NIS2

160,000 EU Organizations Face October Deadlines as Implementation Accelerates

Essential entities face €10M fines while management gains personal liability. Sector-by-sector compliance status analysis.

Sofiane Hamlaoui · March 29, 2026 · 7 min read

NIS2 Scope and Implementation Status

The NIS2 Directive (EU 2022/2555) applies to an estimated 160,000+ organizations across 18 sectors: the 11 high-criticality sectors of Annex I and the 7 other critical sectors of Annex II. Member states had until October 17, 2024 to transpose the directive into national law. Several states transposed late, so the obligations and penalties below take effect through each state's implementing act, and the exact dates and competent authorities differ by country (see National Implementation Variations below).

Key figures:

  • 160K+ organizations in scope (+180%)
  • 18 critical sectors (+125%)
  • €10M maximum fine for essential entities (or 2% of worldwide annual turnover, whichever is higher, Article 34(4))
  • €7M maximum fine for important entities (or 1.4% of worldwide annual turnover, whichever is higher, Article 34(5))

[Chart: NIS2 Coverage by Sector Category]

Entity Classification Thresholds

NIS2 distinguishes between Essential and Important entities based on size and sector. Essential entities face ex-ante supervision (audits and inspections can happen at any time) and the higher penalty ceiling, while Important entities are supervised ex-post (after evidence of non-compliance) and face slightly reduced obligations but remain fully in scope. Size is assessed under the EU SME definition (Recommendation 2003/361/EC): an entity counts as large if it has 250 or more staff, or exceeds both the turnover and balance-sheet ceilings.

Category               Employees   Turnover     Balance sheet   Sector
Essential              250+        €50M+        €43M+           Annex I
Important              50-249      €10M-€50M    ≤ €43M          Annex I / Annex II
In scope at any size   any         any          any             DNS service providers, TLD name registries, trust service providers, public electronic communications providers (Article 2(2))

[Table: NIS2 Entity Classification Criteria]

Management Liability

Article 20 requires the management body to approve the cybersecurity risk-management measures, oversee their implementation, and follow training; management body members can be held liable for infringements. Article 32(5) adds, for essential entities, sanctions aimed at individuals: a temporary prohibition on exercising management functions (including at CEO or legal representative level) and public identification of the natural persons responsible, a first for EU cybersecurity law.

Incident Reporting Timeline

NIS2 establishes incident reporting deadlines measured in hours, not days. Article 23 requires three submissions to the national CSIRT or competent authority for every significant incident:

  • Early warning within 24 hours of becoming aware of the incident, stating whether it is suspected to be unlawful or malicious and whether it could have cross-border impact
  • Incident notification within 72 hours of becoming aware, updating the early warning with an initial assessment of severity and impact and, where available, indicators of compromise
  • Final report no later than one month after the incident notification, covering root cause, mitigations applied and cross-border impact; if the incident is still ongoing, a progress report is due instead and the final report follows within one month of handling ending

Intermediate status updates can be requested by the authority at any time, and service recipients must be informed where a significant cyber threat could affect them.

[Chart: NIS2 Incident Reporting Timeline (Hours)]

Article 21 Security Measures

Article 21(2) of NIS2 lists ten minimum risk-management measures (points (a) to (j)): risk analysis and information-system security policies; incident handling; business continuity, backup and crisis management; supply chain security; security in network and information system acquisition, development and maintenance, including vulnerability handling and disclosure; policies to assess the effectiveness of the measures; basic cyber hygiene and training; cryptography and, where appropriate, encryption; human resources security, access control and asset management; and multi-factor or continuous authentication, secured communications and emergency communication systems. The directive states these at policy level; organizations must implement them with an all-hazards approach and demonstrate compliance through documentation. The controls below are concrete implementation targets mapped to those measures; the numeric thresholds (72-hour patching, 18-month retention) are not set by the directive text, so check your national implementing act and sector guidance before treating them as hard requirements.

  • Annual risk assessments with board-approved security policy
  • Multi-factor authentication for all privileged access
  • Encryption for data at rest and in transit
  • Vulnerability management: Critical patches within 72 hours
  • Centralized logging with minimum 18-month retention
  • Supplier security assessments and contractual requirements
  • Annual security awareness training for all employees
  • Business continuity and incident response plans

Patch Management Requirements

NIS2 itself does not fix numeric patch deadlines; Article 21(2)(e) requires policies and procedures for vulnerability handling and disclosure, and Article 21(3) expects the vulnerabilities of suppliers and service providers to be taken into account. Severity-based timelines such as the following are the usual way to make that requirement auditable: critical vulnerabilities patched within 72 hours, high severity within 14 days, and medium severity within 30 days, with exceptions documented and compensating controls recorded where a patch cannot be applied in time.

[Chart: NIS2 Security Measure Implementation Status (Q1 2026)]

Sector-Specific Obligations

Tech companies fall under NIS2 if they provide ICT service management (managed service or managed security service providers, Annex I) or digital infrastructure (cloud computing, data centre, CDN, DNS, TLD registries, trust services, Annex I). SaaS providers are not a listed sector of their own; they come into scope when their service qualifies as a cloud computing service, or indirectly through the supply chain security obligations of customers in critical sectors such as banking or healthcare, who must assess and contractually bind their suppliers.

Service Type                      Annex      Likely Classification
Cloud Infrastructure (IaaS)       Annex I    Essential
Managed Security Services         Annex I    Essential
CDN Providers                     Annex I    Essential
SaaS for Banking                  Annex I    Important
SaaS for Retail                   Annex II   Important / Out of scope

[Table: Tech Company NIS2 Applicability]

DORA Overlap

Financial entities should note that DORA (Regulation (EU) 2022/2554, applicable from January 17, 2025) is lex specialis for ICT risk. Under NIS2 Article 4, where a sector-specific Union act imposes risk-management or incident-notification requirements at least equivalent to NIS2, the corresponding NIS2 provisions, including supervision and enforcement, do not apply; for banks, payment institutions and other DORA entities this means DORA's ICT risk framework and major-incident reporting replace NIS2 Articles 21 and 23. Such entities remain NIS2 entities (banking and financial market infrastructure are Annex I sectors), so anything DORA does not cover is still governed by national NIS2 law, and a group with both financial and non-financial subsidiaries has to map each obligation to the right regime.

National Implementation Variations

While NIS2 is an EU directive, member states have flexibility in how they transpose it: registration deadlines, reporting portals, sanction amounts within the EU ceilings, and the choice of single or sectoral authorities all vary. Some countries have designated specific competent authorities (such as RIA, the Estonian Information System Authority), while others are still finalizing designations, so an organization operating in several member states must track each national act separately.

Compliance Advantage

Organizations with mature cybersecurity programs report 67% lower implementation costs. Existing ISO 27001 certification covers roughly 60% of NIS2 requirements, which significantly reduces the compliance burden; the gaps to close typically lie in the 24/72-hour reporting process, management-body accountability and supply chain obligations, which ISO 27001 addresses less specifically.

Tags

#NIS2 #Cybersecurity #Critical-Infrastructure #Incident-Reporting

Need Help with Compliance?

Law4Devs provides automated compliance guidance for all major EU frameworks.