Understanding the NIS2 Directive
The NIS2 Directive is the EU's most significant cybersecurity legislation since the original NIS Directive of 2016. It expands the scope to cover more sectors, introduces stricter penalties (up to 10 million EUR or 2% of global turnover), and requires incident reporting within 24 hours. For manufacturers, energy companies, and digital infrastructure providers that were not covered before, this is new territory with hard deadlines.
What Are the Requirements?
Security Measures
Under NIS2, organizations are required to implement specific cybersecurity measures proportionate to their risk. These measures must align with best practices and include:
- Risk analysis and information system security policies.
- Incident handling (prevention, detection, response, and recovery).
- Business continuity and crisis management.
- Supply chain security.
- Security in network and information systems acquisition, development, and maintenance.
- Policies and procedures to assess the effectiveness of the cybersecurity risk management measures.
Incident Reporting
Incident reporting is a crucial aspect of NIS2, designed to ensure timely awareness and response to cyber threats. Organizations must:
- Report incidents that have a significant impact on the provision of their services.
- Notify the competent authority or CSIRT (Computer Security Incident Response Team) within 24 hours of becoming aware of a significant incident.
- Follow up with a more detailed incident report within 72 hours.
Governance and Accountability
The directive places strong emphasis on governance, requiring entities to:
- Assign clear responsibilities for cybersecurity risk management.
- Ensure top-level management accountability in overseeing NIS2 compliance.
- Provide regular training and awareness programs for employees.
Scope of NIS2
Expanded Sector Coverage
NIS2 widens its sectoral scope to include additional industries deemed essential to the economy and society. These include:
- Energy
- Transportation
- Banking and financial market infrastructures
- Health
- Drinking water supply and distribution
- Digital infrastructure
- Public administration
Essential vs. Important Entities
Entities are classified as either Essential or Important based on their societal and economic impact. This classification determines the extent of their obligations under NIS2, with Essential entities facing more stringent requirements.
Who Must Comply?
Existing and New Obligations
NIS2 applies to:
- Existing entities previously covered under the original NIS Directive.
- New entities within the expanded sectors and those identified as having critical importance.
Thresholds for Inclusion
The directive sets specific thresholds for inclusion, based on factors such as:
- Size and turnover.
- Market significance.
- The criticality of the services provided.
How to Prepare for NIS2 Compliance
Conduct a Gap Analysis
Perform a detailed gap analysis to compare current cybersecurity practices against NIS2 requirements. This analysis will highlight areas needing improvement or additional measures.
Implement a Cybersecurity Framework
Adopt a cybersecurity framework, such as NIST SP 800-171 or ISO/IEC 27001, to provide a structured approach to managing information security. This aids in aligning with NIS2 requirements effectively.
Strengthen Incident Response Plans
Develop and refine incident response plans to ensure rapid detection and mitigation of cybersecurity incidents. Regularly test these plans through simulations and drills.
Enhance Supply Chain Security
Given the emphasis on supply chain security, evaluate and strengthen the cybersecurity posture of your supply chain. This includes conducting risk assessments and ensuring supplier contracts include cybersecurity obligations.
Training and Awareness
Hold regular training sessions so that employees understand current cybersecurity threats, recognize their role in preventing and reporting incidents, and know why adherence to NIS2 requirements matters.
Conclusion
The 2026 deadline is fixed. If you have not started your gap analysis, that is the immediate next step. Identify which entity category you fall into (essential or important), map your current controls against Article 21 requirements, and build a remediation timeline. Focus first on incident reporting readiness (the 24-hour notification window catches most organizations off guard) and supply chain security obligations. The organizations that start now will be compliant; the ones that wait will be scrambling.