NIS2 Directive (EU) 2022/2555
The NIS2 Directive — Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 — is the European Union's horizontal cybersecurity framework. It repealed the original 2016 NIS Directive (Directive (EU) 2016/1148) and substantially broadened scope, sharpened supervisory powers, and aligned the sanctions regime across Member States.
This page is a Modulos compliance guide. The Article references and key dates are quoted or paraphrased from the published OJ text; the platform mapping references real Modulos surfaces.
Quick decision
- In scope (essential or important entity in Annex I / Annex II sectors) → start with this guide. Scope the entity using Scope and applicability, then work through Article 21 cybersecurity measures and Article 23 incident reporting.
- Financial entity that would otherwise be a NIS2 essential or important entity under national transposition → read the NIS2 vs DORA comparison first. DORA Article 1(2) operates by treating DORA as a sector-specific Union legal act for the purposes of NIS2 Article 4 — on matters DORA covers, its specialised provisions apply; NIS2 obligations remain relevant where DORA does not cover the matter and where national transposition extends further.
- Trust service provider, top-level-domain name registry, DNS service provider, cloud / data-centre / CDN / managed-service / managed-security-service provider, online marketplace, search engine, or social-networking platform → the same Article 21 measures apply, but with the technical and methodological specification of Commission Implementing Regulation (EU) 2024/2690 layered on top.
- Already operating an ISO/IEC 27001 ISMS → treat NIS2 as a binding overlay. The ISMS provides much of the Article 21(2) substance, but Article 23 reporting and Article 20 management-body accountability are NIS2-specific obligations on the national transposing law's terms.
- Outside the EU but offering services into the EU → scope follows from Article 2(1): the Union-nexus limb is met by providing services or carrying out activities within the Union, so establishment outside the EU does not take an otherwise in-scope Annex I / II entity out of scope. For the Article 26(1)(b) digital entity types (DNS, TLD registries, domain-registration services, cloud, data centres, CDN, MSP/MSSP, marketplaces, search engines, social platforms), Article 26(3) requires a non-EU provider to designate an EU representative, which fixes jurisdiction in the representative's Member State.
TL;DR
- NIS2 = Directive (EU) 2022/2555, published in OJ L 333, 27 December 2022. Adopted 14 December 2022, entered into force 16 January 2023, transposition deadline 17 October 2024, application of national transposing measures from 18 October 2024.
- It replaces the original NIS Directive (Directive (EU) 2016/1148) and extends sectoral scope, governance accountability, technical measures, incident reporting, supervision, and sanctions.
- The four operative pillars: scope and classification (Articles 2–4); management-body accountability and cybersecurity measures (Articles 20–21); incident notification (Article 23); supervision, enforcement, and sanctions (Articles 32–37).
- Because NIS2 is a Directive, the binding rules are those of each Member State's national transposing law. Transpositions may extend beyond the directive's minimum.
- For financial entities, DORA (Regulation (EU) 2022/2554) Article 1(2) treats DORA as a sector-specific Union legal act for the purposes of NIS2 Article 4; DORA's specialised provisions apply on matters it covers, while NIS2 obligations remain relevant where DORA does not cover the matter and where national transposition extends further.
Primary source
Directive (EU) 2022/2555 on EUR-Lex (CELEX 32022L2555) · OJ L 333, 27.12.2022, pp. 80–152 · Commission Implementing Regulation (EU) 2024/2690 (technical and methodological requirements for the relevant entities listed in its Article 1)
Key facts
| Key fact | Detail |
|---|---|
| Instrument | Directive (EU) 2022/2555 — transposed into national law |
| Adopted / in force | 14 Dec 2022 / 16 Jan 2023 |
| Applies | National transposing measures from 18 Oct 2024 |
| Scope test | Annex I / II sectors + size cap, with regardless-of-size additions |
| Core duties | Art 20 governance, Art 21 measures, Art 23 reporting |
| Max fines | ≥ EUR 10m / 2% (essential); ≥ EUR 7m / 1.4% (important) |
What NIS2 changes from the original NIS Directive
The original NIS Directive (Directive (EU) 2016/1148) introduced the first EU-wide cybersecurity baseline for "operators of essential services" and "digital service providers". NIS2 keeps that policy direction but addresses three structural weaknesses:
- Scope was patchy. Each Member State chose which operators of essential services to designate; the result was uneven coverage across the single market. NIS2 replaces this with a size-cap rule (Article 2(1)) tied to Recommendation 2003/361/EC, plus enumerated sectors in Annex I and Annex II.
- Governance was weak. NIS2 introduces explicit management-body responsibility (Article 20) and personal accountability of management bodies for compliance with Article 21 measures.
- Sanctions and supervision were uneven. NIS2 harmonises supervisory powers and requires Member States to provide for administrative fines under Article 34. For infringements of Article 21 or Article 23, the Directive obliges Member States to provide for maximum fines of at least EUR 10 000 000 or 2% of the total worldwide annual turnover in the preceding financial year of the undertaking the entity belongs to (whichever is higher) for essential entities (Article 34(4)), and at least EUR 7 000 000 or 1.4% for important entities (Article 34(5)) — Member States may set higher national maxima, but not lower.
Entity scope at a glance
NIS2 distinguishes two categories with overlapping technical obligations but different supervisory regimes:
- Essential entities — entities classified as essential under Article 3(1). This includes (a) entities in Annex I sectors that exceed the size-cap thresholds; (b) specific entity types essential regardless of size under Article 3(1)(b) — qualified trust service providers, top-level-domain name registries, and DNS service providers; (c) providers of public electronic communications networks or publicly available electronic communications services qualifying as medium-sized enterprises under Article 3(1)(c); and (d) further specific cases enumerated in Article 3(1)(d)–(g), including the central-government public administration entities referred to in Article 2(2)(f)(i). Supervisory regime is ex ante and ex post under Article 32.
- Important entities — under Article 3(2), entities in Annex I or Annex II sectors that do not qualify as essential under Article 3(1). This catches the size-cap Annex I / Annex II entities that are not essential, plus entities additionally identified by Member States under Article 2(2)(b)–(e) (including, for example, sole providers in a Member State of a service essential for the maintenance of critical societal or economic activities, or entities whose disruption could have a significant impact on public safety, security or health, or which present a significant systemic risk). Supervisory regime is ex post under Article 33 (where evidence, indication, or information suggests non-compliance).
See Scope and applicability for the full classification logic, Annex I / Annex II sectoral lists, and the manual scoping workflow Modulos uses.
NIS2 structure
NIS2 Directive (EU) 2022/2555
- Chapter I — General provisions (Articles 1–6): subject matter, scope, essential / important classification, sector-specific equivalence, definitions
- Chapter II — Coordinated cybersecurity frameworks (Articles 7–13): national strategies, competent authorities, single points of contact, CSIRTs
- Chapter III — Cooperation (Articles 14–19): Cooperation Group, CSIRTs network, EU-CyCLONe, ENISA cybersecurity report, peer reviews
- Chapter IV — Risk management and reporting (Articles 20–25): management-body duties, Article 21 measures, Article 23 reporting, certification schemes (Art 24), standardisation (Art 25)
- Chapter V — Jurisdiction and registration (Articles 26–28): jurisdiction, ENISA registry of entities, domain-name registration data database (Art 28)
- Chapter VI — Information sharing (Articles 29–30): voluntary information-sharing arrangements and notifications
- Chapter VII — Supervision and enforcement (Articles 31–37): supervisory measures, sanctions, fines, mutual assistance between authorities
- Chapter VIII — Delegated and implementing acts (Articles 38–39): exercise of the delegation, committee procedure
- Chapter IX — Final provisions (Articles 40–46): review, transposition (Art 41), repeal of the 2016 NIS Directive (Art 44), entry into force
The four chapters most operationally relevant to in-scope entities are Chapter IV (risk management and reporting), Chapter V (jurisdiction and registration), Chapter VI (voluntary information sharing), and Chapter VII (supervision and enforcement). See the dedicated spokes below for each.
How to operationalize NIS2 in Modulos
Modulos models NIS2 as two complementary framework templates:
| Framework | Project type | Focus | Requirements | Mapped controls |
|---|---|---|---|---|
| OFF-15 (NIS2 (org)) | Organization | Scope and classification, management-body duties, Article 21 governance, Article 23 reporting, supervisory duties | 28 (ORF-333 to ORF-360) | 81 unique |
| MFF-15 (NIS2 (app)) | AI application | AI-service operational execution, reporting workflows, covered-entity overlays | 18 (MRF-275 to MRF-292) | 71 unique |
The split keeps board-level governance duties separate from per-service operational evidence, which is the same separation NIS2 itself draws between management-body accountability (Article 20) and entity-level technical implementation (Article 21).
Every requirement is anchored in the primary law: the requirement text carries a References section citing the precise article, paragraph, or Annex point (NIS2 Directive, Implementing Regulation (EU) 2024/2690, with EUR-Lex links) and an Applicability section stating which entities each limb binds. Three NIS2 tag families classify the requirements and their controls:
- NIS2 Scope — conditional-applicability labels for duties that attach only to specific entity types or situations (see Scope and applicability).
- NIS2 Domain — the measure area, mirroring the Article 21(2)(a)–(j) categories plus Article 20 governance, Article 23 reporting, scope, registration, information-sharing, and supervision.
- NIS2 Basis — the legal basis of each duty: "Directive Art 21 (all entities)" for measures binding every in-scope essential and important entity, versus "Impl. Reg. 2024/2690 (relevant entities only)" for the technical detail that binds only the relevant entity types listed in the Implementing Regulation's Article 1.
A typical setup:
- Requirements — each NIS2 obligation (e.g. Article 21(2)(d) supply-chain security; Article 23(4)(a) 24-hour early warning) is recorded as a requirement on the relevant project. Fulfilment is tracked through a two-state lifecycle (Not fulfilled → Fulfilled, with optional Out of scope).
- Controls — the framework templates pair NIS2-specific overlay controls (carrying article-cited guidance and an evidence checklist for the duty) with shared, framework-agnostic governance controls reused across the ISO 27001 / ISO 42001 / DORA templates. Additional implemented measures (e.g. SBOM tooling, vendor due-diligence policy, MFA rollout) are documented as named controls and mapped to one or more requirements. Controls move through their own lifecycle and can be put through a review request when a status change is proposed.
- Evidence — design documents, risk-assessment artefacts, incident-response runbooks, training records, and supplier reviews are recorded once and linked to multiple controls.
- Readiness + fulfilment attestation — a requirement becomes ready for review once all linked controls are in a final state. The requirement owner then attests that the obligation is satisfied for the project scope by marking the requirement fulfilled, with the rationale captured in the requirement's comments and logs.
- Reporting workflows — Article 23 staged reporting (24 hour / 72 hour / final / progress) is tracked through requirements and evidence. Modulos does not provide a dedicated incident-reporting UI surface; staged reports and authority notices are stored as evidence against the relevant Article 23 requirement.
See Operationalizing in Modulos for the practical rollout sequence.
Cross-framework mapping (preview)
| NIS2 area | ISO/IEC 27001:2022 (Amd 1:2024) | ISO/IEC 27002:2022 | DORA (Regulation (EU) 2022/2554) | EU AI Act (Regulation (EU) 2024/1689) |
|---|---|---|---|---|
| Article 20 management-body duties | Clauses 5.1 (leadership and commitment), 5.3 (roles and responsibilities) | A.5.2 information security roles and responsibilities | Article 5 (governance and organisation) | Article 26 (deployer obligations), Article 14 (human oversight design) where applicable |
| Article 21 cybersecurity measures | Clauses 6.1 (actions to address risks and opportunities), 8 (operation), Annex A | Several Annex A controls in 5.x–8.x | Article 6 (ICT risk-management framework), Delegated Regulation (EU) 2024/1774 (RTS) | Article 15 (accuracy, robustness, cybersecurity) for high-risk AI |
| Article 23 incident reporting | Annex A.5.24–A.5.26 information security incident management | A.5.24 (planning), A.5.25 (assessment) | Articles 17–19 plus Delegated Regulation 2025/301 (RTS on content and time limits) and Implementing Regulation 2025/302 (ITS on forms and templates) | Article 73 (serious incident reporting for high-risk AI providers) |
| Article 21(2)(d) supply-chain security | Clauses 8.1 (operational planning) | A.5.19 (information security in supplier relationships), A.5.21 (managing information security in the ICT supply chain) | Articles 28–30 plus 2024/1773 (TPP policy RTS) and 2025/532 (subcontracting RTS) | Article 25 (value-chain responsibility and provider reclassification) |
| Articles 32–37 supervision | (Not directly mapped) | (Not directly mapped) | Articles 46–54 (competent authorities; administrative penalties and remedial measures) | Articles 70–99 (governance, surveillance, penalties) |
Cross-framework references are conditional on entity classification, sectoral scope, and applicable obligations. For the pairwise treatment with DORA see NIS2 vs DORA; for the full hub see framework comparison.
Related pages
Scope and applicability
Article 2 scope, Article 3 essential / important classification, manual scoping, NIS2 Scope tags
Cybersecurity measures (Article 21)
The ten Article 21(2) categories quoted verbatim, with implementation discipline and Modulos requirement mapping
Incident reporting (Article 23)
24-hour early warning, 72-hour notification, intermediate, final, and progress reports — verbatim timelines and significance test
Operationalizing in Modulos
Practical rollout sequence for OFF-15 and MFF-15
NIS2 vs DORA comparison
Where each applies, sector-specific Union legal act interaction under NIS2 Article 4, incident-reporting coordination
Source attribution
Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 80–152. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 specifies technical and methodological requirements for cybersecurity risk-management measures for the relevant entity types listed in its Article 1.
Disclaimer
This page is for general informational purposes and does not constitute legal advice. NIS2 takes effect in each Member State through national transposing law; binding obligations and supervisory authorities are determined by that national law. For binding interpretation in your jurisdiction, consult the published EUR-Lex text, the relevant ISO/IEC standards, and qualified counsel.