What is the NIS2 Directive and what does it replace?

NIS2 is Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union. It repeals the original NIS Directive (Directive (EU) 2016/1148) with effect from 18 October 2024 and substantially expands sectoral scope, harmonises supervisory powers, and aligns penalty regimes. Member States were required to transpose NIS2 into national law by 17 October 2024, and to apply the transposing measures from 18 October 2024.

Who must comply with NIS2?

NIS2 applies to essential and important entities operating in the sectors listed in Annex I (high-criticality sectors such as energy, transport, banking, financial market infrastructures, health, drinking water, waste water, digital infrastructure, ICT service management business-to-business, public administration, and space) and Annex II (other critical sectors such as postal and courier services, waste management, manufacture of chemicals, food, manufacture of certain goods, digital providers, and research). The size-cap rule in Article 2(1) generally pulls in medium-sized and large entities as defined by Recommendation 2003/361/EC, with a series of carve-outs and inclusions in Article 2(2)–(5).

When does NIS2 apply?

NIS2 entered into force on 16 January 2023. Member States had until 17 October 2024 to transpose the Directive (Article 41(1)) and shall apply the transposing measures from 18 October 2024. Because NIS2 is a Directive, the binding rules in any given Member State are those of its national transposing law, which may carry additional national-specific requirements.

What does Article 21 require?

Article 21(1) requires essential and important entities to take appropriate and proportionate technical, operational and organisational measures to manage the risks posed to the security of network and information systems used in their operations or for the provision of their services, and to prevent or minimise the impact of incidents on recipients of those services and on other services. Article 21(2) then lists ten minimum measure categories (a) through (j) that the measures must include — covering risk-analysis and information-system-security policies, incident handling, business continuity, supply-chain security, secure acquisition / development / maintenance, effectiveness assessment, cyber hygiene and training, cryptography and encryption, human-resources security and access control, and (j) the use of multi-factor or continuous authentication solutions, secured voice, video and text communications, and secured emergency communication systems within the entity, where appropriate.

What are the NIS2 incident reporting timelines?

Article 23(4) establishes a staged process for significant incidents: an early warning to the CSIRT or competent authority without undue delay and within 24 hours; an incident notification within 72 hours including an initial assessment; an intermediate report on relevant status updates upon request; a final report within one month of the incident notification; and, for ongoing incidents at the time of the final report, a progress report plus a subsequent final report within one month of handling. Article 23(3) treats an incident as significant if it has caused or is capable of causing severe operational disruption of the services or financial loss for the entity, or if it has affected or is capable of affecting other natural or legal persons by causing considerable material or non-material damage. Article 23(4) also derogates from point (b) for trust service providers: they must notify the CSIRT or competent authority within 24 hours of becoming aware of significant incidents that have an impact on the provision of their trust services.

How does NIS2 relate to DORA?

DORA (Regulation (EU) 2022/2554) Article 1(2) operates by treating DORA as a sector-specific Union legal act for the purposes of Article 4 of the NIS2 Directive. The practical effect for financial entities that would otherwise be NIS2 essential or important entities under national transposition is that DORA's specialised provisions apply on the matters it covers (ICT risk management, ICT-related incident reporting, digital operational resilience testing, ICT third-party risk). NIS2 obligations remain relevant where DORA does not cover the matter and where the national NIS2 transposition extends further. See the [NIS2 vs DORA comparison](/frameworks/comparison/nis2-vs-dora) for a structured walk-through.

How does NIS2 relate to ISO/IEC 27001?

ISO/IEC 27001:2022 (with Amendment 1:2024) is a certifiable information-security management-system standard; NIS2 is a binding EU cybersecurity directive. They are complementary: an ISO 27001-aligned ISMS provides a sound technical and organisational baseline for many of the Article 21(2) measure categories, but ISO certification does not by itself discharge NIS2 obligations. NIS2 compliance is determined by the national transposing law and the supervisory authority, not by the standard.

NIS2 Directive (EU) 2022/2555

The NIS2 Directive — Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 — is the European Union's horizontal cybersecurity framework. It repealed the original 2016 NIS Directive (Directive (EU) 2016/1148) and substantially broadened scope, sharpened supervisory powers, and aligned the sanctions regime across Member States.

This page is a Modulos compliance guide. The Article references and key dates are quoted or paraphrased from the published OJ text; the platform mapping references real Modulos surfaces.

Quick decision

In scope (essential or important entity in Annex I / Annex II sectors) → start with this guide. Scope the entity using Scope and applicability, then work through Article 21 cybersecurity measures and Article 23 incident reporting.
Financial entity that would otherwise be a NIS2 essential or important entity under national transposition → read the NIS2 vs DORA comparison first. DORA Article 1(2) operates by treating DORA as a sector-specific Union legal act for the purposes of NIS2 Article 4 — on matters DORA covers, its specialised provisions apply; NIS2 obligations remain relevant where DORA does not cover the matter and where national transposition extends further.
Trust service provider, top-level-domain name registry, DNS service provider, cloud / data-centre / CDN / managed-service / managed-security-service provider, online marketplace, search engine, or social-networking platform → the same Article 21 measures apply, but with the technical and methodological specification of Commission Implementing Regulation (EU) 2024/2690 layered on top.
Already operating an ISO/IEC 27001 ISMS → treat NIS2 as a binding overlay. The ISMS provides much of the Article 21(2) substance, but Article 23 reporting and Article 20 management-body accountability are NIS2-specific obligations on the national transposing law's terms.
Outside the EU but offering services into the EU → Article 26 jurisdictional rules apply to specific entity types (DNS service providers, top-level-domain name registries, entities providing domain-name registration services, cloud computing service providers, data centre service providers, content delivery network providers, managed service providers, managed security service providers, online marketplaces, search engines, and social-networking services platforms — Art 26(1)(b)). For those entities, the representative-establishment requirement in Article 26(3) may bring a non-EU provider in scope.

TL;DR

NIS2 = Directive (EU) 2022/2555, published in OJ L 333, 27 December 2022. Adopted 14 December 2022, entered into force 16 January 2023, transposition deadline 17 October 2024, application of national transposing measures from 18 October 2024.
It replaces the original NIS Directive (Directive (EU) 2016/1148) and extends sectoral scope, governance accountability, technical measures, incident reporting, supervision, and sanctions.
The four operative pillars: scope and classification (Articles 2–4); management-body accountability and cybersecurity measures (Articles 20–21); incident notification (Article 23); supervision, enforcement, and sanctions (Articles 32–37).
Because NIS2 is a Directive, the binding rules are those of each Member State's national transposing law. Transpositions may extend beyond the directive's minimum.
For financial entities, DORA (Regulation (EU) 2022/2554) Article 1(2) treats DORA as a sector-specific Union legal act for the purposes of NIS2 Article 4; DORA's specialised provisions apply on matters it covers, while NIS2 obligations remain relevant where DORA does not cover the matter and where national transposition extends further.

Primary source

Directive (EU) 2022/2555 on EUR-Lex (CELEX 32022L2555) · OJ L 333, 27.12.2022, pp. 80–152 · Commission Implementing Regulation (EU) 2024/2690 (technical specifications for digital-infrastructure entities)

What NIS2 changes from the original NIS Directive

The original NIS Directive (Directive (EU) 2016/1148) introduced the first EU-wide cybersecurity baseline for "operators of essential services" and "digital service providers". NIS2 keeps that policy direction but addresses three structural weaknesses:

Scope was patchy. Each Member State chose which operators of essential services to designate; the result was uneven coverage across the single market. NIS2 replaces this with a size-cap rule (Article 2(1)) tied to Recommendation 2003/361/EC, plus enumerated sectors in Annex I and Annex II.
Governance was weak. NIS2 introduces explicit management-body responsibility (Article 20) and personal accountability of management bodies for compliance with Article 21 measures.
Sanctions and supervision were uneven. NIS2 harmonises supervisory powers and requires Member States to provide for administrative fines under Article 34. The Directive obliges Member States to provide for maximum fines of at least EUR 10 000 000 or 2% of the worldwide annual turnover (whichever is higher) for essential entities, and at least EUR 7 000 000 or 1.4% for important entities — Member States may set higher national maxima, but not lower.

Entity scope at a glance

NIS2 distinguishes two categories with overlapping technical obligations but different supervisory regimes:

Essential entities — entities classified as essential under Article 3(1). This includes (a) entities in Annex I sectors that exceed the size-cap thresholds; (b) specific entity types essential regardless of size under Article 3(1)(b) — qualified trust service providers, top-level-domain name registries, and DNS service providers; (c) providers of public electronic communications networks or publicly available electronic communications services qualifying as medium-sized enterprises under Article 3(1)(c); and (d) further specific cases enumerated in Article 3(1)(d)–(h), including certain public administration entities. Supervisory regime is ex ante (proactive) under Article 32.
Important entities — under Article 3(2), entities in Annex I or Annex II sectors that do not qualify as essential under Article 3(1). This catches the size-cap Annex I / Annex II entities that are not essential, plus entities additionally identified by Member States under Article 2(2)(b)–(e) (including, for example, sole providers in a Member State of a service essential for the maintenance of critical societal or economic activities, or entities whose disruption could have a significant impact on public safety, security or health, or which present a significant systemic risk). Supervisory regime is ex post under Article 33 (where evidence, indication, or information suggests non-compliance).

See Scope and applicability for the full classification logic, Annex I / Annex II sectoral lists, and the manual scoping workflow Modulos uses.

NIS2 structure

NIS2 Directive (EU) 2022/2555

Chapter I — General provisionsArticles 1–6: subject matter, scope, essential / important classification, sector-specific equivalence, definitions

Chapter II — Coordinated cybersecurity frameworksArticles 7–13: national strategies, competent authorities, CSIRTs, single points of contact, NIS Cooperation Group

Chapter III — CooperationArticles 14–19: CSIRTs network, EU-CyCLONe, ENISA cooperation, peer reviews, mutual assistance

Chapter IV — Risk management and reportingArticles 20–25: management-body duties, Article 21 measures, Article 23 reporting, registries, vulnerability disclosure

Chapter V — Jurisdiction and registrationArticles 26–28: jurisdiction, ENISA registry of digital-infrastructure entities, database of DNS / TLD / cloud providers

Chapter VI — Information sharingArticles 29–30: voluntary information-sharing arrangements and notifications

Chapter VII — Supervision and enforcementArticles 31–37: supervisory measures, sanctions, fines, mutual assistance between authorities

Chapter VIII — Final provisionsArticles 38–46: Committee procedure, transposition (Art 41), repeal of the 2016 NIS Directive (Art 44), entry into force

The four chapters most operationally relevant to in-scope entities are Chapter IV (risk management and reporting), Chapter V (jurisdiction and registration), Chapter VI (voluntary information sharing), and Chapter VII (supervision and enforcement). See the dedicated spokes below for each.

How to operationalize NIS2 in Modulos

Modulos models NIS2 as two complementary framework objects:

Framework	Project type	Focus	Requirement count
OFF-15 (`NIS2 (org)`)	Organization	Scope and classification, management-body duties, Article 21 governance, Article 23 reporting, supervisory duties	28 (`ORF-333` to `ORF-360`)
MFF-15 (`NIS2 (app)`)	AI application	AI-service operational execution, reporting workflows, covered-entity overlays	18 (`MRF-275` to `MRF-292`)

The split keeps board-level governance duties separate from per-service operational evidence, which is the same separation NIS2 itself draws between management-body accountability (Article 20) and entity-level technical implementation (Article 21).

A typical setup:

Requirements — each NIS2 obligation (e.g. Article 21(2)(d) supply-chain security; Article 23(4)(a) 24-hour early warning) is recorded as a requirement on the relevant project. Fulfilment is tracked through a two-state lifecycle (Not fulfilled → Fulfilled, with optional Out of scope).
Controls — implemented measures (e.g. SBOM tooling, vendor due-diligence policy, MFA rollout) are documented as named controls and mapped to one or more requirements. Controls move through their own lifecycle and can be put through a review request when a status change is proposed.
Evidence — design documents, risk-assessment artefacts, incident-response runbooks, training records, and supplier reviews are recorded once and linked to multiple controls.
Readiness + fulfilment attestation — a requirement becomes ready for review once all linked controls are in a final state. The requirement owner then attests that the obligation is satisfied for the project scope by marking the requirement fulfilled, with the rationale captured in the requirement's comments and logs.
Reporting workflows — Article 23 staged reporting (24 hour / 72 hour / final / progress) is tracked through requirements and evidence. Modulos does not provide a dedicated incident-reporting UI surface; staged reports and authority notices are stored as evidence against the relevant Article 23 requirement.

See Operationalizing in Modulos for the practical rollout sequence.

Cross-framework mapping (preview)

NIS2 area	ISO/IEC 27001:2022 (Amd 1:2024)	ISO/IEC 27002:2022	DORA (Regulation (EU) 2022/2554)	EU AI Act (Regulation (EU) 2024/1689)
Article 20 management-body duties	Clauses 5.1 (leadership and commitment), 5.3 (roles and responsibilities)	A.5.2 information security roles and responsibilities	Article 5 (governance and organisation)	Article 26 (deployer obligations), Article 14 (human oversight design) where applicable
Article 21 cybersecurity measures	Clauses 6.1 (risk treatment), 8 (operation), Annex A	Several Annex A controls in 5.x–8.x	Article 6 (ICT risk-management framework), Implementing acts 2024/1774	Article 15 (accuracy, robustness, cybersecurity) for high-risk AI
Article 23 incident reporting	Clause 8.3 / Annex A.5.24 information security incident management	A.5.24 (planning), A.5.25 (assessment)	Articles 17–19 plus Delegated Regulation 2025/301 (RTS on content and time limits) and Implementing Regulation 2025/302 (ITS on forms and templates)	Article 73 (serious incident reporting for high-risk AI providers)
Article 21(2)(d) supply-chain security	Clauses 8.1 (operational planning)	A.5.19 (information security in supplier relationships), A.5.21 (managing information security in the ICT supply chain)	Articles 28–30 plus 2024/1773 (TPP policy RTS) and 2025/532 (subcontracting RTS)	Article 25 (value-chain responsibility and provider reclassification)
Articles 32–37 supervision	(Not directly mapped)	(Not directly mapped)	Articles 50–57 (competent authorities)	Articles 70–99 (governance, surveillance, penalties)

Cross-framework references are conditional on entity classification, sectoral scope, and applicable obligations. For the pairwise treatment with DORA see NIS2 vs DORA; for the full hub see framework comparison.

Scope and applicability

Article 2 scope, Article 3 essential / important classification, manual scoping, NIS2 Scope tags

Cybersecurity measures (Article 21)

The ten Article 21(2) categories quoted verbatim, with implementation discipline and Modulos requirement mapping

Incident reporting (Article 23)

24-hour early warning, 72-hour notification, intermediate, final, and progress reports — verbatim timelines and significance test

Operationalizing in Modulos

Practical rollout sequence for OFF-15 and MFF-15

NIS2 vs DORA comparison

Where each applies, sector-specific Union legal act interaction under NIS2 Article 4, incident-reporting coordination

Source attribution

Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS2) is published in the Official Journal of the European Union L 333, 27.12.2022, pp. 80–152. Commission Implementing Regulation (EU) 2024/2690 of 17 October 2024 specifies technical and methodological requirements for cybersecurity risk-management measures for the digital-infrastructure entity types listed in its Article 1.

Disclaimer

This page is for general informational purposes and does not constitute legal advice. NIS2 takes effect in each Member State through national transposing law; binding obligations and supervisory authorities are determined by that national law. For binding interpretation in your jurisdiction, consult the published EUR-Lex text, the relevant ISO/IEC standards, and qualified counsel.

Comparison

EU AI Act

Commission guidance

ISO Standards

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIST AI RMF

GDPR (EU)

NIS2 (EU)

DORA (EU)

OWASP for AI Security

UAE AI Ethics

MAS FEAT

Microsoft Supplier DPR

NIS2 Directive (EU) 2022/2555

Quick decision

TL;DR

What NIS2 changes from the original NIS Directive

Entity scope at a glance

NIS2 structure

How to operationalize NIS2 in Modulos

Cross-framework mapping (preview)

Source attribution

Commission guidance

ISO/IEC 42001

ISO/IEC 27001

ISO/IEC 27701

NIS2 Directive (EU) 2022/2555 ​

Quick decision ​

TL;DR ​

What NIS2 changes from the original NIS Directive ​

Entity scope at a glance ​

NIS2 structure ​

How to operationalize NIS2 in Modulos ​

Cross-framework mapping (preview) ​

Related pages ​

Source attribution ​

NIS2 Directive (EU) 2022/2555

Quick decision

TL;DR

What NIS2 changes from the original NIS Directive

Entity scope at a glance

NIS2 structure

How to operationalize NIS2 in Modulos

Cross-framework mapping (preview)

Related pages

Source attribution