
NIS2: What Europe’s New Directive Changes for Cybersecurity

Updated: 2026-05-03

The NIS2 Directive[1] (Network and Information Security 2), adopted in December 2022 with a transposition deadline of October 2024, substantially expands Europe’s cybersecurity framework. It replaces NIS1 from 2016 and represents the biggest cybersecurity regulatory change for European organisations since GDPR[2] came into force. For technical teams, understanding its practical implications is not a task that admits delay.

Key Takeaways

  • NIS2 expands scope from 7 to 18 sectors, adding health, digital public administration, space, and research.
  • It defines 10 named minimum technical measure categories.
  • Sanctions align with GDPR: up to €10 million or 2% of global turnover.
  • Management bodies carry personal liability for serious non-compliance.
  • Member State transposition deadline is October 2024.

What Changes vs NIS1

NIS1 covered a small set of sectors and left much discretion to each Member State. The result was uneven application and limited scope. NIS2 fixes the three main gaps:

  • Expanded scope. From 7 sectors to 18, now covering health, digital public administration, postal services, waste management, space, and research. Medium and large companies in those sectors fall within scope automatically.
  • More concrete minimum measures. NIS1 required “appropriate technical and organisational measures”; NIS2 lists 10 specific categories: risk management, incident response, business continuity, supply-chain security, encryption, training, access control, MFA, vulnerability policies, and audits.
  • Sanctions aligned with GDPR. Up to €10 million or 2% of global annual turnover, whichever is higher. In addition, management liability is explicit: a CEO or CTO can be held personally responsible for serious non-compliance.

[Figure: Flag of the European Union, the regulatory framework under which the NIS2 cybersecurity directive falls]

Obligations That Become Critical

For operations and development teams, three areas concentrate the most work.

Incident Notification

NIS2 introduces mandatory time-escalated notification:

  1. 24 hours from detection: early warning to the competent authority.
  2. 72 hours: notification with initial assessment.
  3. 30 days: final report with detail on causes, impact, and remediation.

This turns incident response into a procedure with a runbook and a stopwatch. For teams currently managing incidents with informal practices, it’s the biggest investment the directive demands. A solid alerting system — like that covered in Kubernetes observability with Pixie — is the technical foundation that runbook rests on.
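The stopwatch for that runbook, as an added example that is not part of the original article: given a timezone-aware detection time, it derives the three absolute NIS2 deadlines and reports, for a given moment, whether each notification was met, submitted late, still pending, or overdue. The milestone names and the sample incident are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

# The three NIS2 notification milestones, measured from the moment of detection
# (24 h early warning, 72 h notification, 30-day final report).
MILESTONES = {
    "early_warning": timedelta(hours=24),
    "incident_notification": timedelta(hours=72),
    "final_report": timedelta(days=30),
}


def nis2_deadlines(detected_at: datetime) -> Dict[str, datetime]:
    """Absolute deadline per milestone for an incident detected at `detected_at`."""
    if detected_at.tzinfo is None:
        # A naive timestamp makes the 24 h window ambiguous across DST changes
        # and time zones; refuse it rather than silently guess.
        raise ValueError("detection time must be timezone-aware")
    return {name: detected_at + delta for name, delta in MILESTONES.items()}


def milestone_report(
    detected_at: datetime,
    submitted: Dict[str, datetime],
    now: Optional[datetime] = None,
) -> Dict[str, str]:
    """Status per milestone: 'met', 'late', 'pending' or 'overdue'.

    `submitted` maps a milestone name to the time the notification was sent;
    milestones missing from it are judged against `now` (defaults to UTC now).
    """
    now = now or datetime.now(timezone.utc)
    statuses = {}
    for name, due in nis2_deadlines(detected_at).items():
        sent = submitted.get(name)
        if sent is not None:
            statuses[name] = "met" if sent <= due else "late"
        else:
            statuses[name] = "pending" if now <= due else "overdue"
    return statuses


if __name__ == "__main__":
    # Constructed sample incident: detected 2025-03-01 10:00 UTC, early warning
    # sent the same evening, nothing else sent yet, evaluated on 2025-03-05.
    detected = datetime(2025, 3, 1, 10, 0, tzinfo=timezone.utc)
    sent = {"early_warning": datetime(2025, 3, 1, 20, 0, tzinfo=timezone.utc)}
    for name, status in milestone_report(detected, sent, now=datetime(2025, 3, 5, tzinfo=timezone.utc)).items():
        print(f"{name:22s} {status}")
```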

Supply-Chain Security

For the first time, European regulation explicitly addresses the supply chain. If you use SaaS providers, cloud services, critical open-source libraries, or contractors with access to your systems, you must evaluate and document their security. It’s not enough that your own system is secure: the whole chain must be.

This ties into technologies like Sigstore[3] and SLSA[4] that make software provenance traceable. Adopting these layers before the deadline significantly reduces future compliance effort.

Mandatory Multi-Factor Authentication

MFA stops being a recommendation and becomes mandatory for all privileged access:

  • Traditional SSH infrastructure.
  • Web admin panels.
  • Cloud service accounts capable of causing significant operational impact.

The specific form (TOTP, WebAuthn, hardware keys) is at the operator’s discretion, but absence of MFA is direct non-conformity.

Who’s Included

NIS2 distinguishes two levels:

  • Essential entities (energy, transport, banking, water, health, digital infrastructure): stricter measures and ex-ante supervision.
  • Important entities (digital public admin, postal, chemistry, research, digital manufacturing, SaaS, medium social networks): same technical obligations, ex-post supervision.

The threshold: medium (50+ employees or €10M+ turnover) and large companies in those sectors. To know whether your organisation falls under it, the European Union Agency for Cybersecurity (ENISA)[5] maintains an updated sectoral guide.

Preparation Plan

A typical roadmap for organisations starting to prepare follows four phases:

  1. Q3: Gap assessment. Audit against the 10 measures. What exists documented, what exists de facto without documentation, what is missing?
  2. Q4: Prioritised remediation plan. MFA, critical-supplier inventory, incident runbooks. These three elements take the most time.
  3. Following H1: Execution. Implement missing controls and run simulated-incident tests (tabletop exercises[6]).
  4. Following H2: Validation. Final audit before each Member State’s transposition deadline.

Organisations already complying with ISO 27001 or adopting a framework like CIS Controls[7] start with a big advantage. A team already applying mature SRE practices — see Applying Google’s SRE Book Without Being Google — has the operational discipline NIS2 demands already documented.

Conclusion

NIS2 is not optional regulation nor easy to postpone. Its impact on the technical team’s day-to-day ranges from access policy to detection system design. Early preparation is the only realistic way to arrive in shape at the deadline.

References

  1. NIS2 Directive
  2. GDPR
  3. Sigstore
  4. SLSA
  5. European Union Agency for Cybersecurity (ENISA)
  6. Tabletop exercises
  7. CIS Controls

Written by

CEO - Jacar Systems

Passionate about technology, cloud infrastructure and artificial intelligence. Writes about DevOps, AI, platforms and software from Madrid.