What is NIS2 Directive?
An EU directive that raises cybersecurity and incident-reporting requirements for essential and important service operators across critical sectors.
Definition
The NIS2 Directive (Directive (EU) 2022/2555) is the EU’s updated cybersecurity law for critical infrastructure, replacing the original 2016 NIS Directive. It significantly widens the range of covered sectors, tightens security and incident-reporting requirements, and introduces stronger supervision and enforcement — including management accountability and potential fines.
Member states were required to transpose NIS2 into national law by October 2024, so specific obligations are enforced through each country’s implementing legislation.
Key obligations
Risk-management measures
Policies, cryptography, access control and supply-chain security.
Incident reporting
Early warning within 24 hours, with fuller reports to follow.
Governance & accountability
Management bodies approve and oversee the measures.
Business continuity
Backups, disaster recovery and crisis management.
Supply-chain security
Assess and manage supplier and service-provider risk.
Who needs to comply?
NIS2 applies to medium and large organisations operating in “essential” and “important” sectors — energy, transport, health, digital infrastructure, public administration, manufacturing and more — as defined by each member state’s law.
How ISpectra helps
ISpectra runs your NIS2 readiness program — gap assessment against the risk-management measures, incident-reporting playbooks, supply-chain controls and governance — mapped to ISO 27001 to reuse existing evidence.
Talk to an advisor