Complete guide to the NIS2 Directive — the EU's strengthened cybersecurity framework for essential and important entities, with fines up to €10M or 2% of global turnover.
The NIS2 Directive (EU) 2022/2555 is the European Union's updated network and information security directive, replacing the original NIS Directive of 2016. It significantly broadens the scope and strengthens cybersecurity requirements for organisations operating across 18 critical sectors in the EU. NIS2 mandates comprehensive cyber risk management measures, imposes a 24-hour early warning obligation for significant incidents followed by full notification within 72 hours, and requires supply chain security assessments. It introduces personal accountability for senior management. Member States were required to transpose the directive into national law by 17 October 2024, affecting over 160,000 organisations.
Two categories of entities across 18 sectors. Classification depends on both sector and size (Article 3): large enterprises in the Annex I high-criticality sectors (energy, transport, banking, healthcare, water, digital infrastructure, among others) are essential entities, while medium-sized enterprises in those sectors and entities in the Annex II sectors (postal, waste, chemicals, food, manufacturing, digital providers) are generally important entities. The directive generally captures organisations with 50 or more employees or more than €10M in annual turnover or balance sheet total, with certain providers (such as DNS service providers and TLD name registries) in scope regardless of size.
Key articles:
Article 2: Scope
Article 3: Essential and important entities
Article 4: Sector-specific Union legal acts
Article 20: Governance
Article 21: Cybersecurity risk-management measures
Article 23: Reporting obligations
Article 24: Use of European cybersecurity certification schemes
Transposition deadline: 17 Oct 2024. All EU Member States had to adopt and publish the national measures transposing NIS2 (Article 41).
Enforcement begins: 18 Oct 2024. Member States apply the transposed measures from this date, and organisations must comply with their national legislation. Several Member States missed the transposition deadline, so the exact obligations and timelines that bind a given entity depend on the state of transposition in each Member State where it operates.
Essential entities: maximum fines of at least €10M or 2% of total worldwide annual turnover, whichever is higher. Important entities: at least €7M or 1.4% of total worldwide annual turnover, whichever is higher. Beyond financial penalties, members of management bodies can be held liable for infringements, and for essential entities supervisory authorities can temporarily bar the persons responsible at CEO or legal-representative level from exercising managerial functions.
NIS2 distinguishes between two categories of entities, essential and important, with different supervisory regimes and enforcement approaches: essential entities are subject to proactive (ex ante) supervision and higher fine ceilings, while important entities are supervised reactively (ex post), after evidence or an indication of non-compliance.
Article 21 of NIS2 specifies a comprehensive list of cybersecurity measures that essential and important entities must implement.
NIS2 introduces strict, phased incident reporting timelines (Article 23) that apply to all essential and important entities. For a significant incident, the entity must submit an early warning to its CSIRT or competent authority within 24 hours of becoming aware of it, an incident notification with an initial assessment within 72 hours, intermediate updates on request, and a final report no later than one month after the incident notification.
NIS2 introduces a significant new requirement: accountability of senior management for cybersecurity failures. Under Article 20, management bodies must approve the risk-management measures of Article 21, oversee their implementation, and undergo cybersecurity training, and they can be held liable for the entity's infringements of those obligations.
Law4Devs provides all 46 NIS2 articles as structured JSON sourced verbatim from EUR-Lex. Filter by entity type, sector, obligation category, and timeline. Cross-reference with GDPR, DORA, and CRA for overlapping obligations.
GET /v1/frameworks/nis2/articles → 200 OK · structured JSON · official EUR-Lex source
NIS2 (Directive EU 2022/2555) is the European Union's updated network and information security directive, replacing the original NIS Directive of 2016. Containing 46 articles and 144 recitals, NIS2 significantly broadens the scope and strengthens cybersecurity requirements for organisations operating across 18 critical sectors in the EU. It introduces a clear distinction between essential entities, typically large enterprises in high-criticality sectors such as energy, transport, banking, healthcare, water supply, and digital infrastructure, and important entities, which include medium-sized enterprises in those sectors and entities in sectors such as postal services, waste management, chemicals, food production, and manufacturing. NIS2 mandates comprehensive cyber risk management measures, imposes a 24-hour early warning obligation for significant incidents followed by a full incident notification within 72 hours and a final report within one month, and requires supply chain security assessments. Member States were required to transpose the directive into national law by 17 October 2024. The directive affects an estimated 160,000 or more organisations across the EU. Law4Devs provides all 46 NIS2 articles as structured JSON, filterable by entity type, sector, and obligation category.
NIS2 Directive EU 2022/2555 applies to two categories of entities across 18 sectors. Annex I lists the sectors of high criticality: energy (electricity, district heating and cooling, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (DNS, TLD registries, cloud computing, data centres, and others), ICT service management (business-to-business), public administration, and space. Annex II lists the other critical sectors: postal and courier services, waste management, chemicals, food production, processing and distribution, manufacturing of medical devices, computers, electronics, machinery, and motor vehicles, digital providers such as online marketplaces, search engines, and social networking platforms, and research organisations. Whether an entity is essential or important is determined by Article 3 from its sector and size: large enterprises in Annex I sectors are essential, and most other in-scope entities are important. The directive generally captures organisations with 50 or more employees or an annual turnover or balance sheet total exceeding €10 million. Certain entities are in scope regardless of size (for example DNS service providers, TLD name registries, and qualified trust service providers), and Member States may designate smaller entities where they are the sole provider of a service or where disruption could have a significant impact. Law4Devs lets you query NIS2 by sector and entity classification to identify exactly which articles apply to your organisation.
Under NIS2 Directive EU 2022/2555, fines differ based on entity classification. Essential entities face maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever amount is higher. Important entities face fines of at least €7 million or 1.4% of global annual turnover, whichever is higher. Beyond financial penalties, NIS2 introduces accountability for senior management: members of management bodies can be held liable for the entity's failure to comply with the cybersecurity risk-management obligations of Article 21. For essential entities, supervisory authorities may also temporarily prohibit the persons responsible at CEO or legal-representative level from exercising managerial functions (Article 32). Member States may also issue binding instructions, order security audits, and publicly disclose non-compliance. These enforcement provisions are significantly stronger than those of the original NIS Directive, which required Member States to lay down effective, proportionate and dissuasive penalties but set no minimum fine levels. Law4Devs structures all NIS2 enforcement and penalty articles as queryable JSON, enabling compliance teams to assess risk exposure by entity type.
Law4Devs provides the full text of all 46 articles of NIS2 Directive EU 2022/2555 as structured, machine-readable JSON via a REST API, sourced directly from EUR-Lex. Engineering and compliance teams can query NIS2 articles filtered by entity classification (essential or important), specific sector (energy, healthcare, transport, digital infrastructure, and 14 more), obligation type (risk management, incident reporting, supply chain security, governance), and timeline. Each API response includes the complete legal text, article metadata, semantic tags identifying whether a provision imposes an obligation, defines a scope, or establishes a penalty, and cross-references to related articles in GDPR, DORA, CRA, and other overlapping frameworks. The API tracks EUR-Lex amendments automatically, so integrations always reflect the latest consolidated text. Responses average 34 milliseconds, suitable for embedding in GRC dashboards, CI/CD compliance gates, or internal audit tools. Official SDKs are available for Python, TypeScript, Java, Rust, PHP, and Dart.
All articles, recitals, and amendments — queryable, filterable, and always up to date.