The NIS 2 Directive (Network and Information Security Directive 2) significantly expands the EU’s cybersecurity requirements, covering more sectors and imposing stricter risk management, incident reporting, and governance obligations. It replaces the original NIS Directive.
NIS 2 is mandatory across the EU. Non-compliance can result in fines up to €10 million or 2% of global turnover for essential entities. Senior management can be held personally liable for negligence.

Who needs NIS 2 compliance?

NIS 2 applies to medium and large organizations in 18 sectors:

Essential entities

Energy, transport, banking, financial market infrastructure, health, drinking water, digital infrastructure, ICT service management, public administration, and space.

Important entities

Postal services, waste management, chemicals, food production, manufacturing, digital providers, and research.

Key requirements

Requirement            Description
Risk Management        Implement technical, operational, and organizational cybersecurity measures
Incident Reporting     24-hour early warning, 72-hour notification, 1-month final report
Supply Chain Security  Assess and manage cybersecurity risks in your supply chain
Governance             Senior management must approve and oversee cybersecurity measures
Business Continuity    Backup management, disaster recovery, and crisis management
Training               Regular cybersecurity training for management and staff

How DSALTA helps

  • NIS 2 controls mapped to all directive requirements
  • Incident response documentation and reporting templates
  • Supply chain risk management through vendor scoring
  • Governance documentation for management accountability
  • Cross-framework mapping — ~80% overlap with ISO 27001, significant overlap with DORA

Frequently asked questions

NIS 2 applies to organizations providing services or conducting activities within the EU, regardless of where they are headquartered. If you serve EU customers in covered sectors, you may be in scope.
There is approximately 80% overlap. Organizations with ISO 27001 certification have a strong foundation for NIS 2 compliance, but need to address additional requirements like incident reporting timelines and supply chain security.
Yes. NIS 2 allows member states to hold management personally liable for gross negligence in cybersecurity oversight.