Key Takeaways

  • NIS2 covers approximately 160,000 entities across the EU, up from roughly 15,000 under the original NIS Directive.
  • Essential entities face fines of up to €10 million or 2% of worldwide annual turnover, whichever is higher.
  • Management bodies can be held personally liable for cybersecurity failures, making this a board-level obligation.
  • The transposition deadline passed on 17 October 2024, but as of early 2026 several member states (including France and Spain) have not yet completed national implementation.

What is the NIS2 Directive?

NIS2 replaced the original 2016 NIS Directive because its scope was too narrow and its enforcement too fragmented. Article 21 requires every in-scope entity to adopt proportionate technical and organisational cybersecurity measures covering at least ten domains, including risk analysis policies, incident handling, supply chain security, and business continuity planning. Article 23 sets a tiered incident-reporting obligation: a 24-hour early warning to the national CSIRT, a 72-hour incident notification with an initial assessment, an intermediate status update if requested, and a final report within one month.

The Directive distinguishes between essential entities (energy, transport, banking, health, digital infrastructure, public administration) and important entities (postal services, waste management, manufacturing, food production, digital providers). The classification determines the supervisory regime. National competent authorities can conduct regular audits of essential entities proactively; for important entities, enforcement is reactive, triggered by evidence of non-compliance. Entities meeting both NIS2 and CSRD thresholds should expect regulators to cross-reference cybersecurity governance disclosures with the measures required under Article 21.

Germany transposed NIS2 through an amended BSI Act (effective 2026), while the Netherlands published its implementing legislation in late 2025. Each national transposition may add sector-specific requirements on top of the Directive's minimum harmonisation baseline.

Worked example: Rossi Alimentari S.p.A.

Client: Italian food production company, FY2025, revenue €67M, IFRS reporter. Rossi operates four processing plants and falls within the "manufacturing" sector of Annex II to Directive 2022/2555. The company has 320 employees and exceeds the medium-sized enterprise threshold, classifying it as an important entity under NIS2.

Step 1 — Scope determination

The engagement team confirms that Rossi meets the NIS2 size threshold (more than 250 employees or annual turnover exceeding €50M). Food manufacturing is listed in Annex II, Sector 5 ("Manufacturing"). As an important entity, Rossi is subject to the full set of Article 21 risk-management obligations but falls under the reactive (rather than proactive) supervisory regime of Article 33.

Step 2 — Assess compliance with Article 21 measures

The auditor evaluates whether Rossi has implemented the ten minimum cybersecurity risk-management measures. Rossi has adopted an ISO 27001-aligned information security management system but has not formalised supply chain security policies. The gap matters because Article 21.2(d) specifically requires supply chain risk management, and two of Rossi's critical suppliers operate outside the EU.

Step 3 — Test incident-reporting readiness

The engagement team reviews Rossi's incident-response plan. The plan references a 48-hour reporting window, which does not align with the 24-hour early-warning requirement of Article 23.4(a). The team also confirms that Rossi has identified the correct national CSIRT (ACN, the Italian cybersecurity agency) but has not completed the mandatory registration on the national platform.

Step 4 — Evaluate governance and board accountability

Article 20 requires management bodies to approve cybersecurity risk-management measures and to undergo cybersecurity training. Rossi's board approved an information security policy in March 2025, but no board member has completed the required training. The auditor flags this as a compliance risk carrying potential personal liability exposure for board members.

Conclusion: Rossi qualifies as an important entity under NIS2 with four compliance gaps (supply chain policy, incident-reporting timeline, board training, and platform registration) that require remediation before the next regulatory assessment cycle. The documentation trail is defensible because each gap maps to a specific Article and sub-paragraph.
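The four-step procedure above, encoded as a checker that an engagement team could run against client data; this is an added example, not part of the original page, and its scope logic is a simplification of Article 3 (Annex I large enterprises are treated as essential, everything else in scope as important, with the Directive's sector-specific exceptions omitted). The Entity fields, the ROSSI record and the detection timestamp are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
import calendar

# Sector lists as summarised on this page (not the full Annex text).
ANNEX_I = {"energy", "transport", "banking", "health", "digital infrastructure", "public administration"}
ANNEX_II = {"postal services", "waste management", "manufacturing", "food production", "digital providers"}

@dataclass
class Entity:                       # hypothetical record of audit evidence for one client
    name: str
    sector: str
    employees: int
    turnover_eur: float
    plan_early_warning_hours: int   # reporting window written into the client's own IR plan
    supply_chain_policy: bool       # Art. 21.2(d)
    board_training_done: bool       # Art. 20
    registered_on_platform: bool    # Art. 3.3 national registration

def classify(e: Entity) -> str:
    """Simplified Article 3 classification: 'essential', 'important' or 'out of scope'."""
    medium = e.employees >= 50 or e.turnover_eur >= 10_000_000    # size threshold for scope
    large = e.employees >= 250 or e.turnover_eur > 50_000_000     # large-enterprise band
    if not medium or (e.sector not in ANNEX_I and e.sector not in ANNEX_II):
        return "out of scope"
    return "essential" if (e.sector in ANNEX_I and large) else "important"

def reporting_deadlines(detected: datetime) -> dict:
    """Article 23 tiers measured from detection: 24h early warning, 72h notification, final report one month later."""
    year, month = (detected.year + 1, 1) if detected.month == 12 else (detected.year, detected.month + 1)
    day = min(detected.day, calendar.monthrange(year, month)[1])  # clamp 31 Jan -> 28/29 Feb
    return {
        "early_warning": detected + timedelta(hours=24),
        "notification": detected + timedelta(hours=72),
        "final_report": detected.replace(year=year, month=month, day=day),
    }

def compliance_gaps(e: Entity) -> list:
    """Return each gap mapped to the Article the page cites, so the trail stays defensible."""
    gaps = []
    if not e.supply_chain_policy:
        gaps.append("Art. 21.2(d): no formalised supply chain security policy")
    if e.plan_early_warning_hours > 24:
        gaps.append(f"Art. 23.4(a): plan allows {e.plan_early_warning_hours}h, early warning is 24h")
    if not e.board_training_done:
        gaps.append("Art. 20: management body has not completed cybersecurity training")
    if not e.registered_on_platform:
        gaps.append("Art. 3.3: entity not registered on the national platform")
    return gaps

# Constructed input reproducing the Rossi facts from the worked example above.
ROSSI = Entity("Rossi Alimentari S.p.A.", "manufacturing", 320, 67_000_000, 48, False, False, False)
SAMPLE_DETECTED = datetime(2026, 1, 31, 10, 0, tzinfo=timezone.utc)   # constructed detection time

if __name__ == "__main__":
    print(classify(ROSSI), compliance_gaps(ROSSI), reporting_deadlines(SAMPLE_DETECTED), sep="\n")
```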

Why it matters in practice

  • Teams at smaller firms often assume NIS2 applies only to large listed companies. The Directive's scope covers medium-sized entities (50+ employees or €10M+ turnover) in listed sectors, meaning mid-market audit clients in manufacturing and food production frequently fall within scope. Article 2.1 of Directive 2022/2555 sets the size threshold, and overlooking it leads to unidentified regulatory obligations in the audit planning phase.
  • Practitioners conflate NIS2 compliance with DORA compliance for financial-sector clients. The Digital Operational Resilience Act (Regulation (EU) 2022/2554) is lex specialis for financial entities. Article 4 of NIS2 explicitly defers to DORA where both apply. Testing NIS2 controls at a banking client that is subject to DORA applies the wrong framework and produces audit evidence that does not address the applicable regulation.

NIS2 vs. NIS1 (original NIS Directive)

Dimension | NIS1 (Directive 2016/1148) | NIS2 (Directive 2022/2555)
--- | --- | ---
Scope | ~15,000 operators of essential services across 7 sectors | ~160,000 essential and important entities across 18 sectors
Entity classification | Member states determined who qualified on a case-by-case basis | Harmonised size-based threshold (50+ employees or €10M+ turnover) with sector lists
Incident reporting | No fixed timeline; varied by member state | Tiered: 24-hour early warning, 72-hour notification, 1-month final report
Maximum fines | No harmonised fine level | €10M / 2% turnover (essential) and €7M / 1.4% turnover (important)
Management liability | Not addressed | Article 20 introduces personal liability for management bodies

The shift from NIS1 to NIS2 moved cybersecurity regulation from a narrow, member-state-discretionary regime to a broad, harmonised obligation with enforcement teeth. For audit purposes, the expansion in scope means that clients previously outside the cybersecurity regulatory perimeter may now fall within it without realising.

Frequently asked questions

Does NIS2 apply to my audit client in manufacturing?

If the client has 50 or more employees or exceeds €10M in annual turnover and operates in a sector listed in Annex I or Annex II of Directive 2022/2555, NIS2 applies. Manufacturing is listed in Annex II. The auditor should verify the client's classification during engagement planning and assess whether the entity has registered with the relevant national competent authority under Article 3.3.

What happens if a NIS2 entity fails to report an incident on time?

Article 34 empowers national authorities to impose administrative fines of up to €10M or 2% of worldwide turnover for essential entities and €7M or 1.4% for important entities. Late reporting under Article 23 is a standalone compliance failure, separate from the underlying incident. The auditor should assess whether any reporting failures constitute a contingent liability under IAS 37.

How does NIS2 interact with CSRD reporting?

NIS2 and CSRD overlap in scope for many entities. ESRS G1 (Governance) and ESRS S1 (Own workforce) may require disclosure of cybersecurity governance arrangements that parallel the Article 21 measures. The two regimes operate independently, but an entity disclosing strong cybersecurity governance under ESRS while failing to meet NIS2 requirements creates a consistency risk the auditor should flag.