NIS2 Compliance Requirements: 10 Mandatory Security Controls Before the 2026 Deadline

Master NIS2 compliance with our guide to the 10 mandatory security requirements. Learn what to implement, when deadlines hit, and how to avoid penalties up to €10 million or 2% of global turnover.

The NIS2 compliance deadline is here. EU member states have transposed the directive into national law, and enforcement is actively ramping up across all 27 member states. Organizations that haven’t implemented the 10 mandatory security controls outlined in Article 21 face penalties up to €10 million or 2% of global annual turnover—whichever is higher.

But NIS2 compliance isn’t just about avoiding fines. The directive represents the EU’s most comprehensive cybersecurity framework, designed to protect critical infrastructure and digital services across Europe. Organizations that take it seriously will not only stay on the right side of regulators but also build genuine resilience against the threats that matter.

This guide breaks down each of the 10 NIS2 compliance requirements, explains when you need to meet them, and provides practical implementation guidance. By the end, you’ll know exactly what to do and have a clear path forward.

What Is NIS2 and Who Must Comply?

NIS2 (Network and Information Security Directive 2) is the EU’s updated cybersecurity legislation that replaced the original NIS Directive from 2016. It entered into force on October 17, 2024, with member states required to incorporate it into national law by April 17, 2025.

Who’s In Scope

NIS2 applies to organizations in 18 critical sectors, classified as either:

  • Essential Entities — Higher scrutiny, penalties up to €10M or 2% of turnover
  • Important Entities — Lower penalties (€7M or 1.4%), still significant

Essential Entity sectors include energy, transport, banking, health, water, digital infrastructure, ICT service management, public administration, and space.

Important Entity sectors include postal services, waste management, chemicals, food, manufacturing, and digital providers (marketplaces, search engines, social networks).

Size thresholds:

  • Essential: 250+ employees OR >€50M turnover OR >€43M balance sheet
  • Important: 50-249 employees OR €10M-50M turnover OR €10M-43M balance sheet

Not sure which category applies to your organization? Use our free NIS2 Compliance Checker for an instant classification and gap analysis.

NIS2 Deadline 2026: Key Dates You Need to Know

Understanding the NIS2 timeline is critical for planning your compliance activities:

Date               | Milestone              | What It Means for You
December 27, 2022  | Directive adopted      | Political agreement reached
October 17, 2024   | Entered into force     | NIS2 became EU law
April 17, 2025     | Transposition deadline | Member states must have national laws in place
October 17, 2025   | Registration deadline  | Entities should be registered with competent authorities
2026               | Active enforcement     | Supervision and penalties begin in earnest
Ongoing            | Continuous compliance  | NIS2 is not a one-time exercise

If you’re reading this in 2026, enforcement is already underway. National competent authorities are conducting audits, and organizations that haven’t implemented the required controls are at risk.

The 10 NIS2 Compliance Requirements

Article 21 of the NIS2 Directive outlines 10 mandatory cybersecurity risk-management measures. These aren’t suggestions—they’re legal requirements that regulated entities must implement. Let’s examine each one in detail.

Requirement 1: Risk Analysis and Security Policies

What NIS2 requires: Organizations must conduct regular risk assessments of their information systems and maintain documented security policies.

Practical implementation:

  • Conduct a comprehensive risk assessment at least annually, or when significant infrastructure changes occur
  • Document threats, vulnerabilities, and potential impact on business operations
  • Maintain written security policies covering access control, data protection, incident response, and acceptable use
  • Review and update policies at least annually, or when regulatory or operational changes require it

Common gaps we see:

  • Risk assessments that are too high-level and don’t identify specific vulnerabilities
  • Security policies that exist on paper but aren’t enforced or communicated to staff
  • No regular review cycle—policies sit untouched for years

How to demonstrate compliance: Maintain documented evidence of your risk assessment methodology, findings, and remediation plans. Regulators will want to see that you’re identifying risks systematically and addressing them.


Requirement 2: Incident Handling

What NIS2 requires: Organizations must have formal processes for detecting, containing, eradicating, and recovering from security incidents.

Practical implementation:

  • Deploy 24/7 security monitoring (Security Operations Center or equivalent)
  • Establish clear incident classification criteria (what counts as significant vs. routine)
  • Document incident response procedures with defined roles and escalation paths
  • Conduct regular tabletop exercises and simulations to test procedures

Critical detail—incident reporting timelines: NIS2 introduces strict notification requirements that catch many organizations unprepared:

Phase                 | Deadline | What to Report
Early Warning         | 24 hours | Initial notification that an incident occurred
Incident Notification | 72 hours | Updated assessment, severity, cross-border impact
Final Report          | 1 month  | Detailed incident description, root cause, mitigation

Read our detailed guide on NIS2 incident reporting requirements for step-by-step procedures.

How to demonstrate compliance: Maintain logs of incidents (both significant and routine), evidence of tabletop exercises, and documented procedures. During an audit, regulators will ask to see your incident response plan and may request evidence of recent exercises.
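The three-phase timeline above is easy to miss in the middle of an incident, so a small tracker that computes every deadline from the moment of detection and reports what is overdue is a practical control. The following Python is an added example for this guide, not code from the page or from Resiliently; the incident id, timestamps and phase names are constructed, and one assumption is labelled in the code: the one-month clock for the final report is started from the time the 72-hour notification is actually submitted (until it is, the tracker plans against the notification deadline itself).

```python
import calendar
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict


# Hypothetical helper (not from the page): add one calendar month, clamping the
# day when the target month is shorter (Jan 31 -> Feb 28).
def add_one_month(ts: datetime) -> datetime:
    year, month = (ts.year + 1, 1) if ts.month == 12 else (ts.year, ts.month + 1)
    day = min(ts.day, calendar.monthrange(year, month)[1])
    return ts.replace(year=year, month=month, day=day)


@dataclass
class SignificantIncident:
    incident_id: str
    detected_at: datetime                      # when the entity became aware of the incident
    submitted: Dict[str, datetime] = field(default_factory=dict)  # phase -> submission time

    def record_submission(self, phase: str, when: datetime) -> None:
        self.submitted[phase] = when

    def deadlines(self) -> Dict[str, datetime]:
        early_warning = self.detected_at + timedelta(hours=24)
        notification = self.detected_at + timedelta(hours=72)
        # Assumption: the one-month clock for the final report starts when the
        # 72-hour notification is actually submitted; until then, plan against
        # the notification deadline itself.
        basis = self.submitted.get("incident_notification", notification)
        return {
            "early_warning": early_warning,
            "incident_notification": notification,
            "final_report": add_one_month(basis),
        }

    def status(self, now: datetime) -> Dict[str, str]:
        """Per-phase status: submitted_on_time, submitted_late, OVERDUE, or due_in_<n>h."""
        result = {}
        for phase, due in self.deadlines().items():
            sent = self.submitted.get(phase)
            if sent is not None:
                result[phase] = "submitted_on_time" if sent <= due else "submitted_late"
            elif now > due:
                result[phase] = "OVERDUE"
            else:
                hours_left = int((due - now).total_seconds() // 3600)
                result[phase] = f"due_in_{hours_left}h"
        return result


def demo() -> Dict[str, Dict[str, str]]:
    """Walk a constructed incident through the three phases and return status snapshots."""
    utc = timezone.utc
    inc = SignificantIncident("INC-2026-0042", datetime(2026, 3, 2, 9, 0, tzinfo=utc))
    snapshots = {}
    snapshots["day0_evening"] = inc.status(datetime(2026, 3, 2, 20, 0, tzinfo=utc))
    # Early warning sent 23 hours after detection: on time.
    inc.record_submission("early_warning", datetime(2026, 3, 3, 8, 0, tzinfo=utc))
    # Notification sent 75 hours after detection: three hours late.
    inc.record_submission("incident_notification", datetime(2026, 3, 5, 12, 0, tzinfo=utc))
    snapshots["after_notification"] = inc.status(datetime(2026, 3, 6, 9, 0, tzinfo=utc))
    snapshots["five_weeks_later"] = inc.status(datetime(2026, 4, 6, 9, 0, tzinfo=utc))
    return snapshots


if __name__ == "__main__":
    for label, statuses in demo().items():
        print(label, statuses)
```

Feeding the tracker's output into whatever ticketing or on-call tooling you already use turns the reporting clock into an alert rather than something the incident lead has to remember; the recorded submission times also double as the audit evidence this section asks for.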


Requirement 3: Business Continuity and Crisis Management

What NIS2 requires: Organizations must have business continuity plans that address backup management, disaster recovery, and crisis management.

Practical implementation:

  • Develop and maintain a business continuity plan (BCP) covering critical business functions
  • Implement the 3-2-1 backup rule: 3 copies of data, 2 different storage types, 1 offsite
  • Test backup restoration regularly—at least quarterly for critical systems
  • Document crisis management procedures with clear communication protocols

Common gaps we see:

  • Backups exist but have never been tested for restoration
  • BCPs that were written years ago and don’t reflect current infrastructure
  • No communication plan for informing customers, regulators, or partners during a crisis

How to demonstrate compliance: Maintain evidence of backup tests, BCP reviews, and crisis simulation exercises. Document RTOs (Recovery Time Objectives) and RPOs (Recovery Point Objectives) for critical systems.
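The 3-2-1 rule, the quarterly restoration test and the RTO/RPO targets above can all be checked mechanically from a backup inventory, which is more reliable than a spreadsheet that nobody re-reads. The following Python is an added example for this guide, not code from the page or from Resiliently; the system names, copy locations and timings in demo() are constructed, and the 90-day test interval is the article's "at least quarterly" turned into a default parameter.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class BackupCopy:
    location: str
    medium: str                            # e.g. "disk", "tape", "object-storage"
    offsite: bool                          # separate site, or separate cloud region/account
    taken_at: datetime                     # most recent successful backup to this copy
    last_restore_test: Optional[datetime]  # last verified restoration from this copy


@dataclass
class ProtectedSystem:
    name: str
    rpo: timedelta                         # maximum tolerable data loss
    rto: timedelta                         # maximum tolerable downtime
    copies: List[BackupCopy] = field(default_factory=list)
    measured_restore_time: Optional[timedelta] = None  # from the latest restore test


def check_backup_posture(system: ProtectedSystem, now: datetime,
                         restore_test_interval: timedelta = timedelta(days=90)) -> List[str]:
    """Return a list of findings; an empty list means the system passes every check."""
    findings = []
    copies = system.copies
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies exist (3-2-1 needs 3)")
    if len({c.medium for c in copies}) < 2:
        findings.append("all copies share one storage type (3-2-1 needs 2)")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy (3-2-1 needs 1)")
    newest = max((c.taken_at for c in copies), default=None)
    if newest is None or now - newest > system.rpo:
        findings.append("newest backup is older than the RPO")
    recently_tested = [c for c in copies
                       if c.last_restore_test is not None
                       and now - c.last_restore_test <= restore_test_interval]
    if not recently_tested:
        findings.append(f"no restoration test in the last {restore_test_interval.days} days")
    if system.measured_restore_time is not None and system.measured_restore_time > system.rto:
        findings.append("measured restore time exceeds the RTO")
    return findings


def demo() -> Dict[str, List[str]]:
    """Check two constructed systems; names and timings are invented for the example."""
    utc = timezone.utc
    now = datetime(2026, 3, 10, 8, 0, tzinfo=utc)
    compliant = ProtectedSystem(
        name="customer-db", rpo=timedelta(hours=4), rto=timedelta(hours=8),
        copies=[
            BackupCopy("dc1-nas", "disk", False, now - timedelta(hours=1), now - timedelta(days=20)),
            BackupCopy("dc1-tape", "tape", False, now - timedelta(hours=12), None),
            BackupCopy("eu-west-bucket", "object-storage", True, now - timedelta(hours=2),
                       now - timedelta(days=45)),
        ],
        measured_restore_time=timedelta(hours=3),
    )
    neglected = ProtectedSystem(
        name="billing-app", rpo=timedelta(hours=24), rto=timedelta(hours=12),
        copies=[
            BackupCopy("dc1-nas", "disk", False, now - timedelta(days=3), now - timedelta(days=400)),
            BackupCopy("dc1-nas-mirror", "disk", False, now - timedelta(days=3), None),
        ],
        measured_restore_time=timedelta(hours=30),
    )
    return {s.name: check_backup_posture(s, now) for s in (compliant, neglected)}


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run against a real inventory (exported from your backup tooling), the findings list is the evidence an auditor asks for: which systems meet 3-2-1, when each copy was last proven restorable, and whether the measured restore time actually fits the documented RTO.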


Requirement 4: Supply Chain Security

What NIS2 requires: Organizations must assess the security posture of their suppliers and service providers, and include security requirements in contracts.

Practical implementation:

  • Inventory all critical suppliers and service providers
  • Assess supplier security through questionnaires, certifications (ISO 27001, SOC 2), or audits
  • Include security requirements and right-to-audit clauses in vendor contracts
  • Monitor supplier security continuously, not just at onboarding

This is one of the most significant changes from NIS1. Organizations are now accountable for the security of their supply chain, not just their own systems.

Common gaps we see:

  • No formal supplier inventory or risk assessment process
  • Vendor contracts without security clauses or SLAs
  • Assumption that “they’re ISO certified” means they’re secure

How to demonstrate compliance: Maintain a supplier risk register, evidence of security assessments, and contracts with security requirements. Be prepared to show how you’re monitoring supplier security on an ongoing basis.


Requirement 5: Secure System Development

What NIS2 requires: Organizations must implement security-by-design and security-by-default principles in system acquisition, development, and maintenance.

Practical implementation:

  • Integrate security into the development lifecycle (SSDLC)
  • Conduct security code reviews and vulnerability assessments before deployment
  • Maintain vulnerability handling procedures for addressing discovered flaws
  • Use secure coding standards and automated security testing tools

How to demonstrate compliance: Document your SSDLC process, including security gates, code review requirements, and deployment approval procedures. Maintain evidence of security testing for recent releases.


Requirement 6: Security Effectiveness Assessments

What NIS2 requires: Organizations must regularly test the effectiveness of their security measures.

Practical implementation:

  • Conduct vulnerability assessments at least quarterly
  • Perform annual penetration testing by qualified third parties
  • Implement continuous security monitoring and validation
  • Conduct red team exercises for critical systems

How to demonstrate compliance: Maintain penetration test reports, vulnerability scan results, and evidence of remediation. Regulators will want to see that you’re not just testing but also addressing identified issues.


Requirement 7: Cyber Hygiene and Training

What NIS2 requires: Organizations must implement basic cybersecurity practices and provide regular security awareness training to all employees.

Practical implementation:

  • Conduct security awareness training at least annually (quarterly for high-risk roles)
  • Implement phishing simulation exercises
  • Document and enforce password policies, acceptable use, and data handling procedures
  • Train staff on incident reporting procedures

Common gaps we see:

  • Training that’s “check-the-box” and doesn’t reflect real threats
  • No training for contractors or third-party users
  • Training content that hasn’t been updated to reflect current attack vectors (BEC, deepfakes, AI-generated phishing)

How to demonstrate compliance: Maintain training records, completion rates, and evidence of phishing simulations. Document your training curriculum and update cycle.


Requirement 8: Cryptography and Encryption

What NIS2 requires: Organizations must develop policies governing the use of cryptographic controls, including encryption and key management.

Practical implementation:

  • Encrypt sensitive data at rest and in transit
  • Implement secure key management procedures
  • Use strong, standard cryptographic algorithms (avoid deprecated protocols)
  • Document encryption requirements for different data classifications

How to demonstrate compliance: Maintain cryptographic policies, evidence of encryption implementation, and key management procedures. Be prepared to demonstrate encryption for critical data flows.
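"Avoid deprecated protocols" is the item that most often fails in practice because legacy server blocks keep TLS 1.0 or RC4 enabled long after the policy says otherwise. The following Python is an added example for this guide, not code from the page or from Resiliently: a small linter for nginx-style ssl_protocols and ssl_ciphers directives, shown against a constructed legacy configuration and a constructed hardened one. The deprecated-protocol set follows the IETF's deprecations of SSLv2, SSLv3, TLS 1.0 and TLS 1.1; the weak-cipher markers are substrings of OpenSSL suite names and are a chosen list, not an exhaustive one.

```python
from typing import List

# Protocol versions deprecated by the IETF (RFC 6176 for SSLv2, RFC 7568 for SSLv3,
# RFC 8996 for TLS 1.0 and TLS 1.1).
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Substrings that identify weak or broken suites in OpenSSL cipher names.
# Assumption: this list is illustrative; extend it to match your own crypto policy.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5", "ADH", "AECDH")


def lint_tls_config(config_text: str) -> List[str]:
    """Scan nginx-style ssl_protocols / ssl_ciphers directives and return findings."""
    findings = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";")   # drop comments and trailing ';'
        if not line:
            continue
        directive, _, value = line.partition(" ")
        if directive == "ssl_protocols":
            for proto in value.split():
                if proto in DEPRECATED_PROTOCOLS:
                    findings.append(f"deprecated protocol enabled: {proto}")
        elif directive == "ssl_ciphers":
            for suite in value.strip("'\"").split(":"):
                if suite.startswith("!") or suite.startswith("-"):
                    continue   # explicit exclusion, not an enabled suite
                if any(marker in suite.upper() for marker in WEAK_CIPHER_MARKERS):
                    findings.append(f"weak cipher suite enabled: {suite}")
    return findings


# Constructed sample: a legacy server block that still allows TLS 1.0/1.1, RC4 and 3DES.
WEAK_CONFIG = """\
# legacy settings kept "for an old client"
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'RC4-SHA:DES-CBC3-SHA:AES128-SHA:!aNULL';
"""

# Constructed sample: the corrected block, TLS 1.2+ and AEAD suites only.
HARDENED_CONFIG = """\
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:!aNULL:!MD5';
ssl_prefer_server_ciphers on;
"""


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, lint_tls_config(cfg) or "no findings")
```

Wiring a check like this into the pipeline that deploys web or proxy configuration makes the cryptographic policy enforceable rather than aspirational, and the clean result for each release is the kind of evidence this section asks you to keep.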


Requirement 9: Human Resources Security

What NIS2 requires: Organizations must implement access control policies, conduct background checks where appropriate, and ensure proper onboarding and offboarding procedures.

Practical implementation:

  • Implement least-privilege access controls
  • Conduct background checks for employees in sensitive roles
  • Ensure prompt access revocation during offboarding
  • Regularly review and validate user access rights

How to demonstrate compliance: Maintain access control policies, evidence of access reviews, and offboarding procedures. Be prepared to demonstrate that access is promptly revoked when employees leave.


Requirement 10: Multi-Factor Authentication

What NIS2 requires: Organizations must deploy multi-factor authentication (MFA) across critical systems and ensure secure communications.

Practical implementation:

  • Deploy MFA for all privileged accounts and remote access
  • Implement MFA for access to critical systems and data
  • Use secure communication channels (encrypted voice, video, messaging) for sensitive discussions
  • Document MFA policies and exceptions

Common gaps we see:

  • MFA deployed for some systems but not others
  • Exceptions granted without proper justification or time limits
  • MFA bypass procedures that create security gaps

How to demonstrate compliance: Maintain MFA policies, evidence of deployment across systems, and documentation of any exceptions with business justification.
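Requirements 9 and 10 are both identity-hygiene problems that reduce to the same reconciliation: every account should map to a current person, privileged and remote access should have MFA or a justified, time-limited exception, and every account should have been reviewed recently. The following Python is an added example serving both sections, not code from the page or from Resiliently; the roster, accounts and exceptions in demo() are constructed, and the 90-day review interval and one-day revocation grace period are assumed defaults that you would set from your own policy.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Person:
    user_id: str
    status: str                     # "active" or "left"
    left_on: Optional[date] = None  # offboarding date when status == "left"


@dataclass
class Account:
    user_id: str
    system: str
    privileged: bool
    remote_access: bool
    mfa_enrolled: bool
    last_access_review: Optional[date]


@dataclass
class MfaException:
    user_id: str
    system: str
    justification: str
    expires_on: Optional[date]


Finding = Tuple[str, str, str]   # (issue, user_id, system)


def audit_identities(people: List[Person], accounts: List[Account],
                     exceptions: List[MfaException], today: date,
                     review_interval: timedelta = timedelta(days=90),
                     revocation_grace: timedelta = timedelta(days=1)) -> List[Finding]:
    """Reconcile accounts against the HR roster and the MFA exception register."""
    roster = {p.user_id: p for p in people}
    exception_for = {(e.user_id, e.system): e for e in exceptions}
    findings: List[Finding] = []
    for acct in accounts:
        key = (acct.user_id, acct.system)
        person = roster.get(acct.user_id)
        # Requirement 9: every account must map to a current person, and leavers
        # must lose access within the grace period.
        if person is None:
            findings.append(("orphaned_account",) + key)
        elif person.status == "left" and (
                person.left_on is None or today - person.left_on > revocation_grace):
            findings.append(("not_revoked_after_offboarding",) + key)
        if acct.last_access_review is None or today - acct.last_access_review > review_interval:
            findings.append(("access_review_overdue",) + key)
        # Requirement 10: privileged and remote access need MFA or a valid,
        # justified, time-boxed exception.
        if (acct.privileged or acct.remote_access) and not acct.mfa_enrolled:
            exc = exception_for.get(key)
            if exc is None:
                findings.append(("mfa_missing",) + key)
            elif not exc.justification.strip():
                findings.append(("mfa_exception_unjustified",) + key)
            elif exc.expires_on is None:
                findings.append(("mfa_exception_no_expiry",) + key)
            elif exc.expires_on < today:
                findings.append(("mfa_exception_expired",) + key)
    return findings


def demo() -> List[Finding]:
    """Run the audit over a constructed roster; every name and system here is invented."""
    today = date(2026, 3, 10)
    people = [
        Person("alice", "active"),
        Person("bob", "left", left_on=date(2026, 2, 1)),
        Person("dave", "active"),
        Person("erin", "active"),
    ]
    accounts = [
        Account("alice", "erp", privileged=True, remote_access=False, mfa_enrolled=True,
                last_access_review=date(2026, 2, 15)),
        Account("bob", "vpn", privileged=False, remote_access=True, mfa_enrolled=True,
                last_access_review=date(2026, 1, 5)),
        Account("carol", "db-admin", privileged=True, remote_access=False, mfa_enrolled=False,
                last_access_review=None),
        Account("dave", "jump-host", privileged=True, remote_access=True, mfa_enrolled=False,
                last_access_review=date(2025, 11, 1)),
        Account("erin", "payroll", privileged=True, remote_access=False, mfa_enrolled=False,
                last_access_review=date(2026, 3, 1)),
    ]
    exceptions = [
        MfaException("dave", "jump-host", "legacy console lacks MFA support", date(2026, 1, 31)),
        MfaException("erin", "payroll", "vendor integration account", None),
    ]
    return audit_identities(people, accounts, exceptions, today)


if __name__ == "__main__":
    for issue, user, system in demo():
        print(f"{issue:32} {user:8} {system}")
```

In production the three inputs come from the HR system, the identity provider and the exception register respectively; running the reconciliation on a schedule and keeping its output is exactly the "evidence of access reviews" and "documentation of any exceptions" both sections ask for.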

Penalties for Non-Compliance

NIS2 introduces substantial financial penalties that make non-compliance a board-level issue:

Essential Entities:

  • Up to €10,000,000 or 2% of global annual turnover (whichever is higher)
  • Management bodies can be held personally liable
  • Potential suspension of certification or authorization

Important Entities:

  • Up to €7,000,000 or 1.4% of global annual turnover (whichever is higher)
  • Public naming and shaming for serious violations

Beyond financial penalties:

  • Reputational damage from public enforcement actions
  • Loss of customer and partner trust
  • Business disruption from regulatory interventions
  • Potential exclusion from public procurement contracts

How to Get NIS2 Compliant: A Practical Roadmap

If you’re behind on NIS2 compliance, here’s a realistic approach to catch up:

Week 1-2: Assessment and Classification

  1. Determine your classification — Are you essential, important, or excluded? Use our NIS2 Compliance Checker for an instant assessment.
  2. Conduct a gap assessment — Compare your current controls against the 10 requirements. Document what’s in place and what’s missing.
  3. Identify your competent authority — Know who you’ll be reporting to and establish contact.

Week 3-4: Quick Wins and Documentation

  1. Document existing controls — You may be more compliant than you think. Formalize what’s already in place.
  2. Address basic gaps — MFA, access reviews, and training can often be implemented quickly.
  3. Establish incident reporting procedures — Create templates and escalation paths for the 24-hour and 72-hour requirements.

Month 2-3: Strategic Investments

  1. Implement supply chain security — Inventory critical suppliers and begin security assessments.
  2. Deploy continuous monitoring — If you don’t have 24/7 security visibility, this is a priority.
  3. Test business continuity — Validate backup restoration and crisis management procedures.

Month 4+: Continuous Improvement

  1. Conduct regular testing — Quarterly vulnerability scans, annual penetration tests.
  2. Maintain documentation — Keep evidence of compliance activities for audits.
  3. Stay current — Monitor regulatory guidance and adjust as enforcement practices evolve.

Start Your NIS2 Compliance Journey Now

NIS2 compliance isn’t a checkbox exercise—it’s an ongoing program that requires sustained attention. The organizations that approach it strategically will not only avoid penalties but also build genuine resilience against cyber threats.

Start with a clear understanding of where you stand:

👉 Check Your NIS2 Compliance Status

Our free NIS2 Compliance Checker takes less than 5 minutes and provides:

  • Instant classification (Essential, Important, or Excluded)
  • Gap analysis against the 10 mandatory requirements
  • Personalized recommendations with prioritized action items
  • PDF report for internal discussions and planning

Frequently Asked Questions

When is the NIS2 compliance deadline?

The NIS2 Directive entered into force on October 17, 2024, with member states required to transpose it into national law by April 17, 2025. Enforcement is actively ramping up throughout 2026. If you haven’t started compliance efforts, you’re behind schedule.

What are the 10 NIS2 compliance requirements?

The 10 mandatory requirements are: (1) risk analysis and security policies, (2) incident handling, (3) business continuity and crisis management, (4) supply chain security, (5) secure system development, (6) security effectiveness assessments, (7) cyber hygiene and training, (8) cryptography and encryption, (9) human resources security, and (10) multi-factor authentication.

Who must comply with NIS2?

NIS2 applies to organizations in 18 critical sectors classified as either Essential Entities (energy, transport, banking, health, water, digital infrastructure, ICT services, public administration, space) or Important Entities (postal, waste, chemicals, food, manufacturing, digital providers). Size thresholds apply based on employee count and turnover.

What are the penalties for NIS2 non-compliance?

Essential Entities face penalties up to €10 million or 2% of global annual turnover (whichever is higher). Important Entities face penalties up to €7 million or 1.4% of turnover. Management bodies can be held personally liable for compliance failures.

How do I report incidents under NIS2?

NIS2 requires three-stage incident reporting: early warning within 24 hours of detection, incident notification within 72 hours with initial assessment, and final report within one month with detailed analysis. Reports go to your national competent authority.


Need help developing your NIS2 compliance program? Resiliently provides cyber risk assessment and compliance advisory services for organizations navigating complex regulatory requirements. Get in touch to discuss your specific needs.
