Breaking down NIS2: the five main requirements of the updated NIS Directive

March 2026  |  SPECIAL REPORT: DATA PRIVACY & CYBER SECURITY

Financier Worldwide Magazine

March 2026 Issue


The Network and Information Systems Directive 2 (NIS2) is the European Union’s (EU’s) upgraded version of the NIS Directive. It is designed to standardise what ‘good cyber security’ looks like across member states with clearer controls, accountability, and a stronger and consistent baseline for resilience as threats evolve.

The 2025 European Union Agency for Cybersecurity threat landscape notes that threat actors are recycling proven tools and tactics, while also experimenting with new attack approaches. At the same time, they are actively exploiting vulnerabilities and increasingly working together – steps that collectively put the EU’s digital infrastructure security and resilience under growing pressure.

And the volume is relentless: more than 1600 attacks hit European organisations every week. It is in this scenario that NIS2, with its wider scope of application, aims to improve cyber security across both essential and important entities (as of 5 January 2026, the European Cyber Security Organisation’s NIS2 Transposition Tracker shows 19 of 27 EU member states have transposed NIS2 into national law).

NIS2: scope and applicability

NIS2 expands the range of organisations covered by the directive, increasing the number of covered entities by around tenfold by bringing many more sectors into scope. Covered organisations are classified into two groups that determine the level of supervision and enforcement.

The first group is essential entities, operating in key sectors such as energy, healthcare, space, transport, banking and financial markets, managed service providers, and waste and drinking water.

The second group is important entities, covering food, manufacturing, postal services, research, chemical manufacturing, digital service providers and waste management.

As a general rule, small and micro entities are not in scope, but NIS2 includes specific exceptions, especially for certain digital infrastructure and trust-related service providers, and some public administration bodies.

Five essential requirements for NIS2 compliance

NIS2 is designed to make EU organisations harder to disrupt and faster to recover when incidents happen. Outlined below are five key requirements.

Information risk management and security governance. Organisations must establish a clear governance structure, led by senior leadership, responsible for approving, supervising and reviewing the identification, evaluation and control of cyber risks across the organisation. NIS2 makes the leadership liable for non-compliance.

The security approach, therefore, needs to be well documented and actionable, and must cover key aspects such as how risks are identified, who has the final sign-off on major security decisions and how essential services are kept running when something goes wrong.

Risk assessments should cover both the organisation’s own information and communication technology (ICT) systems and the critical ICT services and ICT products in its supply chain. As part of this process, entities must identify which ICT services and ICT products qualify as ‘critical’ and could fall under coordinated security risk assessments at the EU or national level, taking into account technical and, where relevant, non-technical risk factors.

Incident management, classification and notification. It is mandatory for organisations to report ‘high impact’ security incidents: those that disrupt an organisation’s operations, cause severe financial and reputational damage, or harm people within the organisation.

NIS2 requires early reporting within 24 hours of the incident. A complete report must be submitted within 72 hours and a final report is due no later than one month after the incident. Under NIS2, incident management must be supported by clear ownership of responsibilities, seamless communication, backups, recovery techniques and actionable incident response. This makes for better containment underpinned by transparency and speed.

Cyber security best practices. An organisation’s cyber security posture must be proportionate to the threat landscape. At the operational level, the acquisition, development or maintenance of network and information systems should be seen through security-tinted glasses, with an eye on their vulnerability handling and disclosure.

The cyber security approach should trust nothing: users, devices, applications or network segments. Zero trust is the way forward. Other fundamental elements of strong cyber security are network segmentation, secure device configuration, regular software updates and patching, and leveraging artificial intelligence-enabled detection, analysis and incident response.

Third-party risk management. The supply chain is a key attack vector and a common ingress point for attacks. NIS2 expects organisations to manage supply chain cyber risk, including the security aspects of their relationships with direct suppliers and service providers. Failure to put the required measures in place may lead to enforcement consequences.

The focus should be on binding contracts that include incident notification, security audits and data-handling rules. Relationships with high-risk suppliers such as ICT, hosting and managed security providers should be closely monitored. These require more granular scrutiny of identity and access controls, system configuration and data protection.

Security awareness (for senior executives and all employees). An organisation’s workforce is an important defensive layer in any cyber security framework. NIS2 requires that all employees, including the leadership team, undergo security awareness training.

Mock practical exercises covering popular attack techniques must put users through their paces to ensure better understanding and subsequent action. Topics to cover include cyber security best practices, incident handling, and anything else that helps build a people-led, difficult-to-break defensive layer.

Key takeaways

NIS2 is not a checklist, so a ‘chasing controls’ approach is limiting. A better approach is to follow the recommendations outlined below.

Zero assumptions, better scoping. Companies should confirm whether they are an ‘essential’ or ‘important’ entity and understand why. This will help them define the ‘appropriate and proportionate’ measures under NIS2.

Thorough gap review. Organisations might already have certain security policies in place that meet NIS2 requirements, but there are likely to be gaps that need to be addressed. Companies should map risk management, incident handling and reporting, access control and other core areas against the directive’s requirements.

Prioritise the basics. Some basics organisations can focus on include multifactor authentication, least privilege, secure configurations, patching discipline, clear escalation paths and the 24-72-30 NIS2 reporting doctrine (an initial alert within 24 hours, an expanded report within 72 hours and a closure report within 30 days).

Build incremental compliance. Companies should not think of NIS2 as a one-off project. They will need to stay compliant with NIS2 as it grows, as market dynamics change, as the threat landscape evolves and as technology matures. Through it all, organisations have to exercise necessary controls.

As many as 83 percent of chief audit executives across organisations in the EU say cyber security and data security are among the top five risk management challenges. NIS2 offers a strategy to turn that concern into concrete action, by setting a clear minimum bar for controls, accountability and resilience across sectors.


Steve Durbin is chief executive of the Information Security Forum. He can be contacted on +44 (0)7785 953 800 or by email: steve.durbin@securityforum.org.

© Financier Worldwide
