliance. We combine deep NIS2 expertise with hands-on security operations — from applicability and gap assessments to incident-reporting workflows, log monitoring, evidence repositories, and ongoing assurance. Our teams work directly inside your environment to ensure every requirement is implemented, verified, and ready to stand up to supervisory scrutiny.
Whether you are just confirming your NIS2 scope, preparing for registration, or building the capability to meet 24-hour and 72-hour reporting obligations, Q-Sec provides a clear path forward — without overengineering or disrupting your operations.
Talk to our NIS2 specialists to understand where you stand, what regulators will expect from you, and how to get there with confidence.
Get in touch to start your NIS2 readiness journey →
Prepared using information from EU legislative sources and legal updates available as of November 13, 2025. Laws may change; consult your legal adviser for specific guidance.