NIS2 (Network and Information Security Directive)
The updated EU directive on cybersecurity that expands the scope of the original NIS Directive to cover more sectors and entities. NIS2 introduces stricter security requirements, incident reporting obligations, and enforcement measures with significant penalties for non-compliance.
The NIS2 Directive (Directive (EU) 2022/2555) is the EU's updated cybersecurity legislation that replaces the original NIS Directive from 2016. It significantly expands the scope to cover essential and important entities across 18 sectors, including energy, transport, banking, health, digital infrastructure, and public administration. Member states were required to transpose NIS2 into national law by October 17, 2024.
NIS2 introduces proportionate security requirements based on entity classification. Essential entities (large organizations in critical sectors) face stricter oversight and higher penalties (up to €10 million or 2% of global turnover), while important entities have somewhat lighter requirements but still face penalties up to €7 million or 1.4% of turnover. Key obligations include risk management measures, incident reporting within 24 hours (early warning) and 72 hours (full notification), supply chain security, and management body accountability.
For financial services organizations already subject to DORA, NIS2 generally defers to DORA as the sector-specific regulation (lex specialis). However, organizations in overlapping sectors should understand both frameworks to ensure comprehensive compliance coverage.
Related Terms
DORA (Digital Operational Resilience Act)
An EU regulation that establishes uniform requirements for the security of network and information systems in the financial sector. DORA became mandatory on January 17, 2025, and applies to banks, insurance companies, investment firms, and their critical ICT service providers.
Incident Reporting
The formal process of detecting, classifying, and reporting ICT-related incidents to competent authorities. DORA Articles 17-23 establish specific requirements for incident classification, initial notification, intermediate reports, and final reports to supervisory authorities.
Supply Chain Security
The management of cybersecurity risks throughout the supply chain, including all third-party vendors, software providers, and service partners. Both DORA and NIS2 mandate supply chain security measures to protect against cascading failures and targeted attacks.
Risk Assessment
A systematic process of identifying potential threats, evaluating vulnerabilities, and determining the likelihood and impact of risks to an organization's information assets and operations. Risk assessments are foundational to ISO 27001, DORA, and virtually every compliance framework.
Related Articles
9 NIS2 Compliance Quick Wins for 2026
9 quick wins to accelerate your NIS2 compliance in 2026. Practical, high-impact actions you can implement immediately to improve your cybersecurity posture and
How to Implement NIS2 Supply Chain Security
Practical guide to implementing NIS2 supply chain security requirements. Covers supplier risk assessment, security requirements in contracts, and ongoing monito
NIS2 Compliance for Energy Sector Organizations
NIS2 compliance guide for energy companies including electricity, gas, oil, and hydrogen operators. Covers OT/ICS security, supply chain requirements, and incid
NIS2 Compliance for Healthcare Organizations
NIS2 implementation guide for healthcare providers and hospitals. Covers essential entity classification, medical device security, patient data protection, and