The NIS2 Directive (EU 2022/2555) is the backbone of European cybersecurity regulation. It applies to entities in 18 sectors, split between Annex I (sectors of high criticality, 11 sectors) and Annex II (other critical sectors, 7 sectors), provided they are at least medium-sized under Recommendation 2003/361/EC (50 or more employees, or turnover and balance sheet total both above €10M); certain types (DNS service providers, TLD registries, trust service providers, public electronic communications providers, central public administrations) are covered regardless of size. Large Annex I entities are essential entities; the other in-scope entities are, as a rule, important entities. Fines reach at least €10 million or 2% of worldwide turnover for essential entities and €7 million or 1.4% for important ones, whichever is higher, and management bodies can be held personally liable. The transposition deadline expired on 17 October 2024; several Member States (including Spain) were referred to the CJEU for delays. Even where transposition is incomplete, the obligations are enforceable from the moment national rules take effect.
What the NIS2 Directive is (Directive (EU) 2022/2555)
NIS2 is Directive (EU) 2022/2555 of the European Parliament and of the Council of 14 December 2022 on measures for a high common level of cybersecurity across the Union. It repeals the 2016 NIS Directive (Directive (EU) 2016/1148, "NIS1") and entered into force on 16 January 2023.
Unlike a Regulation (such as DORA), a Directive is not directly applicable: each Member State must transpose it into its national legal order. NIS2 set the transposition deadline at 17 October 2024.
The stated objective is to raise the minimum cybersecurity level in the EU in a harmonised way, expanding the regulated sectors, tightening technical and governance measures and unifying incident notification deadlines.
Directive timeline
| Milestone | Date |
|---|---|
| Approval by European Parliament and Council | 14 Dec 2022 |
| Publication in OJEU | 27 Dec 2022 |
| Entry into force | 16 Jan 2023 |
| National transposition deadline | 17 Oct 2024 |
| Date national obligations had to be fully applicable | 18 Oct 2024 |
| European Commission infringement procedures | 2024-2025 (several Member States delayed) |
| First periodic Directive review by the Commission | 17 Oct 2027 |
Transposition status by EU country (May 2026 summary)
| State | Transposition status |
|---|---|
| Germany | Transposed (NIS2UmsuCG) |
| France | Transposed (loi de résilience opérationnelle numérique) |
| Italy | Transposed (Legislative Decree 138/2024) |
| Netherlands | Transposed (Cyberbeveiligingswet) |
| Belgium | Transposed (loi NIS2) |
| Spain | Partially transposed (Royal Decree-Law 7/2025 + bill in parliamentary process) |
| Portugal | In process |
| Poland | Transposed |
| Nordic countries | Mostly transposed |
| Others | States with specific delays referred to the CJEU |
Verify the current status against the national transposition measures listed for the Directive on EUR-Lex and ENISA's publications before taking operational decisions; the table above is a point-in-time summary.
Scope of application: sectors and thresholds
NIS2 works with two combined criteria:
- Sector (fit in Annexes I or II)
- Size (medium-sized or larger under Recommendation 2003/361/EC: at least 50 employees, or annual turnover and balance sheet total both above €10M)
If both hold, NIS2 applies to you. The size test is waived for the entity types listed under "Size criteria and exceptions" below.
Annex I: Sectors of high criticality (11 sectors; large entities here are essential, medium-sized ones important)
| Sector | Subsectors |
|---|---|
| Energy | Electricity, district heating and cooling, oil, gas, hydrogen |
| Transport | Air, rail, maritime and inland waterway, road |
| Banking | Credit institutions |
| Financial markets | Trading venues, central counterparties |
| Health | Healthcare providers, reference laboratories, manufacturing of basic pharmaceutical products, manufacturing of critical medical devices |
| Drinking water | Supply and distribution |
| Wastewater | Collection, disposal or treatment |
| Digital infrastructure | IXP providers, DNS, TLD registries, cloud, data centers, content delivery networks (CDN), trust services, public communication networks |
| B2B ICT services management | Managed service providers (MSP), managed security service providers (MSSP) |
| Public administration | Central and regional administration entities (with national security exceptions) |
| Space | Operators of ground-based infrastructures |
Annex II: Other critical sectors (7 sectors; in-scope entities here are important)
| Sector | Subsectors |
|---|---|
| Postal and courier services | Postal service providers, including courier service providers |
| Waste management | Collection, transport, recovery, disposal |
| Chemicals | Manufacturing, production, distribution |
| Food production, processing and distribution | Food businesses engaged in wholesale distribution and industrial production and processing |
| Manufacturing | Medical devices and in vitro diagnostics, computers and electronics, electrical equipment, other machinery, motor vehicles and components, other transport equipment |
| Digital providers | Online marketplaces, search engines, social network service platforms |
| Research | Research organisations |
Size criteria and exceptions
General rule (Recommendation 2003/361/EC, Annex, Article 2):
- Small enterprise: fewer than 50 employees and annual turnover or balance sheet total not exceeding €10M. Out of scope unless one of the exceptions below applies.
- Medium enterprise: not small, fewer than 250 employees, and annual turnover not exceeding €50M or balance sheet total not exceeding €43M.
- Large enterprise: 250 or more employees, or annual turnover above €50M and balance sheet total above €43M.
Note the conjunction: an entity that exceeds only one of the two financial ceilings stays in the lower size class. Staff and financial figures are consolidated with partner and linked enterprises (Recommendation Annex, Article 6), so a small subsidiary of a large group can count as large.
NIS2 applies to medium-sized and large entities in the listed sectors. Large Annex I entities are essential entities; medium-sized Annex I entities and all Annex II entities are important entities (Article 3).
Exceptions bringing entities below the threshold into scope (Article 2(2)-(3)):
- Providers of public electronic communications networks or publicly available electronic communications services (essential if at least medium-sized, otherwise important).
- Trust service providers (qualified providers are essential, non-qualified ones important).
- TLD name registries and DNS service providers (essential), and domain name registration service providers.
- The sole provider in a Member State of a service essential for critical societal or economic activities.
- Entities whose disruption could significantly affect public safety, security or health, induce a significant systemic risk (in particular cross-border), or that are critical because of their importance at national or regional level.
- Public administration entities of central government (essential); regional entities where the Member State so decides.
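The sector-plus-size test above is easy to misread (medium-sized Annex I entities are important, not essential; exceeding only one financial ceiling does not change size class). The following scope check, an added example rather than code from the article or from any authority, encodes Articles 2 and 3 together with the size test of Recommendation 2003/361/EC so the classification can be reproduced for a given entity. The sector keys, the entity_type labels ("dns_provider", "tld_registry", "qualified_tsp", "tsp", "public_ecomms") and the designated_as input are this example's own; figures must already be consolidated for partner and linked enterprises, national designations under Article 2(2)(b)-(e) are taken as an input, and Article 2(3)-(5) (domain name registration, CER critical entities, former NIS1 operators) are not modelled.

```python
"""NIS2 scope check: Articles 2-3 of Directive (EU) 2022/2555 as a decision procedure.

Added example, not code from the original article or from any authority. It
encodes the size test of Recommendation 2003/361/EC (Annex, Art. 2) and the
Annex I / Annex II split, plus the size-independent carve-outs of Art. 2(2)(a)
and 2(2)(f). Sector keys and entity_type strings are this example's own labels.
Simplifications: pass figures already consolidated for partner/linked
enterprises (Recommendation Annex, Art. 6); national designations under
Art. 2(2)(b)-(e) are an input; Art. 2(3)-(5) are not modelled.
"""
from dataclasses import dataclass
from typing import Optional

ANNEX_I = {  # sectors of high criticality
    "energy", "transport", "banking", "financial_markets", "health",
    "drinking_water", "wastewater", "digital_infrastructure",
    "ict_service_management", "public_administration", "space",
}
ANNEX_II = {  # other critical sectors
    "postal", "waste", "chemicals", "food", "manufacturing",
    "digital_providers", "research",
}


@dataclass
class Entity:
    name: str
    sector: str                 # one of the ANNEX_I / ANNEX_II keys
    employees: int
    turnover_meur: float        # annual turnover, EUR million (consolidated)
    balance_sheet_meur: float   # annual balance sheet total, EUR million (consolidated)
    # Example-specific labels for the types covered regardless of size:
    # "dns_provider", "tld_registry", "qualified_tsp", "tsp", "public_ecomms"
    entity_type: Optional[str] = None
    central_government: bool = False     # Art. 2(2)(f)(i)
    designated_as: Optional[str] = None  # Member State designation under
                                         # Art. 2(2)(b)-(e): "essential" / "important"


def size_class(e: Entity) -> str:
    """Recommendation 2003/361/EC, Annex Art. 2.

    large  : >= 250 staff, or turnover > 50M AND balance sheet > 43M
    medium : not large and (>= 50 staff, or turnover > 10M AND balance sheet > 10M)
    small  : everything else (micro and small enterprises)
    Note the AND: exceeding only one of the two financial ceilings is not enough.
    """
    if e.employees >= 250 or (e.turnover_meur > 50 and e.balance_sheet_meur > 43):
        return "large"
    if e.employees >= 50 or (e.turnover_meur > 10 and e.balance_sheet_meur > 10):
        return "medium"
    return "small"


def classify(e: Entity) -> str:
    """Return 'essential', 'important' or 'out_of_scope' (Art. 2(1)-(2), Art. 3)."""
    if e.sector not in ANNEX_I and e.sector not in ANNEX_II:
        return "out_of_scope"  # not a type referred to in Annex I or II
    size = size_class(e)

    # Art. 2(2)(a)(ii)-(iii) with Art. 3(1)(b): in scope and essential at any size
    if e.entity_type in {"dns_provider", "tld_registry", "qualified_tsp"}:
        return "essential"
    # Art. 2(2)(a)(ii): non-qualified trust service providers are in scope at any
    # size but fall under Art. 3(2), i.e. important
    if e.entity_type == "tsp":
        return "important"
    # Art. 2(2)(a)(i) with Art. 3(1)(c): public e-comms providers are in scope at
    # any size; essential only when at least medium-sized
    if e.entity_type == "public_ecomms":
        return "essential" if size != "small" else "important"
    # Art. 2(2)(f)(i) with Art. 3(1)(d): central government entities are essential
    if e.sector == "public_administration" and e.central_government:
        return "essential"
    # Small entities are out of scope unless the Member State designated them
    # (Art. 2(2)(b)-(e)); the designation decides essential vs important
    if size == "small":
        return e.designated_as or "out_of_scope"
    # General rule: large Annex I entities are essential (Art. 3(1)(a)); medium
    # Annex I entities and all Annex II entities are important (Art. 3(2))
    if e.sector in ANNEX_I and size == "large":
        return "essential"
    return "important"


if __name__ == "__main__":
    # Constructed sample entities (not real organisations)
    for ent in (
        Entity("Regional hospital", "health", 180, 30.0, 25.0),
        Entity("Grid operator", "energy", 400, 120.0, 300.0),
        Entity("Small DNS operator", "digital_infrastructure", 12, 2.0, 1.5,
               entity_type="dns_provider"),
        Entity("Boutique MSSP", "ict_service_management", 40, 15.0, 12.0),
        Entity("Local bakery chain", "food", 30, 8.0, 4.0),
    ):
        print(f"{ent.name:20} {size_class(ent):7} -> {classify(ent)}")
```

Running the sample shows the two points practitioners most often get wrong: the 180-person hospital (Annex I, medium-sized) is an important entity, not an essential one, and the 40-person MSSP is medium-sized because both its turnover and balance sheet exceed €10M, whereas a 40-person chemicals firm with high turnover but a small balance sheet stays small and out of scope unless designated.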
Sanctioning regime
NIS2 introduces a sanctioning regime considerably stricter than NIS1's, with harmonised minimum levels for the maximum fines across Member States.
Maximum fines
| Category | Maximum fine |
|---|---|
| Essential entities | At least €10 million or 2% of the total worldwide annual turnover of the previous financial year, whichever is higher (Member States may set higher maxima) |
| Important entities | At least €7 million or 1.4% of the total worldwide annual turnover of the previous financial year, whichever is higher (Member States may set higher maxima) |
Important: the percentage is calculated on the worldwide turnover of the undertaking to which the entity belongs (Article 34), not only on the infringing entity nor only on its European activity.
Other sanctioning consequences
In addition to economic fines, authorities can (Articles 32 to 34):
- Temporarily suspend certifications or authorisations for the services concerned (essential entities only, after earlier enforcement measures have failed)
- Temporarily prohibit natural persons with management responsibility, at CEO or legal representative level, from exercising management functions (essential entities only)
- Order publication of the infringement, with reputational effect
- Impose periodic penalty payments until effective compliance, where national law provides for them
Personal liability of directors
Article 20 requires the management body to approve the cybersecurity risk-management measures, oversee their implementation and follow training, and provides that its members can be held liable for the entity's infringements of Article 21. In practice that exposes directors for:
- Inadequate approval of risk management measures
- Lack of supervision over the execution of measures
- Failure to follow cybersecurity training themselves
Whether D&O cover responds depends on national transposition and policy wording, so it cannot be assumed. This is one of the most consequential changes and forces boards to document their cybersecurity due diligence in a traceable way.
Relevant public cases
As of May 2026, the first NIS2 sanctions are starting to be published in Member States with early transposition. Germany has opened proceedings against several entities for failure to notify incidents on time. France has issued formal warnings on entities without minimum measures in place. Italy has initiated sectoral inspections on regional public administrations.
Spain, with pending transposition, hasn't yet issued formal sanctions, but INCIBE-CERT inspections are already underway under RD-Law 7/2025.
Essential obligations
Although the complete guide to obligations sits in the NIS2 Spain piece, the core is:
- Governance framework approved and supervised by the management body, with specific board training.
- Live risk analysis reviewed at least annually.
- Ten mandatory areas of Article 21(2): policies on risk analysis and information system security; incident handling; business continuity, backup, disaster recovery and crisis management; supply chain security; security in acquisition, development and maintenance including vulnerability handling and disclosure; procedures to assess the effectiveness of measures; basic cyber hygiene and training; cryptography and encryption; HR security, access control and asset management; MFA or continuous authentication and secured voice, video, text and emergency communications.
- Notification of significant incidents (Article 23): early warning within 24 hours, incident notification within 72 hours, final report within one month, with intermediate status reports on request.
- Active ICT supply chain management.
- Effectiveness assessment through audits and technical testing.
Frequently asked questions
Does NIS2 apply to non-EU companies?
Yes, if they offer services within the EU in an in-scope sector. Under Article 26, entities not established in the EU that provide DNS, TLD registry, domain name registration, cloud, data centre, CDN, MSP/MSSP, online marketplace, search engine or social networking services must designate a representative in a Member State where they offer services, and are deemed to fall under that State's jurisdiction.
Does NIS2 apply retroactively?
No. It applies to incidents and obligations from its national entry into force. But the sanctioning regime can review prior practices as evidence of continued lack of diligence.
What happens if my provider fails to comply?
Your obligation under article 21 letter d is to manage supply chain risk. If the provider fails and it affects you, you can be sanctioned for lack of diligence in their selection and oversight, not for the provider's breach itself.
Can fines be combined with GDPR?
Partly. A single incident involving personal data is supervised under both frameworks by different authorities, and both sets of obligations (notification timelines, measures) apply independently. However, Article 35 of NIS2 requires the NIS2 competent authority to inform the data protection authority when an infringement may involve a personal data breach, and bars a NIS2 fine under Article 34 for behaviour that has already been fined under Article 58(2)(i) GDPR. Fines for distinct failures (for example a missed 24-hour early warning) and the non-financial NIS2 measures remain possible.
How do I prove diligence in an inspection?
By keeping up-to-date evidence: board minutes, signed risk analyses, incident and notification records, audit and pentesting results, training plan with attendance, contracts with clauses, periodic provider evaluations. See NIS2 audit step by step.
What do I do if my country hasn't transposed yet?
Obligations derived from RD-Law 7/2025 are already enforceable in Spain. Additionally, European clients will demand NIS2-equivalent measures from you contractually, without waiting for full transposition. The operational strategy: prepare as if full transposition were in force.
Are Spanish public administrations under NIS2 or ENS?
Both. ENS (Royal Decree 311/2022) is the specific national framework; NIS2 is the European framework. The regulatory trend is to integrate both: complying with ENS High covers a good portion of NIS2 for public administrations, but additional obligations remain (harmonised notification, specific board training, supply chain).
Align your organisation with the NIS2 Directive at Secra
At Secra we perform multi-jurisdictional NIS2 applicability analyses, evaluation against article 21 and an adequacy plan with roadmap.
→ Learn about our NIS2 compliance service
→ Request an initial conversation, no commitment
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.