
NIS2 Enforcement Is Live: What Changed and What to Do First

Trout Team | 7 min read

The Grace Period Is Over

The NIS2 Directive (Directive (EU) 2022/2555) required EU member states to transpose its requirements into national law by October 17, 2024. Most member states met that deadline or followed shortly after. As of Q1 2026, national enforcement is active across the EU.

National Competent Authorities (NCAs) are now conducting audits. Germany's BSI has set an entity registration deadline of April 2026. France's ANSSI began compliance verification in late 2025. The Netherlands, Belgium, and the Nordics are following similar timelines.

If you operate in the EU and fall under NIS2 scope — which now covers a much broader range of sectors and entity sizes than the original NIS Directive — you are subject to audit today.

What Actually Changed from NIS1

NIS2 is not an incremental update. It is a fundamental expansion:

  • Scope expanded from ~10,000 to ~160,000 entities across the EU. The original NIS Directive covered critical infrastructure operators. NIS2 adds manufacturing, food production, waste management, postal services, chemicals, digital providers, and more.
  • Two-tier classification: Essential entities (energy, transport, health, water, digital infrastructure, banking, space) and Important entities (manufacturing, food, chemicals, postal, research, waste management, digital providers). Both must comply. The difference is in penalty levels and audit regimes.
  • Management accountability: Article 20 makes management bodies personally responsible for approving cybersecurity risk management measures. Management must receive cybersecurity training. Personal liability is on the table — we break down the details in our analysis of NIS2 management liability and why executives are personally on the hook.
  • Supply chain security: Article 21(2)(d) requires organizations to address cybersecurity risks in their supply chains and supplier relationships. This cascades requirements down to vendors and service providers.
  • Incident reporting tightened: 24-hour early warning to the CSIRT, 72-hour incident notification, and a final report within one month.

Penalty Structure

The penalties are designed to get board-level attention:

| Entity Type | Maximum Fine | Revenue-Based Cap |
|---|---|---|
| Essential Entity | EUR 10,000,000 | 2% of total annual worldwide turnover |
| Important Entity | EUR 7,000,000 | 1.4% of total annual worldwide turnover |

The higher of the two figures applies. For a manufacturer with EUR 500M in revenue, the Essential entity cap is EUR 10M. For a manufacturer with EUR 100M, it is still EUR 2M.

Beyond fines, NCAs can:

  • Order temporary suspension of certifications or authorizations
  • Temporarily prohibit management from exercising management functions
  • Issue binding instructions with defined compliance deadlines

Enforcement Timeline by Country

Not all member states are moving at the same pace. Here is where the key markets stand:

| Country | NCA | Registration Deadline | First Audit Wave | Status (Q1 2026) |
|---|---|---|---|---|
| Germany | BSI | April 2026 | Q2 2026 | Registration portal live; audits imminent |
| France | ANSSI | Completed (2025) | Active since Q4 2025 | Audits underway for essential entities |
| Netherlands | NCSC-NL | March 2026 | Q2 2026 | Sector-specific guidelines published |
| Belgium | CCB | Q1 2026 | Q2-Q3 2026 | Self-assessment tool available |
| Italy | ACN | Q1 2026 | Q3 2026 | Transposition complete; guidance pending |
| Spain | CCN-CERT | Q2 2026 | Q3-Q4 2026 | Transposition complete; implementation ongoing |
| Sweden | MSB | Q1 2026 | Q2 2026 | Active enforcement for essential entities |
| Poland | NASK | Q2 2026 | Q3 2026 | National law enacted; details forthcoming |

Germany and France are furthest along. If you operate in either market, your audit window is now.

What Auditors Look For First

Based on early enforcement actions and NCA guidance, auditors are prioritizing:

  1. Governance structure — Is there a named individual responsible for cybersecurity? Has management approved the risk management framework? Have management bodies received training?

  2. Asset inventory — Do you know what you have? Can you produce a complete inventory of network and information systems, including OT assets? This is the foundation auditors start from.

  3. Network segmentation and access control — Are critical systems isolated? Is access controlled on a least-privilege basis? Unsegmented networks with open access are an immediate finding.

  4. Incident response capability — Do you have a documented, tested incident response plan? Can you meet the 24-hour early warning and 72-hour notification timelines?

  5. Supply chain risk management — Have you assessed the cybersecurity posture of your critical suppliers? Do your contracts include security requirements?

For OT-heavy organizations — manufacturers, energy operators, water utilities — auditors specifically examine:

  • Whether OT networks are segmented from IT networks
  • Whether remote access to OT systems is controlled and logged
  • Whether OT assets are included in the asset inventory
  • Whether incident response plans cover OT-specific scenarios

The OT Compliance Gap

Most organizations that have been preparing for NIS2 started with their IT environments. Email security, endpoint protection, identity management, cloud configurations — these have mature tooling and established playbooks.

OT environments are different. The challenges are specific and persistent:

  • Industrial control systems run proprietary protocols that standard IT security tools do not understand
  • PLCs, RTUs, and HMIs were never designed for endpoint software and cannot accept it
  • Patching requires maintenance windows that may only occur quarterly — or annually
  • Network visibility is limited because many OT networks lack centralized monitoring
  • Legacy equipment predates modern authentication standards

These are not hypothetical problems. They are the reason OT environments consistently show up as the largest compliance gap in NIS2 readiness assessments.

Addressing this requires network-level controls that work around legacy equipment: segmentation appliances that enforce access policies at zone boundaries, capture traffic logs for audit purposes, and provide visibility into industrial protocol communications — without touching the devices themselves.

A Prioritized 5-Step Action Plan

If you are subject to NIS2 and have not completed your compliance program, here is where to focus:

Step 1: Register with Your NCA (Deadline: Immediate)

If your member state requires entity registration — and most do — this is your first administrative task. In Germany, the BSI registration portal is live with an April 2026 deadline. Missing registration does not exempt you from compliance; it just adds a violation.

Step 2: Complete Your Asset Inventory (Weeks 1-4)

You cannot protect what you do not know about. Build a complete inventory of:

  • All IT systems (servers, endpoints, cloud services, applications)
  • All OT systems (PLCs, HMIs, SCADA servers, historians, engineering workstations)
  • All network infrastructure (switches, routers, firewalls, wireless access points)
  • All remote access paths (VPN concentrators, jump servers, vendor connections)

Step 3: Implement Network Segmentation (Weeks 4-12)

Separate critical OT systems from IT networks. Enforce default-deny policies at boundary points. For OT environments, deploy inline or passive network appliances that can enforce segmentation without requiring device-level changes.

Prioritize:

  • IT/OT boundary enforcement
  • Remote access control and session logging
  • Isolation of safety-critical systems
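As an added illustration of the default-deny boundary policy in Step 3 and the audit evidence in Step 5 (example code written for this article, not Trout's product or any client configuration), the following Python evaluates constructed flow records against an IT/DMZ/OT zone allow-list and turns every denied cross-zone flow into an audit finding. The zone addresses, allowed ports and sample flows are assumptions, not values from the article.

```python
import ipaddress
# Constructed zone map; the addressing is an assumption for this example.
ZONES = {
    "IT": ipaddress.ip_network("10.10.0.0/16"),
    "DMZ": ipaddress.ip_network("10.20.0.0/24"),
    "OT": ipaddress.ip_network("10.30.0.0/16"),
}
# Allow-list of cross-zone flows as (src zone, dst zone, dst port).
# Anything not listed is denied: the default-deny the article calls for.
ALLOWED = {
    ("DMZ", "OT", 502),   # historian in the DMZ polls PLCs over Modbus/TCP
    ("IT", "DMZ", 443),   # engineers reach the jump server over HTTPS
}

def zone_of(ip):
    """Map an address to its zone name, or 'UNKNOWN' if outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "UNKNOWN"

def evaluate(flow):
    """Default-deny verdict for one flow record."""
    src, dst = zone_of(flow["src"]), zone_of(flow["dst"])
    if src == dst and src != "UNKNOWN":
        return "allow"  # intra-zone traffic is not a boundary decision
    if (src, dst, flow["dport"]) in ALLOWED:
        return "allow"
    return "deny"

def audit(flows):
    """Return (violations, records); each record is an audit line with zones and verdict."""
    records, violations = [], []
    for f in flows:
        rec = {**f, "src_zone": zone_of(f["src"]),
               "dst_zone": zone_of(f["dst"]), "verdict": evaluate(f)}
        records.append(rec)
        if rec["verdict"] == "deny":
            violations.append(rec)
    return violations, records

# Constructed sample flow records, as a boundary appliance might log them.
SAMPLE_FLOWS = [
    {"ts": "2026-02-03T08:00:01Z", "src": "10.20.0.5", "dst": "10.30.1.10", "dport": 502},
    {"ts": "2026-02-03T08:00:04Z", "src": "10.10.4.7", "dst": "10.30.1.10", "dport": 502},
    {"ts": "2026-02-03T08:00:09Z", "src": "10.10.4.7", "dst": "10.20.0.5", "dport": 443},
    {"ts": "2026-02-03T08:00:12Z", "src": "10.30.1.10", "dst": "10.30.1.11", "dport": 44818},
]
```

Running `audit(SAMPLE_FLOWS)` flags the one IT workstation talking straight to a PLC; the full `records` list is the kind of per-flow evidence an auditor asks for when checking that the boundary policy is actually enforced.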

Step 4: Establish Incident Response Capability (Weeks 4-8)

Document and test an incident response plan that:

  • Covers both IT and OT scenarios
  • Meets the 24-hour early warning requirement
  • Identifies your CSIRT and reporting procedures
  • Includes communication templates and escalation paths

Step 5: Document Everything (Ongoing)

NIS2 compliance is evidence-based. Build and maintain:

  • Risk management framework approved by management
  • Security policies covering all Article 21 measures
  • Records of management training
  • Supplier security assessments
  • Incident response test results
  • Audit logs demonstrating control effectiveness

The organizations getting through audits cleanly are the ones that started with their OT blind spots, built network-level controls they can actually demonstrate, and documented every decision. Defense contractors operating in both the US and EU should also explore how one compliance architecture can satisfy both CMMC and NIS2. If your OT network is still a flat, unmonitored space behind a single firewall — that is where your first investment should go.
