NIS2 replaces NIS1 and corrects its three big weaknesses: insufficient coverage (from "manually identified operators" to 18 sectors with automatic criteria), a weak sanctioning regime (from heterogeneous national fines to a harmonised maximum of €10M or 2% of turnover) and inconsistent notification (from variable national deadlines to harmonised European 24h/72h/1 month deadlines). The four most relevant operational changes: mandatory supply chain management, personal director liability, specific board training and mandatory effectiveness assessment. If a company was under NIS1 as an "essential service operator", it is probably now under NIS2 with more demanding obligations.
Why NIS1 fell short
The 2016 NIS Directive was the first common European cybersecurity framework. After six years of application, the European Commission identified three big weaknesses.
1. Uneven coverage between Member States
NIS1 required each country to manually identify its "essential service operators" (OES). The result was heterogeneous: some countries identified many operators; others, very few. Identical companies in identical sectors fell in or out depending on the country, and the uncertainty held back security investment.
2. Weak sanctioning regime
Fines were a national matter without minimum harmonisation. Maximum fines varied between €100,000 and several million per country, with few active enforcers and a low deterrent effect.
3. Inconsistent incident notification
Deadlines and formats varied between countries, which made coordinated European response to cross-border incidents difficult.
NIS2 addresses all three fronts with a harmonised, binding approach.
Comparison table: NIS1 vs NIS2
| Dimension | NIS1 (2016) | NIS2 (2022) |
|---|---|---|
| Rule | Directive (EU) 2016/1148 | Directive (EU) 2022/2555 |
| Coverage | Manually identified OES + Digital Service Providers (DSP) | 18 sectors with automatic criteria: 11 essential (Annex I) + 7 important (Annex II) |
| Categorisation | OES / DSP | Essential / Important |
| Minimum size | Variable by country | Harmonised: ≥50 employees or >€10M turnover |
| SME exceptions | Variable | Specific: DNS, TLDs, trust services, public administrations, substitutability |
| Incident notification | Variable deadlines by country | 24h early alert / 72h notification / 1 month final report |
| Supply chain | Not formally addressed | Mandatory (article 21 letter d) |
| Board training | Not required | Mandatory and specific |
| Director liability | Not personal | Personal, with possible disqualification |
| Effectiveness assessment | Recommended | Mandatory (article 21 letter f) |
| Sanctioning regime | Heterogeneous | Harmonised: up to €10M / 2% of turnover (essential) or €7M / 1.4% of turnover (important) |
| Voluntary threat notification | Not contemplated | Contemplated and promoted |
| New sectors | - | Public administration, waste management, manufacturing, food, cloud, MSP/MSSP, space, research, expanded digital infrastructure |
| National authority | At Member State's choice | Mandatory designation + competent CSIRT |
| European cooperation | NIS Cooperation Group | Cooperation Group + EU-CyCLONe + reinforced ENISA |
New sectors incorporated in NIS2
NIS2 substantially expands the universe of regulated entities versus NIS1.
Annex I (essential entities): what is new versus NIS1
| Sector | Status in NIS1 | Status in NIS2 |
|---|---|---|
| Wastewater | Not included | New |
| Space | Not included | New (ground operators) |
| Cloud services | Included as DSP (light regime) | Reinforcement as essential entity |
| Data centers | Not addressed | New |
| CDN | Not addressed | New |
| Managed services (MSP) | Not included | New |
| Managed security services (MSSP) | Not included | New |
| Public administration | National decision | Mandatory (with national security exceptions) |
| Health | Hospitals | Expansion to laboratories, pharma, medical products |
| Hydrogen | Not addressed | New |
Annex II (important entities): practically all new in NIS2
NIS1 did not have this category. The entire Annex II list is new:
- Postal and courier services
- Waste management
- Chemical product manufacturing, production and distribution
- Food production and distribution
- Manufacturing (medical, electronics, electrical, machinery, vehicles, transport)
- Digital providers (marketplaces, search engines, social networks)
- Research
Practical impact: many mid-sized industrial and service companies that were completely outside NIS1 now enter NIS2 as important entities.
Incident notification: from a fuzzy model to 24h/72h
How it was in NIS1
Each country defined its own deadlines and formats. Spain applied "without undue delay"; France had its own deadlines; Germany, different ones. Multinational companies faced parallel procedures.
How it is in NIS2
Harmonised European deadlines:
| Deadline | Action | Minimum content |
|---|---|---|
| 24 hours from awareness | Early alert to the competent CSIRT | Indication of whether the incident may be caused by unlawful or malicious acts, and cross-border impact if any |
| 72 hours | Incident notification | Initial assessment, severity, impact, indicators of compromise if any, mitigation measures |
| 1 month | Final report | Detailed description, severity, root cause, measures taken and ongoing |
Additionally, NIS2 provides for notifying the recipients of the services when an incident may affect them adversely.
Important: for financial sector entities, DORA deadlines are lex specialis and prevail.
Supply chain: the big operational novelty
NIS1 addressed the supply chain only marginally. NIS2 turns it into a specific obligation under article 21 letter d, requiring:
- A maintained, up-to-date inventory of critical ICT providers.
- A risk assessment of each critical provider, with documented criteria.
- Contractual clauses imposing equivalent measures on the provider.
- Periodic verification through questionnaires, evidence and, where applicable, audits.
- A response plan for incidents affecting the provider.
- Consideration of concentration risk at the aggregate level.
Additionally, European authorities can perform coordinated assessments of the supply chain of critical ICT products and services.
Practical impact: if you're a provider to a NIS2-regulated entity, you'll receive reinforced clauses and questionnaires even if you're not directly under NIS2.
Practical cases: companies moving from NIS1 to NIS2
Case 1: Mid-sized industrial company with no obligations under NIS1
Context: electrical equipment manufacturer, 220 employees, €60M turnover. Under NIS1 it was not identified as an OES.
Under NIS2: falls into Annex II as an important entity in the "Electrical equipment manufacturing" sector. Article 21 obligations apply, with fines of up to €7M or 1.4% of turnover and 24h/72h notification.
Adequacy effort: a 6-9 month project if starting from scratch, covering applicability analysis, gap analysis against article 21, technical testing and a remediation plan.
Case 2: Cloud operator under NIS1 as DSP
Context: Spanish cloud provider with 180 employees.
Under NIS1: it was a DSP under a light regime (self-assessment, reactive supervision, limited sanctions).
Under NIS2: it becomes an essential entity under the full regime: active supply chain management, effectiveness assessment, fines of up to €10M or 2% of turnover, proactive supervision.
Incremental effort: significant in the first year: a structured technical testing programme, formalisation of supply chain management, specific board training and a 24h/72h notification procedure with drills.
Case 3: Financial entity under NIS1
Context: mid-sized bank that was under NIS1 as OES in the banking sector.
Under NIS2 + DORA: as lex specialis, DORA prevails. NIS2 stops applying directly, but the DORA obligations are higher than those the bank had under NIS1: mandatory TLPT every 3 years, a provider register and CTPP oversight. See the dedicated DORA vs NIS2 analysis.
Incremental effort: significant, particularly because of the introduction of mandatory TLPT every 3 years for designated entities. TLPT is the highest-cost, longest-duration item in the DORA framework.
Case 4: Public administration
Context: mid-sized municipality.
Under NIS1: public administrations were a national decision and many fell outside.
Under NIS2: national and regional public administrations enter mandatorily (with national security exceptions). In Spain they coexist with ENS.
Incremental cost: depends on ENS status; if ENS High is implemented, NIS2 adequacy is marginal.
Frequently asked questions
If I was an OES under NIS1, am I automatically an essential entity under NIS2?
Probably yes, but it's not automatic. You have to review Annexes I and II of NIS2 to confirm exact categorisation. Most OES move to essential; some switch category depending on subsector.
Does NIS2 formally repeal NIS1?
Yes. NIS2 article 44 repeals Directive (EU) 2016/1148 with effect from 18 October 2024.
Are NIS1 manual identifications kept?
Not automatically. NIS2 replaces the manual identification model with automatic criteria. National authorities re-identify the universe under the new criteria.
Does the national authority change versus NIS1?
Each Member State designates its competent authorities and a CSIRT. In Spain, INCIBE-CERT (private sector) and CCN-CERT (public administrations) continue, with reinforced sectoral authorities.
Are there new obligations that weren't in NIS1?
Yes, the four main ones: mandatory supply chain, specific board training, personal director liability and mandatory effectiveness assessment (including technical tests).
Does NIS2 apply to the United Kingdom after Brexit?
Not directly. But British entities that provide services in the EU fall under NIS2 via a designated representative. The UK has its own evolution of the NIS framework (the NIS Regulations) with converging criteria.
Migrate from NIS1 to NIS2 with Secra
At Secra we run comparative NIS1↔NIS2 analyses, reviews of pre-existing contractual clauses, adequacy plans for the new obligations and the design of the harmonised notification procedure.
→ Learn about our NIS2 compliance service
→ Request an initial conversation, no commitment
About the author
Secra Solutions team
Ethical hackers with OSCP, OSEP, OSWE, CRTO, CRTL and CARTE certifications, 7+ years of experience in offensive cybersecurity, and authors of CVE-2025-40652 and CVE-2023-3512.