The NIS2 Directive (EU) 2022/2555 strengthens cybersecurity requirements for essential and important entities across the EU, with fines of up to €10M or 2% of global turnover and liability for management.
Focus: Critical infrastructure, incident reporting, supply chain security, management accountability
Article 2 — Scope
Article 3 — Essential Entities
Article 4 — Important Entities
Article 20 — Security Requirements
Article 21 — Incident Reporting
Article 23 — Supply Chain Security
Article 24 — Management Accountability
GET /v1/frameworks/nis2/articles → 200 OK · structured JSON · official source
NIS2 (Directive EU 2022/2555) is the European Union's updated network and information security directive, replacing the original NIS Directive of 2016. Containing 46 articles and 144 recitals, NIS2 significantly broadens the scope and strengthens cybersecurity requirements for organisations operating across 18 critical sectors in the EU. It introduces a clear distinction between essential entities, such as energy, transport, banking, healthcare, water supply, and digital infrastructure, and important entities, including postal services, waste management, chemicals, food production, and manufacturing. NIS2 mandates comprehensive cyber risk management measures, imposes a 24-hour early warning obligation for significant incidents followed by a full incident notification within 72 hours, and requires supply chain security assessments. Member States were required to transpose the directive into national law by 17 October 2024. The directive affects over 160,000 organisations across the EU. Law4Devs provides all 46 NIS2 articles as structured JSON, filterable by entity type, sector, and obligation category.
NIS2 Directive EU 2022/2555 applies to two categories of entities across 18 sectors. Essential entities operate in sectors of high criticality: energy (electricity, oil, gas, hydrogen), transport (air, rail, water, road), banking, financial market infrastructure, healthcare, drinking water, wastewater, digital infrastructure (DNS, TLD registries, cloud computing, data centres), ICT service management, public administration, and space. Important entities cover sectors including postal and courier services, waste management, chemicals, food production and distribution, manufacturing of medical devices, computers, electronics, machinery, and motor vehicles, as well as digital providers such as online marketplaces, search engines, and social networking platforms. The directive generally captures organisations with 50 or more employees or annual turnover exceeding €10 million. Member States may also designate smaller entities as in scope where they pose systemic risks. Law4Devs lets you query NIS2 by sector and entity classification to identify exactly which articles apply to your organisation.
Under NIS2 Directive EU 2022/2555, fines differ based on entity classification. Essential entities face maximum administrative fines of at least €10 million or 2% of total worldwide annual turnover of the preceding financial year, whichever amount is higher. Important entities face fines of at least €7 million or 1.4% of global annual turnover, whichever is higher. Beyond financial penalties, NIS2 introduces personal accountability for senior management — company directors and officers can be held personally liable for failures to ensure adequate cybersecurity risk management measures. Supervisory authorities may impose temporary bans on individuals exercising managerial functions. Member States may also issue binding instructions, order security audits, and publicly disclose non-compliance. These enforcement provisions are significantly stronger than the original NIS Directive, which left penalty determination entirely to Member States. Law4Devs structures all NIS2 enforcement and penalty articles as queryable JSON, enabling compliance teams to assess risk exposure by entity type.
Law4Devs provides the full text of all 46 articles of NIS2 Directive EU 2022/2555 as structured, machine-readable JSON via a REST API, sourced directly from EUR-Lex. Engineering and compliance teams can query NIS2 articles filtered by entity classification (essential or important), specific sector (energy, healthcare, transport, digital infrastructure, and 14 more), obligation type (risk management, incident reporting, supply chain security, governance), and timeline. Each API response includes the complete legal text, article metadata, semantic tags identifying whether a provision imposes an obligation, defines a scope, or establishes a penalty, and cross-references to related articles in GDPR, DORA, CRA, and other overlapping frameworks. The API tracks EUR-Lex amendments automatically, so integrations always reflect the latest consolidated text. Responses average 34 milliseconds, suitable for embedding in GRC dashboards, CI/CD compliance gates, or internal audit tools. Official SDKs are available for Python, TypeScript, Java, Rust, PHP, and Dart.